Tavve zoneranger Скачать руководство пользователя страница 379 | Manualshive

Страница: 379 / 389

background image

Note that the Ranger Gateway install CD provides sample SSL/TLS certificates that are matched to
the default configuration of the RGVI service on the Ranger Gateway. If you prefer to use your own
certificates, you will need to modify the OpenVPN client configuration to use your certificates, and
you will need to modify the RGVI configuration on the Ranger Gateway, to accept your certificates.

The remaining details for performing the installation and configuration steps are dependent on the
operating system being used. Additional information for a number of supported operating systems is
provided in the following sections. If no information has been provided for the operating system
you are using, please contact Tavve technical support.

Solaris

A pre-built Solaris OpenVPN package can be downloaded from

http://www.blastwave.org

, an open

source Solaris software site. In order to install packages from the Blastwave site, you will need to
have the

pkgutil

tool, installed on your server. You can test to see if the

pkgutil

tool is already

installed by looking for the following executable:

/opt/csw/bin/pkgutil

If the

pkgutil

executable is not found, follow the instructions for downloading and installing

pkgutil, as described on the following web page:

http://www.blastwave.org/jir/blastwave.fam

Once pkgutil has been installed, you can install OpenVPN by simply executing the following
command:

/opt/csw/bin/pkgutil/pkgutil --install openvpn

The installation process installs the

openvpn

executable in the

/opt/csw/sbin

directory, and

creates the following directory for OpenVPN configuration files:

/etc/csw/openvpn

The next step is to copy the following sample files from the

rgvi

directory on the Ranger Gateway

install CD to the

/etc/csw/openvpn

directory. The specific files to be copied, and the associated

configuration instructions depend on whether you prefer to start the OpenVPN client manually or
intend to configure the OpenVPN client to start automatically when the operating system is restarted
(i.e. via an

init.d

script), as described in the following sections.

Starting the OpenVPN Client Manually

If you prefer to run the OpenVPN client manually, copy the following files from the

rgvi

directory

on the Ranger Gateway install CD to the

/etc/csw/openvpn

directory:

•

rgviClient.conf

•

rgviClient.crt

•

rgviClientWithPassword.key

•

tavveCA.crt

After the files have been copied, you will need to edit the

rgviClient.conf

file to specify the

list of Ranger Gateway candidates, as described above. Once this step has been completed, you can
run the OpenVPN client by executing the following commands:

cd /etc/csw/openvpn
/opt/csw/sbin/openvpn rgviClient.conf

ZoneRanger 5.5 User's Guide

379

«
...
377
378
379
380
381
...
»

Содержание zoneranger

Страница 1: ...ZoneRanger User s Guide Tavve Software Company www tavve com...

Страница 2: ...9 2013 The Apache Software Foundation All Rights reserved Copyright 2003 2012 Sun Microsystems Inc All Rights Reserved V1 2 x enhancements c 2005 Multiplan Consultants Ltd Copyright 2000 Just Objects...

Страница 3: ...ZoneRanger 5 5 User s Guide 3...

Страница 4: ...y configure and operate ZoneRangers within their networks Topics covered include The ZoneRanger architecture Deployment arrangements and options for ZoneRanger and Ranger Gateway Foundational concepts...

Страница 5: ...cessary prerequisite for the rest of this guide Part III ZoneRanger Services describes the proxy and management services provided by ZoneRanger and Ranger Gateway The functionality of each service is...

Страница 6: ...er Services 58 Chapter 19 Discovery 58 Chapter 20 Forwarding 61 Chapter 21 FTP Proxy 65 Chapter 22 HTTP HTTPS Proxy 67 Chapter 23 ICMP Proxy 73 Chapter 24 NTP Proxy 74 Chapter 25 Polling 77 Chapter 26...

Страница 7: ...Gateway 370 F Accessing ZoneRanger Though the Ranger Gateway 372 G ZoneRanger Technician Access 374 H Installation 375 I Installing Ranger Gateway in Solaris 10 Zones 377 J RGVI Client Installation a...

Страница 8: ...application and acts as the interface between the management application and one or more ZoneRangers Ranger Gateway functions as a transparent proxy intercepting and relaying management protocol traff...

Страница 9: ...scoSecure ACS and one with a Trap Syslog Receiver that do not have the Ranger Gateway software installed but instead interact with the ZoneRangers using Ranger Gateway software installed on another se...

Страница 10: ...approach simplifies management application configuration and enables ZoneRanger and Ranger Gateway to be used with a wide variety of management applications In addition to its role as a management pr...

Страница 11: ...authorization are not permitted to access the ZoneRanger text interface Reference documentation for the ZoneRanger text interface is provided in Chapter 32 Ranger Gateway User Interfaces Ranger Gatewa...

Страница 12: ...Figure 1 3 Ranger Gateway Command example Reference documentation for the Ranger Gateway command interface is provided in Chapter 36 ZoneRanger 5 5 User s Guide 12...

Страница 13: ...ress patterns and using these node groups in a variety of configuration rules particularly forwarding and proxy rules Pooling Redundancy VIP Grouping Mechanisms for providing high availability and or...

Страница 14: ...ne a specific list of devices from which only those devices will the ZoneRanger either receive data or send data Each of these concepts and mechanisms are described in further detail in the following...

Страница 15: ...owing address pattern 62 1 25 The wildcard character can appear in any part of the address More specific ranges can also be specified such as 64 1 2 25 1 10 Wildcard characters can also be used with h...

Страница 16: ...2 10 10 1 10 1 2 10 Address transforms can also perform simple computations For example the following address transform indicates that the first three parts of the resulting address should be 192 168...

Страница 17: ...ress transforms always refer to the corresponding part in the input address or hostname as counted from left to right Wildcard and non wildcard characters cannot be combined within a part of an addres...

Страница 18: ...wo severity categories are supported Major The problem that has been detected is significant and may affect the ability of the ZoneRanger or Ranger Gateway to provide necessary services Corrective act...

Страница 19: ...ZoneRanger appliance will be automatically rebooted This two layer audit approach helps to ensure that ZoneRanger will continue to operate reliably even when unexpected software problems occur Note t...

Страница 20: ...way Note that a profile can only be loaded on a ZoneRanger that is at the same software version as the ZoneRanger that created the profile The ZoneRanger web interface can also be used to delete profi...

Страница 21: ...and sysLocation Ranger Gateway Backups Backups of the Ranger Gateway configuration can be created and restored using the Ranger Gateway rgBackup command Only backups of the same Ranger Gateway versio...

Страница 22: ...ee management applications appl app2 app3 If there were also five specific syslog filters configured on the ZoneRanger to process syslog messages and forward those messages to each of the management a...

Страница 23: ...o routers 10 1 1 1 and 10 2 1 50 three servers 10 1 1 22 10 1 1 40 and 10 2 1 18 and one ZoneRanger 10 1 1 100 In order to facilitate different configuration settings for different device types we cou...

Страница 24: ...yServers portConfig 2 Local ZoneRanger portConfig 3 Device groups can also contain device groups For example we could define a new group called MyRoutersAndServers as follows MyRoutersAndServers MyRou...

Страница 25: ...ces located in firewall partitioned networks as if it was communicating with those devices directly The fact that the requests are intercepted and processed by the Ranger Gateway is effectively hidden...

Страница 26: ...is disabled If the GVI service is enabled and the Ranger Gateway software is stopped the route manager will automatically remove any static routes associated with the virtual interface and will reconf...

Страница 27: ...er 64 1 2 1 The figure also shows the original default routing rule 0 0 0 0 0 64 1 2 1 and a simple Proxy Map configuration indicating which ZoneRangers should be used to proxy traffic for which devic...

Страница 28: ...nd relays this traffic to the Ranger Gateway software using a UDP based communication protocol The primary advantages of RGVI are as follows The processor memory footprint of the RGVI client is consid...

Страница 29: ...ace 2 then relays this traffic to the Ranger Gateway server to which it has connected 3 4 Within the Ranger Gateway this traffic is received by the RGVI service which consults with the Proxy Access Co...

Страница 30: ...rresponding certificate authorities can be configured using the trustSSL Ranger Gateway command Note that Ranger Gateway to ZoneRanger messaging and RGVI share a common list of trusted certificate aut...

Страница 31: ...onnection attempt fails the RGVI client will attempt to connect to a different Ranger Gateway If the RGVI client has successfully connected to a given Ranger Gateway but subsequently loses connectivit...

Страница 32: ...er Gateway and ZoneRanger must authenticate each other using SSL certificates 2 The Ranger Gateway and ZoneRanger must be configured with matching passcodes4 SSL authentication when properly configure...

Страница 33: ...ateways The number of joining relationships that need to be established then depends on the number of management applications being used and the number of firewall partitioned networks to be managed I...

Страница 34: ...e Ranger Gateway License Server is lost the ZoneRanger VM license will eventually be deactivated The Administration License Activation page may also be used to choose a different license to be activat...

Страница 35: ...node towards the license limit Nodes can automatically be designated as managed during the discovery process or can be managed or unmanaged manually using the ZoneRanger web interface If the Auto man...

Страница 36: ...Manager rules SNMP Disallowed lists Node Groups are maintained on the Configuration Node Management page Node Groups tab of the ZoneRanger Web GUI Node Groups may contain any number of valid address...

Страница 37: ...er Gateway that uses the pool is configured with an understanding that each of the ZoneRangers in the pool is equally capable of relaying management protocol traffic to a given set of devices i e the...

