Summary of Contents for Force10 P-Series 100-00055-01
P-Series Installation and Operation Guide Version 2.3.1.2 May 27, 2008 PN: 100-00055-01...
In the interest of improving internal design, operational function, and/or reliability, Force10 Networks reserves the right to make changes to products described in this document without notice. Force10 Networks does not assume any liability that may occur due to the use or application of the product(s) described herein.
Preface Objectives This document provides installation and operation instructions for the P-Series P10 appliance. Audience This guide is intended to be used by network engineers. The P10 is a Unix-based product that runs rule management software based on Linux and FreeBSD. As such, understanding how to operate the appliance requires a basic knowledge of Unix, including the vi editor.
Information Symbols. Warning/Danger: This symbol warns you that improper handling and installation could result in bodily injury. Before you work on this equipment, be aware of electrical hazards, and take appropriate safety precautions. Caution: This symbol informs you that improper handling and installation could result in equipment damage or loss of data.
Chapter 1 Figure 1 P-Series P10 Appliance (Front View): E0 & E1, IP ADDRESS DISPLAY, KEYBOARD. Figure 2 P-Series P10 Appliance (Rear View): AC POWER RECEPTACLE, MAIN POWER. Label...
Label Description (Power Button) This button turns the appliance on and off. Press and hold the button to turn off the appliance. (Laser Warning) This label in the bottom right corner of the appliance indicates that the appliance is a Class 1 laser product that emits invisible laser radiation.
Step Task Review the system specifications and ensure that your operating and storage conditions meet the stated requirements. Connect the power cable, a keyboard, and a monitor to the appliance. Connect the LAN 1 port on the appliance to the local area network where DHCP is available. If a DHCP server is not available, an IP address can be assigned manually;...
Booting During booting you can select the OS of your choice. The management ports are configured for DHCP and probe for an IP address, gateway, and name server. The IP address is displayed on the LCD screen. When the appliance is powered up, all packets are forwarded between its ports by default until the firmware and device drivers are loaded.
Warning: Stop all traffic from flowing through the appliance, and disconnect all cables from the XFPs before proceeding. Step Task Save earlier configuration files and firmware by copying the directory /usr/local/pnic to the home directory. Create a new sub-directory in the home directory for the upgrade package.
Step Task Re-compile all rules firmware with the new compiler located in the directory pnic-compiler. Command: cd upgrade_directory/pnic-compiler; gmake. Install pre-compiled firmware if needed. Command: cd upgrade_directory/firmware; gmake install. Installation...
Chapter 2 To begin inspecting and filtering traffic you must: 1. Select firmware and dynamic rules 2. Set capture/forward policies 3. Check for proper operation by generating traffic across the appliance. Step Task As root, enter the command pnic gui from the Unix command line to invoke a graphical user interface (GUI).
Chapter 3 The P-Series P10 Intrusion Detection and Prevention System (IDS/IPS) appliance employs Dynamic Parallel Inspection (DPI) technology. It uses a Multiple Instruction Single Data (MISD) massively parallel processor that executes thousands of security policies or traffic capture operations on the same data stream at the same time.
Figure 3 illustrates how all matched packets are copied and transmitted by mirror ports. Note: Mirroring is automatically enabled when the mirroring port is connected to another network device. Mirroring is not controlled through the CLI. Figure 3 Logic Diagram of Traffic Flow in the P10 DPI Mirror 0 Mirror 1 Types of Rules...
Firmware is a set of rules that has been transformed—using a compiler—from Snort syntax into a form suitable for uploading to the FPGA. Two sets of sample rules files have been compiled into firmware and are available to be uploaded to the FPGA using either of two firmware management methods (see Management”...
Inline Deployment Use the P-Series for inline traffic inspection in IPS or firewall applications at 10-Gigabit line rate (Figure • For IPS deployment, no special configuration is needed; the P-Series is in inline IPS mode by default. • For a firewall deployment, enable drop mode (see Figure 4 P-Series Inline Deployment Internet...
Highly-available Deployment Use optical bypass switches with the P-Series for a highly-available, redundant deployment, as shown in Figure 6. Both the appliances have the same configuration so that in the event of a power failure on one device, the other continues to operate, and the detection engine remains intact. In the event that both devices experience a power failure, the traffic continues to flow through the bypass switches.
Figure 8 Passive Deployment with Aggregation using a Network Tap (10-Gigabit). Figure 9 Passive Deployment with Aggregation using a SPAN port (10-Gigabit). Capturing Matched Traffic P-Series supports capturing matched traffic for analysis. ...
Capturing to a Host CPU Captured traffic can be sent to a host CPU through a libpcap library interface, where it can be made available to applications for analysis. A typical implementation provides IDS/Snort acceleration because of the hardware assist. Figure 10 Capturing Matched Traffic via the libpcap Interface Use the P-Series in an integrated security monitoring solution through the management port.
Mirroring to Another Device Mirror captured traffic out of the 1-Gigabit mirroring ports to use the P-Series as an IDS accelerator or as part of an integrated security monitoring solution. Figure 12 Creating an IDS Accelerator with the P-Series (PB-10GE-2P; ports M1, P1, P0, M0; traffic to monitor and matched traffic)...
Chapter 4 The GUI can be used to: • Start and stop the DPI • Load firmware • Compile and load dynamic rules • Manage the runtime parameters • Manage the capture/forward policies for rules Note: Using the GUI requires the super user privilege. To invoke the GUI: Step Task...
GUI Commands From the Runtime Statistics display, you can enter commands to control the DPI (see command from the GUI command line). Figure 13 Runtime Statistics - FPGA Unloaded CPU(s): 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle N/A/1 FlowTimeout=16 Note: GUI commands that require a subsequent value entry have the current value displayed in...
Table 3 GUI Commands Command Description Brings the OS network interface up and enables matching. This is similar to the command s, but it does not load/reload the driver. It is only valid after the command s has been executed. Toggles the direct memory access (DMA) off and on to enable or disable capturing to the host, respectively.