Страница 38: ...discovery results and device status information are not propagated between redundant ZoneRangers If polling configuration settings associated with discovered devices are modified on one ZoneRanger the...

Страница 39: ...the virtual IP address each ZoneRanger also will have its own unique real address As such an alternative to using virtual IP is to configure managed devices to forward management protocol traffic to m...

Страница 40: ...ommunity in conjunction with SNMP Get Set proxy if the group name is used in place of the ZoneRanger in the community string the Ranger Gateway will select one of the joined ZoneRangers in the group t...

Страница 41: ...aged device and port config name is the name of the port configuration to be used in the second stage In the first stage the Ranger Gateway takes the src address and dest address for a given request a...

Страница 42: ...to any of the managed devices the port configuration named portConfig 2 will be used because the destination address pattern will match all destination addresses The portConfig table shows that portCo...

Страница 43: ...ll match that rule as opposed to the Default rule In order to restrict the Ranger Gateway so that only traffic originated by applications on the Ranger Gateway server itself will be processed the port...

Страница 44: ...can be enabled by adding a port configuration rule specifying TCP as the protocol For example Default TCP 300 310 TCP Note that where TCP is specified as the protocol the ZoneRanger does not provide a...

Страница 45: ...Map table using 10 10 4 5 as the destination address then will look for a matching rule in the portConfig table using 22 as the rg port Assuming the default portMap and portConfig configuration the fo...

Страница 46: ...ed to be valid When an ICMP ping request is received by the ZoneRanger if ICMP proxy caching is enabled the ZoneRanger will attempt to locate a matching caching configuration rule and a cached result...

Страница 47: ...fOperStatus should only be cached for a short period of time if at all while information that is relatively static such as the contact name for a device i e sysContact can reasonably be cached for a r...

Страница 48: ...s the target device address associated with the request at the Ranger Gateway to the corresponding device address that the selected ZoneRanger must to communicate with the target device In simple Zone...

Страница 49: ...me form of information that indicates the target DMZ device as described in the following examples Management Application 1 could initiate a proxy transaction such an ICMP echo request an SNMP Get req...

Страница 50: ...ddress The host name or IP address of the target device for a proxy transaction as indicated to the Ranger Gateway by the management application zoneranger The host name or IP address of a ZoneRanger...

Страница 51: ...cified as an address transform Using address patterns and address transforms the active proxy map configuration for the example network could be reduced to the following rg address zoneranger zr addre...

Страница 52: ...r the proxyMap command In some cases the target of a proxy transaction might be the ZoneRanger itself e g querying ZoneRanger MIB values via SNMP proxy or accessing the ZoneRanger text interface using...

Страница 53: ...d in both DMZ 1 and DMZ 2 and that virtual address spaces 10 1 1 and 10 2 1 have been configured to map to the devices in the two DMZ s Even though this approach requires some amount of effort to mana...

Страница 54: ...ntication and authorization requests from a given set of devices ZoneRanger also supports the ability to define multiple server groups and to associate different server groups with different device ad...

Страница 55: ...group 2 where the Ranger Gateway instances to be used are installed on separate servers rg3 and rg4 either Ranger Gateway instance can be used to relay traffic to either TACACS RADIUS server so additi...

Страница 56: ...roup to handle requests originated by specific devices the following steps would be required Define a new server group e g MyOtherServerGroup Insert proxy rules for the specific IP addresses or IP add...

Страница 57: ...ZoneRanger can proxy many different types of outbound data such as SNMP proxy ICMP proxy TCP Proxy etc In the case of a node licensed ZoneRanger the destination of the request will be verified as a m...

Страница 58: ...needed or configured to run periodically The first time discovery runs on a ZoneRanger the database is populated based purely on the results of analyzing configured seed nodes and ping ranges On subs...

Страница 59: ...che and Broadcast ping enabled suboptions are enabled Auto configure polling for newly discovered nodes is enabled Auto Manage newly discovered nodes is enabled The Seed Node List is populated with a...

Страница 60: ...algorithm ZoneRanger also provides a mechanism whereby the user can request that a short list of IP addresses or hostnames be scanned and incrementally added to the database When this mechanism is in...

Страница 61: ...tination the source address of the UDP information when it is received by the management application is the address of the Ranger Gateway since it sent the UDP data However The Ranger Gateway can be c...

Страница 62: ...ap Previously defined trap known by its name Enterprise ID SNMPv1 Enterprise OID of a trap or an OID prefix If the trap is not SNMPv1 its Enterprise OID is described in RFC 3584 Generic Type SNMPv1 Ge...

Страница 63: ...ecurity Level regardless of whether or not there is a configured SNMPv3 user There are some limitations when SNMPv3 users are not configured for SNMPv3 traps and informs 1 Encrypted notifications will...

Страница 64: ...log message or forwarded as an SNMP trap If the Cisco Syslog with Max Severity criteria is chosen the correct Cisco trap for the severity is generated Otherwise a Syslog trap with the specified Specif...

Страница 65: ...ation layer proxy firewall for FTP traffic enabling FTP clients to exchange files with servers located within firewall partitioned networks The following figure provides a high level overview of an FT...

Страница 66: ...han the FTP clients enabling active to passive conversion where possible is recommended from a security perspective because it ensures that all FTP data connections are originated by the ZoneRanger ra...

Страница 67: ...r HTTPS requests intended for a managed device to the actual address of the target device or an address that can be uniquely mapped to the target device The management application server is configured...

Страница 68: ...sends a SOCKS connection request to the Ranger Gateway indicating the managed device and port to which the client would like to connect The SOCKS server on the Ranger Gateway will check the Proxy Acc...

Страница 69: ...button A dialog box will open as shown in the following figure Figure 22 3 Internet Explorer LAN Settings 3 Check the Use a proxy server for your LAN box then click the Advanced button A dialog box wi...

Страница 70: ...a ZoneRanger is joined to a Ranger Gateway the Ranger Gateway allocates dedicated ports that can be used to access various services for example HTTP HTTPS SQL Telnet and SSH on the newly joined ZoneRa...

Страница 71: ...blish a proxy connection to a joined ZoneRanger simply by connecting to the Ranger Gateway s address specifying the dedicated HTTP or HTTPS port associated with that ZoneRanger as the destination port...

Страница 72: ...nd browse via a dedicated HTTP or HTTPS port to the web interface of the selected ZoneRanger by clicking the Browse HTTP or Browse HTTPS buttons on the Status tab of the Ranger Gateway Viewer s main w...

Страница 73: ...he ICMP echo request should be allowed and to identify the proxy service to which the ICMP echo request should be forwarded i e ICMP Proxy 4 The ICMP Proxy service in the Ranger Gateway consults with...

Страница 74: ...without requiring configuration of firewall rules to allow NTP traffic ZoneRanger s NTP proxy service can be configured to operate in either of two modes 1 The ZoneRanger can obtain its time from a c...

Страница 75: ...red on the specified server must include the selected index key pair 5 The ZoneRanger Acts as NTP Server option should be enabled 6 Optionally the Authenticate Client Requests option may be enabled 7...

Страница 76: ...e instead of the address of the Ranger Gateway To configure NTP proxy spoofing either use the Ranger Gateway Viewer Configure Gateway Settings menu NTP Proxy area or the configGateway command on the R...

Страница 77: ...RIfDown SNMP trap is generated as appropriate If a device is determined to have changed state a tscZRNodeUp or tscZRNodeDown trap will be generated If at least one interface of a device whose previous...

Страница 78: ...e the Configuration Polling page TCP Settings tab to configure different polling rates for an individual TCP Port as well as modifying the default TCP port polling rate Polling for a particular TCP po...

Страница 79: ...n outage using four ICMP requests over a two minute period Once the device is verified to have failed a tscZRVerifyDown SNMP trap is generated Then once the root cause is determined the tscZRSourceDow...

Страница 80: ...er that is able to relay the request to the target device 5 The ZoneRanger forwards the request to the target device 6 The target device generates a response and sends it to the requesting ZoneRanger...

Страница 81: ...sent to the address of the target device 10 4 1 2 1 The routing table in the management application server is preconfigured to route traffic destined for the 10 4 1 2 address to the GVI driver The GV...

Страница 82: ...ation in any way Another advantage is that the same mechanism can be used for other proxy services such as ICMP proxy or TCP proxy SOCKS SOCKS is a standard protocol for generic TCP and UDP proxy serv...

Страница 83: ...roxy with SOCKS The messaging flow for an SNMP proxy request using a SOCKS shim is illustrated in the following figure Note the following from this example The management application requests that a U...

Страница 84: ...or SOCKS and reliable SOCKS shims may not be available for the operating system being used In these cases an alternative SNMP proxy access mechanism will need to be selected IP Address Aliasing Most o...

Страница 85: ...27 4 ZoneRanger SNMP Proxy with IP Aliasing In order to manage this network addresses 10 2 1 1 10 2 1 2 10 4 1 1 10 4 1 2 and 10 4 1 3 would be configured as IP address aliases on the management appl...

Страница 86: ...he Ranger Gateway software is supported The main disadvantage of the IP address aliasing technique is the administrative effort required to add and maintain IP address aliases for all managed devices...

Страница 87: ...verlap The IP address of the Ranger Gateway Server is 10 254 1 1 Figure 27 5 ZoneRanger SNMP Proxy with Community String Conventions An example of the messaging flow for an SNMP proxy request is shown...

Страница 88: ...y will automatically select a ZoneRanger from this group to relay the request The only difference between formats 1 and 2 is the order of the fields The ability to configure the SNMP Proxy service to...

Страница 89: ...he community string and is used in conjunction with the IP address aliasing mechanism In some cases it may be necessary to configure the SNMP proxy service to use a non standard port value in order to...

Страница 90: ...sts as illustrated in the following figure This feature enables authentication and encryption of SNMP messages in firewall partitioned networks such as a DMZ where enhanced security is arguably most n...

Страница 91: ...s intended for a managed device to the actual address of the target device or an address that can be uniquely mapped to the target device The management application server is configured with static ro...

Страница 92: ...4855 on the Ranger Gateway After this connection is established the client application sends a SOCKS connection request to the Ranger Gateway indicating the managed device and port to which the clien...

Страница 93: ...d SSH proxy services can also be used to access the ZoneRanger text interface for joined ZoneRangers While the ZoneRanger is able to proxy both Telnet and SSH protocols SSH will typically be the prefe...

Страница 94: ...the Ranger Gateway and selected ZoneRanger will relay Telnet or SSH data between the management application s TCP connection to the Ranger Gateway and the ZoneRanger s TCP connection to the target de...

Страница 95: ...nnection request to the Ranger Gateway indicating the DMZ device and port to which the client would like to connect The SOCKS server on the Ranger Gateway will check the Proxy Access Control configura...

Страница 96: ...e protocol to be used SSH in this example 3 Verify the port value PuTTY will automatically set this value based on the selected protocol You may need to modify this value if the target device uses a n...

Страница 97: ...the Open button to establish the SSH session One advantage of SOCKS over GVI RGVI is that it is typically possible to configure the SOCKS client to route traffic for certain ports to the Ranger Gatewa...

Страница 98: ...Ranger Gateway server The SSH proxy port can be configured using the configGateway command or the Ranger Gateway Viewer Gateway Settings window Note that by default this feature is disabled and the S...

Страница 99: ...SH session The IP address aliasing approach for SSH proxy has the following advantages It can be used in cases where the Ranger Gateway software is installed on a server with an operating system that...

Страница 100: ...Gateway s address specifying the dedicated Telnet or SSH port associated with that ZoneRanger as the destination port The following figure illustrates how to use PuTTY to establish an SSH session wit...

Страница 101: ...lready used SSH to access the Ranger Gateway itself the first time you access a ZoneRanger using a Ranger Gateway dedicated port an entry is created associating the Ranger Gateway address with the Zon...

Страница 102: ...CS and or RADIUS traffic it must be joined to one or more Ranger Gateways and one or more server groups must be defined A server group is a named set of TACACS RADIUS server entries each of which cont...

Страница 103: ...y rules for TACACS and RADIUS are configured on the TACACS and RADIUS tabs Configuring ZoneRanger to use TACACS RADIUS It is also possible to configure the ZoneRanger to use TACACS or RADIUS to authen...

Страница 104: ...is used to identify the device being accessed Note that the spoofing feature requires GVI or RGVI to be enabled and configured to intercept replies directed back to the managed devices When the spoofi...

Страница 105: ...hat server For example if there are two equivalent TACACS RADIUS servers acs1 and acs2 and two Ranger Gateways rg1 and rg2 that can be used to relay requests to those servers the corresponding server...

Страница 106: ...ce address spoofing for TACACS In addition the GVI or RGVI service should be enabled and configured to intercept traffic destined for 10 1 1 0 255 255 255 0 5 On rg3 and rg4 ensure that source address...

Страница 107: ...up will need to be configured to use the same encryption key Insert IP Address If the TACACS Shared Key has been enabled it is possible to configure the ZoneRanger to insert the requesting device s ad...

Страница 108: ...roxy Rules table Each TFTP Proxy request can be processed in one of three ways indicated by Proxy Option 1 None Handle the TFTP requests locally on the ZoneRanger 2 To Gateway Send the TFTP Requests t...

Страница 109: ...ox In this case ZoneRanger generates a single use TCP proxy rule based on the SNMP set proxied via the Ranger Gateway Note this feature is triggered by sets using the CISCO CONFIG COPY MIB Cisco IOS s...

Страница 110: ...ill also be logged if Traffic logging is enabled to Short On the ZoneRanger the amount of traffic for each Traffic Type for each IP address will also be measured The amount of traffic will also be log...

Страница 111: ...h are not in the whitelist will be ignored This includes telnet SSH HTTP and HTTPS requests It is able possible to configure the ZoneRanger to apply the whitelist to Outbound information If enabled Ou...

Страница 112: ...which may be used to interaction with the system and are described in detail in the following chapters ZoneRanger Web Interface Chapter 33 Ranger Gateway Viewer Chapter 34 ZoneRanger Text Interface Ch...

Страница 113: ...sts of a set of activity indicators which give a indication when a particular ZoneRanger service is in use When an activity indicator flashes ZoneRanger is performing tasks associated with the indicat...

Страница 114: ...ds TACACS requests and responses TCP Proxy Outbound Flashes intermittently while ZoneRanger sends TCP requests and responses TFTP Proxy Flashes intermittently while ZoneRanger sends TFTP requests and...

Страница 115: ...s in a category appears in a number at the right of the inventory bar for the category You can mouse over the inventory bar to see a count of devices associated with each status Color Description Gree...

Страница 116: ...e access to the entire ZoneRanger menu Users with Operator access have access to the Home and View menus The items available in each category are described in the following sections Administration Bac...

Страница 117: ...be used to manually start the Discovery process When discovery is in progress the Administration Discovery page displays discovery progress and the Discovery activity indicator on the ZoneRanger dash...

Страница 118: ...in progress As discovery progresses the numbers in the Counts column converge for each of the entities begin scanned access1The Recent Events table shows the 25 most recently reported discovery event...

Страница 119: ...added devices until a full discovery is executed Profiles You can use the Administration Profiles page to load save and manage ZoneRanger profiles You can save a ZoneRanger profile on the ZoneRanger...

Страница 120: ...Activation The Administration License Activation page may be used to activate a ZoneRanger VM so that it may process management traffic A ZoneRanger VM may obtain a license by either retrieving a lic...

Страница 121: ...ger Gateway Ranger Gateway The Ranger Gateway License Server Available The number of available licenses of this type Used The number of allocated licenses of this type Expiration The day on which this...

Страница 122: ...Pending Token must be entered in the Load License Activation Key section The Pending Token must be provided to Tavve Software which will return an activation key When the activation key is entered and...

Страница 123: ...zero since there is some cache overhead Route Management The Administration Route Management page may be used to add and remove network routes from the ZoneRanger Figure 34 10 Administration Route Man...

Страница 124: ...rvice dump file to Tavve Support Usually a standard service dump contains all necessary troubleshooting data However Tavve Support might occasionally request a targeted service dump that contains spec...

Страница 125: ...f IP addresses which ZoneRanger has determined to have the same SNMPv3 Engine ID Each SNMP Agent t hat supports v3 has a unique Enigne ID associated with that agent When a ZoneRanger issues an SNMP v3...

Страница 126: ...must be configured on the Configuration SNMP page Manager tab To change SNMPv3 passwords using the configuration tool perform the following steps from the Administration SNMP page SNMPv3 Passwords tab...

Страница 127: ...tion between Ranger Gateways and ZoneRangers use SSL for authentication and encryption of transmitted data The SSL configuration on each ZoneRanger or Ranger Gateway consists of two parts 1 Configurin...

Страница 128: ...e file For X 509 Certificate and Private Key you will need the following 1 The PEM file containing the public private key pair for the new certificate 2 The password to read the PEM file 3 The new cer...

Страница 129: ...definitions xml Windows install_dir ZRCustom trap definitions xml where install_dir is the directory where the Ranger Gateway software was installed The trap definition file uses a simple NMS neutral...

Страница 130: ...proxied through a joined Ranger Gateway User authentication is organized through the use of Server Groups Incoming authentication requests are sent to the TACACS or RADIUS server determined by the no...

Страница 131: ...he password is setup The user and the password for the Setup User security level may both be changed The password must contain at least five alphanumeric characters Special characters are not accepted...

Страница 132: ...or Node Group see Chapter 2 TACACS requests received by a ZoneRanger and TACACS responses sent by a ZoneRanger can be written to a log file called log tacacsProxy log This log can be downloaded using...

Страница 133: ...h a Ranger Gateway using TACACS proxy The Access Mode dropdown determines which method the ZoneRanger should use to authenticate with a TACACS server When authenticating the ZoneRanger itself using TA...

Страница 134: ...l TACACS servers ZoneRanger will choose from the listed TACACS servers with which it has most recently authenticated successfully If the current authentication fails the ZoneRanger will use additional...

Страница 135: ...one Server Group or may be configured to communicate directly to a RADIUS server The Proxy Rules section is used to define which server group is selected for each incoming RADIUS request Thus ZoneRan...

Страница 136: ...henticate directly to a RADIUS server or through a Ranger Gateway using RADIUS proxy The Access Mode dropdown determines which method the ZoneRanger should use to authenticate with a RADIUS server Whe...

Страница 137: ...vers if a timeout has not yet occurred An optional RADIUS Shared Key may be specified in the RADIUS Shared Key field to be used to encrypt and decrypt RADIUS messages Configuring Server Groups Server...

Страница 138: ...rem_addr field of authentication START authorization REQUEST and accounting REQUEST messages so that TACACS servers can log the original source of the TACACS request In order to use this option all de...

Страница 139: ...d Note To use root cause correlation you must check Search for Additional Nodes This examination of network connectivity is required to build the root cause correlation rules Using additional advanced...

Страница 140: ...y add to the ZoneRanger databases If Search for additional nodes is enabled on the Options tab the list of seed nodes will also be used as a starting point for additional discovery You can add seed no...

Страница 141: ...and interface tables and to addresses found by broadcast pings and root cause path analysis Filtering does not apply to addresses specified in seed nodes In effect seed nodes override filtering Note I...

Страница 142: ...efines the different TCP services that the ZoneRanger will discover and monitor The TCP port list on this tab is initially populated with common TCP services Figure 34 30 Configuration Discovery page...

Страница 143: ...tab provide a mechanism to map the sysObjectId of discovered devices to a device type enabling you to identify routers and switches Figure 34 31 Configuration Discovery page Device Types tab ZoneRange...

Страница 144: ...will ultimately receive the data Must be reachable by the Ranger Gateway Destination Port Port on the Destination Host where the data will be sent Filter Additional filtering options for Trap and Sysl...

Страница 145: ...To filter on a certain type of criteria check the box to the left of the criteria label and enter the desired filtering criteria If multiple criteria are selected a Syslog message must match all selec...

Страница 146: ...more concisely organize multiple forwarding rules with the same set of destinations Each destination group is comprised of a set of rules Each rule is comprised of a Ranger Gateway or Data Diode and t...

Страница 147: ...rap Specific Trap SNMPv1 Specific Type of a trap Trap OID SNMPv2c Trap OID of a trap or an OID prefix Variable Binding Variable binding value of a trap defined by an index starting at 1 An may be used...

Страница 148: ...characters will be discarded Warning messages will be logged in the View System Log for discarded syslog messages Discarded messages will be logged if Forwarding logging is set to Short or Full Inbou...

Страница 149: ...use in the trusted network This option is only valid for Through Gateway transactions Port Port to use on the remote TFTP server Proxy Option Description None All TFTP transfers are between the clien...

Страница 150: ...OS software release 12 0 and the OLD CISCO SYSTEM MIB OLD CISCO FLASH MIB Cisco IOS software release 10 2 and later The SNMP triggered rules timeout field specifies the maximum life span for the SNMP...

Страница 151: ...ging levels are Log Level Description None Logging is off Short Message header is logged Full Entire message is logged This NTP Proxy log can be downloaded by the downloadFile command on a Ranger Gate...

Страница 152: ...and the Save button is clicked ZoneRanger management services become unavailable for that node For example the node along with its interfaces and TCP ports is no longer polled The node does not appea...

Страница 153: ...the Node Group must be prefixed with For example the Node Group webservers would be represented in configurations as webservers Note that Node Groups may not contain hostnames Configuring device type...

Страница 154: ...wnloadFile command on a Ranger Gateway The log file is called log tcpProxy log The log file may also be viewed on the View Service Logs page Configuring ICMP Proxy ZoneRanger has the capability to pro...

Страница 155: ...ed Store unsuccessful ICMP responses Time to Cache Length of time to store unsuccessful ICMP responses Time Units Units of time to store unsuccessful ICMP responses If an address matches more than one...

Страница 156: ...nger group On the Configuration Peers page Group tab the Group Name is used to filter duplicate information from multiple ZoneRangers reporting to the same Ranger Gateway Redundant ZoneRangers always...

Страница 157: ...rtual IP address may be shared by redundant ZoneRangers A virtual IP address is a secondary IP address which one of the redundant ZoneRangers is configured to support If that ZoneRanger becomes unavai...

Страница 158: ...ilability of the virtual IP address If this timeout is reached another redundant ZoneRanger will assume control of the virtual IP address The Heartbeat Timeout must be at least twice the Heartbeat Int...

Страница 159: ...e selected nodes Figure 34 47 Configuration Polling page Interface Settings tab Configuring polling settings The Configuration Polling page Interface Settings tab displays a table of interface polling...

Страница 160: ...th individual interfaces or common interface polling settings with groups of interfaces for example all interfaces on a specified node or all interfaces with IP addresses matching a specified wild car...

Страница 161: ...P port status propagation for specific services can be enabled or disabled for all nodes If status propagation is enabled TCP port status affects node status Thus if polling fails for one or more TCP...

Страница 162: ...n with the specified passcode When joining to a Ranger Gateway from a ZoneRanger the ZoneRanger passcode must be configured to match the Ranger Gateway passcode for the request to succeed If the join...

Страница 163: ...a messaging connection to the ZoneRanger but the ZoneRanger will not be allowed to initiate a connection to the Ranger Gateway The typical application of restricted addresses is the case where a Zone...

Страница 164: ...ertificate issued by the Tavve internal certificate authority with the following subject identity CN ZoneRanger OU Engineering O Tavve L Morrisville ST North Carolina C US Similarly each Ranger Gatewa...

Страница 165: ...ggered by status polling failures that determines which device is the root cause of the problem and which devices are impacted by the root cause device The root cause service divides root cause analys...

Страница 166: ...stination to the configured mail server The Send Test Email button can be used to verify that the configuration parameters are correct The Show Advanced Options button can be used to specify the actio...

Страница 167: ...ting ZoneRanger such as ZoneRanger1 dmz1 Note The domain in this address cannot be localhost which Ranger Gateway does not recognize Ranger Gateway for sending Email Notifications Ranger Gateway thoug...

Страница 168: ...variable bindings This SNMP Proxy log can be downloaded by the downloadFile command on a Ranger Gateway The log file is called log snmpProxy log The log file may also be viewed on the View Service Log...

Страница 169: ...me limitations when SNMPv3 users are not configured for SNMPv3 traps and informs 1 The type of notification trap or inform cannot be determined for encrypted notifications 2 Encrypted notifications wi...

Страница 170: ...is used that is SNMPv2c requests are converted to SNMPv1 Wildcards specified by may be used at the end of the community string When using wildcards the preceding portion of the community string will b...

Страница 171: ...and privacy are applied Auth Protocol Authentication protocol Auth Password Authentication password used if authentication is applied Privacy Protocol Encryption Protocol Privacy Password Encryption p...

Страница 172: ...cally add configuration rules to the Manager and User tables based on successful test results Configuring the SNMP Preferred Address Some devices having multiple IP interfaces might be configured so t...

Страница 173: ...section a set of Targets OID trees and whether or not to disallow an Get or Set to those Targets When an SNMP Proxy Get or Set request is received with a disallowed OID the OID is removed from the re...

Страница 174: ...figuration SNMP page Agent tab The Community String defines the community string to respond to when using SNMPv1 or SNMPv2c The Users list defines which users the ZoneRanger agent will respond to when...

Страница 175: ...dicate which addresses should have their SNMP responses cached based on the following information Setting Description OID OID of SNMP request beginning with the listed OID Cache Whether or not cache t...

Страница 176: ...e speed However if necessary the interface speed and duplex type may be specified on the IP tab If the ZoneRanger is connected to a 802 1q VLAN trunk the Connect to VLAN trunk check box should be sele...

Страница 177: ...This is useful when no DNS server is available If the Secondary DNS enabled check box is checked ZoneRanger acts as a caching DNS server Note Saving any changes on this tab results in a ZoneRanger res...

Страница 178: ...the NTP server through the specified Ranger Gateway NTP Server NTP server to use for time synchronization Key Authentication key to use to validate time with NTP server Values are retrieved from NTP K...

Страница 179: ...ding on the type of port Below are the service options Service Option Description eth0 and eth1 Enabled for both interfaces disabled Port is disabled Ranger Gateway Only Port is disabled but service i...

Страница 180: ...62 used to receive external SNMP traps SSH SSH port 22 used to connect to the ZoneRanger configuration The Ranger Gateway Only disables direct access to SSH but permits proxy access through a joined R...

Страница 181: ...d proxied The ZoneRanger can also be configured to monitor thresholds by Traffic Type and to send an SNMP trap if a threshold is exceeded The Configuration Traffic page is used to configure the thresh...

Страница 182: ...each one second interval and the highest rate is saved and used to compare with the configured thresholds As an example if the SNMP threshold is configured for 100 requests sec and the interval is 5 m...

Страница 183: ...d a threshold is exceeded a ZoneRanger audit message will be displayed as well as a message will be logged in the ZoneRanger System log If the Send a trap when a threshold is exceeded checkbox is chec...

Страница 184: ...a threshold is exceeded checkbox is checked the ZoneRanger will also generate an SNMP trap containing information about the exceeded threshold Whitelist ZoneRanger can receive data from many different...

Страница 185: ...sts This applies to Discovery Root Cause Diagnostics Join Redundancy requests as well as proxy requests received from joined Ranger Gateways Network servers should as DNS and NTP must also be added to...

Страница 186: ...e the Traceroute tool the FindRoute tool uses SNMP to determine the route between hosts The SNMP settings used are those configured on the Configuration SNMP page Insertion Tools ZoneRanger provides a...

Страница 187: ...ext is generated The test message is followed by a count of the number of test messages sent since you most recently logged into ZoneRanger If the Syslog Forwarding activity indicator flashes this ind...

Страница 188: ...unreachable there could be a significant timeout for each tested TCP port Using the SNMP interface scan diagnostic The SNMP interface scan diagnostic scans the interface table on the specified addres...

Страница 189: ...ngs check box Otherwise uncheck the box to specific alternate SNMP information Using the SNMP Engine IDs diagnostic The SNMP Engine IDs diagnostic discovers the SNMP v3 Engine ID for the specified nod...

Страница 190: ...ddresses using the SNMP Engine ID of the specified device will also be reported SNMP Engine Ids discovered using this diagnostic page will not be cached SNMP Engine IDs are only cached when discovered...

Страница 191: ...n request is performed If use the ZoneRanger s configured values is selected the values for Service Protocol and Command already configured on the ZoneRanger will be used in the authorization request...

Страница 192: ...ormance of the command View Database During discovery ZoneRanger builds a database containing information about discovered nodes interfaces networks and TCP ports The View Database page enables you to...

Страница 193: ...page enables you to view network reports for resolved IP addresses resolved nodes and devices that support SNMP Figure 34 82 View Network Reports page Viewing the Resolved IP Addresses report The View...

Страница 194: ...he list of unresolved nodes The lists are built using IP addresses captured during discovery Figure 34 83 View Network Reports page Resolved Nodes tab During discovery ZoneRanger uses ICMP requests to...

Страница 195: ...ere accessible using SNMP and which were not as of the last time discovery was performed To update the report based on current device status and configuration click Test The update process can take a...

Страница 196: ...e Diagnostics Ping Scan page for the indicated node or interface Status colors have the following meeting Color Status Green Normal Yellow Marginal Red Critical Blue Unknown Not configured for polling...

Страница 197: ...will be removed from the dashboard Each section may also be moved or removed Root Causes The View Root Causes page displays information about outstanding root causes A root cause is the entity underl...

Страница 198: ...boxes enable you to specify the time period for which you want to view log entries If you uncheck the From check box the start time is unbounded in other words the start of the period is the time of...

Страница 199: ...ul in determining the level of processing a particular service is experiencing Statistics may be updated by using the Refresh Selected button Statistics may be reset set to 0 by using the Reset Select...

Страница 200: ...ch match the specified criteria as well as to automatically update the display when a new syslog message is received by the ZoneRanger which matches the criteria To stop automatically updating the dis...

Страница 201: ...ns see the system log View System Log System Information The View System Information page displays information about the ZoneRanger system the status of joined Ranger Gateways and the patch history Fi...

Страница 202: ...layed in square brackets at the end of the entry The system log contains the following types of entries Status Description INFO Information entries generally report events that occur normally WARN War...

Страница 203: ...ally updating the display with the specified criteria click the Stop Updating button The View System Log page will remain in the automatic update mode until the Stop Updating button is clicked or the...

Страница 204: ...ffic Data button will cause the display to update when the current measurement interval has changed To stop automatically updating the display click the Stop Updating button The View Traffic Informati...

Страница 205: ...al This is reported for up to a 60 second interval Peak traffic analysis can be used to measure the magnitude and duration of traffic bursts A high one second rate accompanied by decreasing rates for...

Страница 206: ...adFile command on a Ranger Gateway The log file is called log trapd log The Show Matching Traps and Automatically Update button may be used to view current traps which match the specified criteria as...

Страница 207: ...User s Guide The ZoneRanger User s Guide will be displayed in a separate window or tab ZoneRanger 5 5 User s Guide 207...

Страница 208: ...nger Gateway Viewer A splash screen will be displayed briefly while the Ranger Gateway Viewer is starting up then the main Ranger Gateway Viewer window will be displayed as shown in the following figu...

Страница 209: ...t Mouse over displays a brief summary of audit results Clicking displays a complete summary of audit results Root Cause Status Current ZoneRanger root cause status Mouse over displays a brief summary...

Страница 210: ...n the Ranger Gateway is requesting information from the selected ZoneRanger This message normally appears for only a few seconds If it appears for a significant amount of time then the Ranger Gateway...

Страница 211: ...lem is resolved for the Ranger Gateway to remove the corresponding audit result and it can take up to a full Ranger Gateway Viewer refresh cycle for the removal of that result to be reflected on the R...

Страница 212: ...same effect as clicking the Cancel button The settings pane content for each of the listed categories is described in the following sections Gateway Settings General The Gateway Settings General wind...

Страница 213: ...ined ZoneRangers and Ranger Gateways must use the same port HTTP Port Enabled When checked the Ranger Gateway will listen for HTTP requests on the configured HTTP Port and will return a web page listi...

Страница 214: ...e managed by the ZoneRanger If the checkbox is disabled the source address in these requests will be the address of the Ranger Gateway The Spoof RADIUS Client Requests checkbox governs the source addr...

Страница 215: ...the group name in the Device Group list and click Modify To remove a Device Group right click on the group name in the Device Group list and click Delete Due to the frequency that addresses will be q...

Страница 216: ...isabled the source address will be the address of the Ranger Gateway Note The mechanism that the Ranger Gateway uses to spoof source addresses may be prevented by Windows XP security updates so the Sp...

Страница 217: ...The GVI Routes list specifies the set of addresses that should be routed to the virtual interface An address may be specified as a entire subnet e g 10 0 0 0 255 255 255 0 or a specific address e g 1...

Страница 218: ...value is the number of seconds to wait for a response from the ZoneRanger for each ICMP request Gateway Settings Inbound TCP Proxy The Gateway Settings Inbound TCP Proxy window provides the mechanism...

Страница 219: ...e address in TCP proxy requests from ZoneRanger sent from the Ranger Gateway to an application will be the source address of the original sending device managed by the ZoneRanger If the checkbox is di...

Страница 220: ...log ICMP Proxy icmpProxy log NetFlow Forwarding netflow log NTP Proxy ntpProxy log Port Map portMap log Proxy Map proxyMap log RADIUS Proxy radiusProxy log RGVI rgvi log sFlow Forwarding sflow log SNM...

Страница 221: ...r with the source address of the Ranger Gateway or the source address of the ZoneRanger managed device When the Spoof NTP Client Requests checkbox is enabled the source address in NTP requests sent fr...

Страница 222: ...y select any joined ZoneRanger to proxy the request If this option is disabled the Proxy Map service will only select ZoneRangers to handle proxy requests based on configured rules If no matching rule...

Страница 223: ...te select the route and click the Delete button The Weight field indicates the relative cost of each proxy map route If there are more than one proxy map routes which match an incoming request the low...

Страница 224: ...t device or a translation rule that can be used to calculate the port that should be used based on the rg port When the Transport field is ICMP all of the other fields are ignored To modify the name o...

Страница 225: ...te a Port Map rule select any field in the rule and click the Delete button The order of Port Map rules is important since the Port Config ruleset to be used for an incoming request will be the first...

Страница 226: ...re configured in this list The Add button displays a new Add RGVI Client dialog window which is used to configure a new entry in the RGVI Clients list Each entry consists of two parts 1 An IP address...

Страница 227: ...multiple entries may match a given client so the order of the entries in the RGVI Clients list becomes important Important Note The set or host subnet addresses to be intercepted by an RGVI client is...

Страница 228: ...scribed in further detail in Appendix C SOCKS is a standard networking proxy protocol that enables SOCKS aware applications to communicate TCP and UDP protocols through a SOCKS server without requirin...

Страница 229: ...tination Port settings can be defined The SSH Proxy Port field specifies the port on which Ranger Gateway will listen for SSH Proxy requests The default is 4822 The SSH Proxy Destination Port field sp...

Страница 230: ...cified the hostname or IP address to which status traps should be sent The Destination Port field specifies the destination port that should be used when sending status traps Gateway Settings TFTP Por...

Страница 231: ...r managed devices The Write Directory field specifies the directory where TFTP files should be written when proxying files from ZoneRanger managed devices Gateway Settings Traffic The Gateway Settings...

Страница 232: ...gory is all of the traffic of a particular type either received from or proxied to all joined ZoneRangers The Per ZoneRanger category is all of the traffic of a particular type either received from or...

Страница 233: ...verall or Per ZoneRanger thresholds then an SNMP Trap will be generated if a threshold is exceeded The traffic rate is calculated for each one second interval and the highest rate is compared with the...

Страница 234: ...set for 100 requests sec the interval is 5 minutes and a burst of 105 proxy requests occurs during one second and even if no other SNMP requests are received during the 5 minutes the maximum one seco...

Страница 235: ...the configuration shown in the previous figure the Ranger Gateway Viewer will simply look to see if any of netscape mozilla firefox or opera can be found using the configured operating system path an...

Страница 236: ...the directory where the Ranger Gateway software is installed To transfer a file from the Ranger Gateway to the selected ZoneRanger select the file in the Upload Directory list Then click Upload File T...

Страница 237: ...Gateway software is installed Before attempting to apply a patch you must copy the corresponding patch file into the Ranger Gateway s patch directory To upload an available patch select the patch in...

Страница 238: ...Shutdown window Help Help Contents The Help Help Contents window contains detailed information about the configuration options available from the Ranger Gateway Viewer This window is also available fr...

Страница 239: ...ZoneRanger 5 5 User s Guide 239 Figure 35 32 Help About Ranger Gateway Window...

Страница 240: ...have a particular behavior Question Mark Question mark produces contextual help based on the preceding text Backslash Escapes the next character to remove any special processing of the next character...

Страница 241: ...orm a tcp or snmp scan shell Shell settings show Display values snmp SNMP settings snmpwalk Perform a diagnostic snmpwalk system System operations tacacs TACACS proxy settings tcp TCP proxy settings t...

Страница 242: ...user User to configure user_name User name to configure password Password for user Must be at least 5 characters administrator User is administrator level operator User is operator level no Deletes th...

Страница 243: ...ess_host TACACS_Port RADIUS_Auth_Port RADIUS_Acct_Port no group entry ranger_gateway access_host TACACS_Port RADIUS_Auth_Port RADIUS_Acct_Port group entry Adds an access control server to the group ra...

Страница 244: ...ry settings on a ZoneRanger To remove a discovery setting use the no form of this command discovery auto manage auto poll exclude network ignored address include network pe riod ping ranger search see...

Страница 245: ...aging newly discovered devices discovery auto poll no discovery auto poll auto poll Automatically poll newly discovered devices no Disables automatic polling of newly discovered devices discovery excl...

Страница 246: ...ry ping range ip_address_pattern ping range Ping ranges to discover ip_address_pattern IP address pattern to look for new devices no Deletes a ping range discovery search ip route arp cache broadcast...

Страница 247: ...ds Example This example shows how to create a set of discovery rules zr discovery auto manage zr discovery auto poll zr discovery include network 10 0 0 0 255 0 0 0 zr discovery exclude network 11 10...

Страница 248: ...level netflow generic sflow snmp syslog syslog options trap options Syntax Description dest group Destination Groups log level Logging level for forwarding netflow Netflow forwarding rules generic Ge...

Страница 249: ...est group Adds an already defined destination group as a rule group_name Destination group name to add as a rule data diode Adds Data Diode as the destination rule no Removes a destination group entry...

Страница 250: ...ZoneRanger should forward Generic UDP packets dest group Forward to destination group group name Destination group to which to forward Generic UDP packets data diode Forward to Data Diode destination...

Страница 251: ...enable disable local_port ZoneRanger port to receive syslog messages ranger_gateway Hostname or IP address of a joined Ranger Gateway destination_host Hostname or IP address to which ZoneRanger shoul...

Страница 252: ...verity filter convert trap trap_type no convert trap trap_type convert Forward syslog as another type trap_type Trap specific type for non Cisco traps no Deletes the convert filter facility facility n...

Страница 253: ...ination_host_port source_addresses enable disable no forward trap local_port ranger_gateway destination_host dest group group name data diode destination_host_port source_addresses enable disable loca...

Страница 254: ...r Forward traps matching a filter filter_name Name of the trap filter to use no Deletes the trap filter Examples This example shows how to create a netflow forwarding rule for ZoneRanger port 9996 thr...

Страница 255: ...commands to recall zr history 50 icmp To manage the ICMP proxy settings for this ZoneRanger To remove a ICMP proxy setting use the no form of this command icmp cache log level no icmp cache log level...

Страница 256: ...minutes hours position index rule ICMP proxy caching rule for this ZoneRanger ip_address_pattern IP address pattern to use for this ICMP proxy rule positive cache Set positive response caching time fo...

Страница 257: ...passcode Syntax Description passcode Specifies the passcode passcode Passcode to use for this ZoneRanger Usage Guidelines To set the passcode for this ZoneRanger Example This example shows how to set...

Страница 258: ...starting at 1 no Delete message system restricted address rule message system ssl trusted subject word position index no message system ssl trusted subject word position index ssl Configure the SSL Tr...

Страница 259: ...group no remove or use default settings group entry ip_address_pattern no group entry ip_address_pattern group entry Adds an ip address pattern to the group ip_address_pattern IP address pattern or an...

Страница 260: ...dex position is specified the rule is placed at the bottom of the list ntp client timeout timeout no ntp client timeout timeout client timeout Amount of time a ZoneRanger waits for a message from an N...

Страница 261: ...dex Index position of NTP proxy rule starting at 1 no Delete NTP proxy server rule ntp server timeout timeout no ntp server timeout timeout server timeout Amount of time a ZoneRanger waits for a messa...

Страница 262: ...terface clause takes an optional index position which determines its place relative to the other rules The indices start at 1 If no index posi tion is specified the rule is placed at the bottom of the...

Страница 263: ...s control settings on the ZoneRanger To remove a RADIUS access control setting use the no form of this command radius access control client timeout log level proxy rule server timeout no radius access...

Страница 264: ...el none short full no radius log level log level Configure logging level for RADIUS none No logging default short RADIUS message header is logged full RADIUS message is logged no Delete RADIUS log lev...

Страница 265: ...ZoneRanger resolve address Syntax Description address Hostname or IP address to resolve Usage Guidelines Command to perform a diagnostic name resolution of a hostname or IP address Example This examp...

Страница 266: ...commas ranger gateway Send email through specified Ranger Gateway rg Joined Ranger Gateway through which to send email recipients List of email recipients addresses Email addresses separated by commas...

Страница 267: ...e ZoneRanger routing table delete Delete a route from the ZoneRanger routing table view View the ZoneRanger routing table Usage Guidelines Each of the route commands will take effect immediately when...

Страница 268: ...w to add and remove a route from the ZoneRanger zr route add 10 1 2 3 255 255 255 255 10 1 2 1 zr route commit 10 1 2 3 255 255 255 255 10 1 2 1 zr route view zr route delete 10 1 2 3 255 255 255 255...

Страница 269: ...mand shell level Debug level which is 1 15 Usage Guidelines Command to modify options of the text interface shell Example This example shows how to modify command shell options zr shell output lines 1...

Страница 270: ...figuration tftp Display TFTP configuration traffic Display Traffic configuration trap filter Display Trap Filter configuration version Display ZoneRanger version whitelist Display Whitelist configurat...

Страница 271: ...ring contact contact_string location loc_string user user_name v1 v2c v3 agent Configure the ZoneRanger SNMP agent community Configure the ZoneRanger SNMP community string comm_string ZoneRanger SNMP...

Страница 272: ...SNMP proxy caching rule starting at 1 no Delete SNMP proxy caching log level snmp disallowed ip_address_pattern no snmp disallowed ip_address_pattern disallowed Configure the list of IP addresses disa...

Страница 273: ...MP community string v1 Use SNMP v1 for this rule v2 Use SNMP v2 for this rule v3 Use SNMP v3 for this rule user SNMP v3 user to use with this rule timeout Specify how long SNMP request should wait tim...

Страница 274: ...ser_name SNMP v3 user name authentication SNMP v3 authentication type md5 Use MD5 authentication sha Use SHA authentication auth_password Authentication password must be at least 8 characters privacy...

Страница 275: ...gnostic snmpwalk to a hostname or IP address from the ZoneRanger snmpwalk address v1 v2c v3 Syntax Description address Hostname or IP address to which to make SNMP request Usage Guidelines Command to...

Страница 276: ...igure ZoneRanger DNS settings host Configure ZoneRanger host name list port Configure ZoneRanger ports property Configure ZoneRanger properties reboot Reboot ZoneRanger restart Restart ZoneRanger soft...

Страница 277: ...p_address IP address with which to associate a hostname hostname Hostname to associate with IP address alias_list List of aliases to associate with IP address May be a space separat ed list enclosed i...

Страница 278: ...g level max size proxy rule server timeout Syntax Description access control Configure the TACACS access control for the ZoneRanger itself client timeout Timeout for TACACS client session log level Le...

Страница 279: ...Require TACACS authorization request to include command direct server entry Authenticate directly to TACACS server address Hostname or IP address of TACACS server port Port to use for authentication o...

Страница 280: ...default short TACACS message header is logged full TACACS message is logged no Delete TACACS log level tacacs proxy rule ip_address_pattern server_group position index no tacacs proxy rule ip_address...

Страница 281: ...e FTP sessions to passive sessions log level Configure the TCP proxy logging level Usage Guidelines Each of the TCP commands will take effect immediately when executed tcp ftp active to passive no tcp...

Страница 282: ...t Basic information is logged full Additional information including TFTP rule is logged no Disable TFTP proxy logging tftp proxy rule ip_address_pattern read write create to ranger_gateway remote_host...

Страница 283: ...To configure the time setting on the ZoneRanger itself To remove a time setting use the no form of this command time gateway ntp time protocol no time gateway ntp time protocol Syntax Description gat...

Страница 284: ...ough Ranger Gateway ranger_gateway Retrieve ZoneRanger time from a NTP server through this joined Ranger Gateway ntp_server NTP server name from which to retrieve time key_index Authentication key ind...

Страница 285: ...on forwarded Configure the forwarded traffic thresholds interval Interval to check traffic thresholds in seconds log level Level of traffic logging on the ZoneRanger proxied Configure the proxied traf...

Страница 286: ...No logging default short Traffic totals are logged at each measurement interval full Traffic counts per IP address are logged at each measurement interval no Delete traffic log level traffic proxied a...

Страница 287: ...rue to pass filter any condition At least one condition must be true to pass filter cancel Exit this mode without saving any changes clear conditions Clear all conditions condition Define a new condit...

Страница 288: ...filter_name Specify an already defined trap filter no Deletes this condition condition generic type no condition generic type condition Adds a filtering condition generic Specify generic trap conditi...

Страница 289: ...n index Specific variable binding index to use to match against trap Starts with 1 value Value of variable binding to use to match against trap no Deletes this condition condition version 1 2c 3 no co...

Страница 290: ...lete an IP address pattern enforce outbound requests Blocks all traffic with addresses outside of the whitelist exit exit server group mode saving changes list Lists the IP Address patterns no Disable...

Страница 291: ...the commands The commands are installed in the following directories depending on the platform Operating System Directory Linux install_dir bin Solaris install_dir bin Windows install_dir bin where in...

Страница 292: ...l of the ZoneRanger or Ranger Gateway debugString Displays debugging information from particular ZoneRanger and Ranger Gateway services deleteRoute Removes an entry from the ZoneRanger routing table d...

Страница 293: ...requesting client and the destination address of the target device used in Proxy Access Control proxyMap Manages the contents of the active proxy map as well as the configurations setting of the Proxy...

Страница 294: ...rk_mask gateway_addr metric zoneranger specifies the name of the ZoneRanger to add the route network_addr specifies the network IP address of the route to be added network_mask specifies the network m...

Страница 295: ...ddr network_mask gateway_addr zoneranger specifies the name of the ZoneRanger to commit the route network_addr specifies the network IP address of the route to be added network_mask specifies the netw...

Страница 296: ...s All joined ZoneRangers and Ranger Gateways and redundant ZoneRangers must use the same port netflow_forward_log Level of logging for NetFlow forwarding values none short full ntp_proxy_log Level of...

Страница 297: ...g ssh_proxy_port ssh_proxy_port Port on which Ranger Gateway listens for SSH Proxy requests The default is 4822 ssh_proxy_port_enabled Whether or not the Ranger Gateway will listen for SSH proxy reque...

Страница 298: ...ts the Ranger Gateway configuration configLicenses configLicenses list load filename export filename list displays the list of licenses loaded on this Ranger Gateway load can be used to load a new set...

Страница 299: ...ord kp_password keyEntryPassword ke_password key_file specifies the file in keystore format containing the SSL keys and certificates kp_password specifies the password to access the keystore file ke_p...

Страница 300: ...y TACACS servers already configured may be displayed or removed by the configTacacsServers command configTraffic configTraffic subcommand arguments configTraffic configures traffic thresholds enables...

Страница 301: ...hecking notify enables and disables notification when a threshold is exceeded per_zr specifies the threshold notification is on a per IP address basis forwarded specifies the threshold notification is...

Страница 302: ...ed to the Ranger Gateway debugLevel debugFilter zoneranger set level 1 15 jni set level 1 15 zoneranger specifies the name of the ZoneRanger set sets the overall debug level default is 4 jni sets the...

Страница 303: ...be inspected and edited using a text editor then installed on the Ranger Gateway when required modifications have been completed As a convenience a device group called ZoneRanger is available which i...

Страница 304: ...group table is used If no output file is speci fied the resulting configuration is automatically copied to the active device group table If an output file is specified the resulting configuration is...

Страница 305: ...he specified file and the active device group table is unchanged deviceGroup list in input_file group name address in indicates the name of the input file containing device group information group nam...

Страница 306: ...listed If an item is specified with no value the current value of the specified configuration item is displayed If an item and a value are specified the value of the specific configuration item is se...

Страница 307: ...ied ZoneRanger discovery starts the discovery service on the specified ZoneRanger or gives the status of a currently running discovery service downloadFile downloadFile zoneranger list filename zonera...

Страница 308: ...tart ksh gateway start ksh gateway start ksh starts the Ranger Gateway software This command ignores any arguments Linux and Solaris only gateway stop ksh gateway stop ksh gateway stop ksh stops the R...

Страница 309: ...tatus of the GVI service The gvi status subcommand indicates whether the GVI service is currently enabled or disabled and displays any errors or warnings that were generated during the most recent rou...

Страница 310: ...ubnet or individual IP address to add to the GVI route list gvi add route subcommand adds one or more subnets or individual IP addresses to GVI route list The route manager within the GVI service main...

Страница 311: ...e f option is specified the user is not prompted for confirmation gvi config item value gvi config can be used display or modify configuration items associated with the GVI ser vice The configuration...

Страница 312: ...ied the listStatistics command operates on the Ranger Gateway statistics listTcpPorts listTcpPorts zoneranger zoneranger specifies the name of the ZoneRanger from which to list TCP ports optional list...

Страница 313: ...ave patchfile Ranger Gateway patch filename as provided by Tavve Support noserver specifies to not check if the Ranger Gateway is running before installation nosave specifies to not save backup of cha...

Страница 314: ...include the pat file extension All patches contain an internal timeout so in most cases the timeout does not need to be specified patchZR zoneranger upload timeout seconds patch_number timeout specifi...

Страница 315: ...ion about an uploaded patch from the indicated ZoneRanger If the patch information has not been retrieved within the specified timeout period the command will exit patchZR zoneranger listApplied timeo...

Страница 316: ...s the name of the input file containing portConfig information out indicates the name of the output file to write portConfig information portConfig copy can be used for the following To copy the conte...

Страница 317: ...ates the name of the output file to write portConfig information port config name specifies the name of the port config ruleset transport specifies the protocol of ICMP UDP or TCP rg port specifies th...

Страница 318: ...cified text file If no input file is specified the active portConfig table is used If no output file is specified the resulting configuration is automatically copied to the active portConfig table If...

Страница 319: ...me transport rg port port config name specifies the name of the port config ruleset transport specifies the protocol of ICMP UDP or TCP rg port specifies the destination port associated with the incom...

Страница 320: ...2 SQL ZoneRangerDefault UDP 161 SNMP ZoneRangerDefault ICMP portControl portControl zoneranger list portName setting zoneranger specifies the name of the ZoneRanger list displays the current port sett...

Страница 321: ...he name of the input file containing portMap information out indicates the name of the output file to write portMap information portMap copy can be used for the following To copy the content of the ac...

Страница 322: ...g rule The portMap remove subcommand can be used to remove one or more rules from the active portMap table or from an offline file The src address and optional dest address and port config name parame...

Страница 323: ...read input from the active portMap table or from a specified text file If no input file is specified the active portMap table is used Otherwise the specified input file is used portMap clear f portMap...

Страница 324: ...dest address ZoneRanger port config name ZoneRangerDefault rule src address dest address port config name Default port map The portMap commands that read configurations i e copy add remove merge list...

Страница 325: ...map as well as the configurations setting of the Proxy Map service The proxyMap command is organized as a set of subcommands each of which supports different parameters and options Most proxyMap subco...

Страница 326: ...the copy If no output file is specified the input configuration is automatically copied to the active proxy map If an output file is specified the input configuration is written to the specified file...

Страница 327: ...the matching rg address and zoneranger values is removed If no matching entries are found the input configuration will be unchanged The proxyMap remove subcommand can read input from the active proxy...

Страница 328: ...l as entries where the rg address value is a matching address pattern The proxyMap list subcommand can read input from the active proxy map or from a specified text file If no input file is specified...

Страница 329: ...number greater than or equal to the number of DMZ devices to which proxy requests may be directed via this Ranger Gateway proxyMap test rg address The proxyMap test subcommand performs a query on the...

Страница 330: ...s All elements where the rg address value is an address pattern are listed last in the order in which they were originally created Note that there is a slight difference to the way that the proxyMap a...

Страница 331: ...is not specified the install_dir backup directory will be used Only a backup of the same Ranger Gateway version may be restored The nostart option causes the Ranger Gateway to NOT restart after the ba...

Страница 332: ...roup rgvi add client subcommand specifies which OpenVPN clients may connect to the RGVI service on the Ranger Gateway rgvi remove client client address client address indicates the set of OpenVPN clie...

Страница 333: ...0 0 255 10 1 10 0 255 255 255 0 rgvi remove route client address subnet subnet client address indicates the set of OpenVPN client addresses to which to remove routes subnet indicates the subnet or ind...

Страница 334: ...name of the zoneranger to perform the service dump i nfo reports the status of the service dump s top stops the service dump t arget performs a targeted service dump servicedump generates a file conta...

Страница 335: ...variable binding 1 2 3 1 0 Test 1 snmpRequest p V1TRAP v 1 c public Ce 1 2 3 Cg 6 Cs 42 ZR500 162 1 2 3 1 0 s Test 1 sqlQuery sqlQuery zoneranger s separator tables cols tablename sql_query zoneranger...

Страница 336: ...web interface or the uploadConfig command to upload the converted trap definitions trapXmlValidator trapXmlValidator trap_definitions_xml_file trap_definitions_xml_file is a trap definitions xml styl...

Страница 337: ...configuration This is used for ZoneRanger communications Option 3 Remove trusted messaging subject trustedSSL removeMessagingSubject number index number specifies the index number of the trusted mess...

Страница 338: ...e specified file to the Ranger Gateway configuration Option 9 Remove trusted certificate authority trustedSSL removeCa number indices number specifies the index number of the trusted subject as return...

Страница 339: ...nger specifies the name of the ZoneRanger uploadTftpFile uploads a file to the ZoneRanger TFTP directory viewIcmpLatency viewIcmpLatency zoneranger ipAddress1 ipAddressN zoneranger specifies the name...

Страница 340: ...hich provide application specific functionality in ZoneRanger Separately licensed features are distributed by Tavve as ZoneRanger patches Each Tavve license patch is specific to the ZoneRanger upon wh...

Страница 341: ...ough a Ranger Gateway to the HP OM server in the secure network The HP OM server responses will be proxied through the Ranger Gateway and ZoneRanger back to the HP OM agents HP OM Certificates HP OM a...

Страница 342: ...and HP OM servers and the ZoneRanger The Trusted Certificate Authorities section defines which certificates will be trusted The certificate will be verified with one of the configured Certificate Aut...

Страница 343: ...agents need to communicate One or more Ranger Gateways may be used to reach a particular management application server in this case HP OM server The Ranger Gateways may be installed on the HP OM serv...

Страница 344: ...is specified as a destination ZoneRanger will attempt each destination until it can successfully proxy the request Once ZoneRanger determines a successful management application server destination it...

Страница 345: ...stinations Each HP OM Proxy Rule has a set of Destination Management Application Servers which are paths to HP OM Servers The Management Application Server may either be a joined Ranger Gateway as ind...

Страница 346: ...HP OM proxy traffic based on the statistics recorded by the ZoneRanger Specific ZoneRanger statistics are also available on the View Statistics page when viewing the TCP Proxy service A Status Indicat...

Страница 347: ...ort Basically the ZoneRanger will appear to be the Web server to the Web File agents The ZoneRanger will then proxy those requests through a Ranger Gateway to the Web server in the secure network The...

Страница 348: ...d space The star special character represents one or more valid filename characters The special characters list the possible single valid characters For example a c would be valid either an a b or c T...

Страница 349: ...le agents need to communicate One or more Ranger Gateways may be used to reach a particular management application server in this case Web server The Ranger Gateways may be installed on the Web server...

Страница 350: ...tination until a proxy request fails Web File requests received by a ZoneRanger and Web File responses sent by a ZoneRanger can be written to a log file called log webFileProxy log This log can be vie...

Страница 351: ...nt Application Server may either be a joined Ranger Gateway as indicated by a preceding RG or a path to a Management Application Server as configured on the Configuration Ranger Gateway page Mgmt App...

Страница 352: ...ffic based on the statistics recorded by the ZoneRanger Specific ZoneRanger statistics are also available on the View Statistics page when viewing the TCP Proxy service A Status Indicator in the Activ...

Страница 353: ...ent of Tavve Software Co products This MIB document is supplied AS IS and Tavve Software Co makes no warranty either express or implied as to the use operation condition or performance of the MIB ZONE...

Страница 354: ...numeric version as well as SP level if set tscZRInformation 1 tscZRModel OBJECT TYPE SYNTAX DisplayString MAX ACCESS read only STATUS current DESCRIPTION A textual description of the ZoneRanger model...

Страница 355: ...tem memory in kilobytes tscZRInformation 9 tscZRPatchStatusTable OBJECT TYPE SYNTAX SEQUENCE OF TscZRPatchStatusEntryEntry MAX ACCESS not accessible STATUS current DESCRIPTION This conceptual table co...

Страница 356: ...atewayTable OBJECT TYPE SYNTAX SEQUENCE OF TscZRRangerGatewayEntryEntry MAX ACCESS not accessible STATUS current DESCRIPTION This conceptual table contains a list of Ranger Gateways tscZRInformation 1...

Страница 357: ...sible STATUS current DESCRIPTION This conceptual table contains a list of forwarded UDP data tscZRForwardStats 1 tscZRForwardStatsEntry OBJECT TYPE SYNTAX TscZRForwardStatsEntry MAX ACCESS not accessi...

Страница 358: ...sponses tscZRSnmpProxyStats 2 tscZRSnmpProxyDiscards OBJECT TYPE SYNTAX Counter32 MAX ACCESS read only STATUS current DESCRIPTION The count of SNMP proxy requests discarded One possible reason is requ...

Страница 359: ...IPTION The ZoneRanger Information Group tscZRGroups 1 tscZRMessagingGroup OBJECT GROUP OBJECTS tscZRMessagesDiscarded tscZRMessagesExternalReceived tscZRMessagesExternalSent STATUS current DESCRIPTION...

Страница 360: ...ZRVerifyDown Sent after ZoneRanger reports that a root cause node is down tscZRVerifyUp Sent after ZoneRanger reports that a device is again up after being verified down Test trap Trap Description tsc...

Страница 361: ...at all interfaces on a node are down tscZRNodeMarginal Sent after ZoneRanger determines that some interfaces on the node are down and some interfaces on the node are up tscZRNodeUnknown Sent after Zon...

Страница 362: ...eported node tscZRNodeDeleted Sent by ZoneRanger to report that it deleted the reported node tscZRNodeMerged Sent by ZoneRanger to report that it merged two hostnames tscZRSysContactChanged Sent by Zo...

Страница 363: ...in the chain tscDataDiodeSubtendingVMActivat ionExpiring The ZoneRanger detected a subtending ZoneRanger activation that will soon expire tscDataDiodeSubtendingVmNotActi vated The ZoneRanger detected...

Страница 364: ...cket tscServiceDegraded A ZoneRanger or Ranger Gateway service is degraded tscServiceFailed A ZoneRanger or Ranger Gateway service failed tscSnmpProtocolViolation The ZoneRanger detected SNMP protocol...

Страница 365: ...ain applications such as SSH proxy its overall usefulness tends to be somewhat limited given the number of prevalent management applications that do not provide built in support SOCKS shims can be use...

Страница 366: ...ansport i e UDP in this case and destination port associated with the datagram and uses the Proxy Access Control tables to determine whether the datagram should be forwarded to a managed device and if...

Страница 367: ...on the same server the IP address aliases can usually be added to the server s loopback interface For example consider the network shown in the following figure Figure D 1 IP Address Aliasing In this...

Страница 368: ...agement application server routing table in the figure above could be simplified by configuring a single subnet route 10 10 1 0 24 10 2 1 2 provided that the there are no devices with addresses in the...

Страница 369: ...atic routing rules in management servers where applicable Another concern is that operating systems may limit the number of IP address aliases that can be defined As a result this technique may not be...

Страница 370: ...ject This initial SSL configuration is provided so that ZoneRangers and Ranger Gateways are able to communicate right out of the box In environments where a high degree of security is required it is r...

Страница 371: ...rustSSL command on the Ranger Gateway first add the distinguished name identified in the SSL certificate which was installed on the ZoneRanger by using the Add trusted subject option The default Subje...

Страница 372: ...are joined and will remain the same while the ZoneRanger and Ranger Gateway remain joined If they are unjoined and then joined later the ports may change Using Ranger Gateway to access and query the Z...

Страница 373: ...each joined ZoneRanger For example suppose the listTcpPorts command returned SSH port 20014 and the Telnet port 20015 for a particular ZoneRanger You would access that ZoneRanger s text interface thro...

Страница 374: ...id passcode is entered a shell prompt appears The customer then has operating system level access to the ZoneRanger This level of access remains active until the technician access session is exited Zo...

Страница 375: ...H environment variable on Linux and Solaris systems Ranger Gateway requires at least 256MB of RAM In order for the Ranger Gateway software to start properly it must be possible for the software to ide...

Страница 376: ...installer Uninstalling Ranger Gateway on Linux and Solaris To uninstall the Ranger Gateway software on Linux and Solaris systems run the following command install_dir UninstallerData Uninstall_Tavve_...

Страница 377: ...ty for non global zones to manage network routes the Ranger Gateway GVI will not install in non global zones In order for the Ranger Gateways installed in the non global zones to use GVI in a Solaris...

Страница 378: ...ed via one or more ZoneRangers in the same manner as locally intercepted traffic e g via GVI So the end result is an application layer proxy firewall with a VPN based front end as opposed to a simple...

Страница 379: ...wing web page http www blastwave org jir blastwave fam Once pkgutil has been installed you can install OpenVPN by simply executing the following command opt csw bin pkgutil pkgutil install openvpn The...

Страница 380: ...list of Ranger Gateway candidates as described above In addition you will need to modify the rgviClient conf file to indicate that the rgviClientNoPassword key key file should be used because there is...

Страница 381: ...n download the OpenVPN source code and build install using the configure convention as described in the Linux Notes without RPM section on the following web page http www openvpn net index php open so...

Страница 382: ...service on the Ranger Gateway by verifying that the IP address associated with RGVI client is listed in the output of the following command executed on the Ranger Gateway server usr tavve gateway bin...

Страница 383: ...ng and managing Linux services Information describing this utility can be found at the following URLs http linuxcommand org man_pages chkconfig8 html http www netadmintools com art94 html Microsoft Wi...

Страница 384: ...server RangerGatewayInstallDir bin rgvi status Running the OpenVPN Client as a Windows Service If you prefer to run the OpenVPN client as a Windows service copy the following files from the rgvi direc...

Страница 385: ...ort as shown in the following figure 4 The welcome page for the Certificate Import Wizard will be displayed Read the information on the welcome page then click the Next button The File to Import page...

Страница 386: ...ormation Exchange pfx p12 from the Files of type drop down list then select the rgviClientWindowsService p12 file as shown in the following figure 6 Click the Open button The File to Import page will...

Страница 387: ...e Certificate Import Wizard page will be displayed Click the Finish button A confirmation dialog will be displayed indicating that the import was successful Click the OK button The Local Computer Acco...

Страница 388: ...les with this extension should be deleted renamed to have a different extension or moved to a different directory To start the OpenVPN service open the Services control panel tool located in the Admin...

Страница 389: ...atus of the OpenVPN service by looking in the log file at the following location C Program Files OpenVPN log rgviClientWindowsService log If OpenVPN started and connected to the Ranger Gateway success...

Отзывы:

Нет отзывов

Похожие инструкции для zoneranger

Proventia Network GX4004

Бренд: IBM Страницы: 3

Бренд: IBASE Technology Страницы: 16

Бренд: Palo Alto Страницы: 14

Firebox SOHO 6 Wireless

Бренд: Watchguard Страницы: 10

Бренд: AhnLab Страницы: 120

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды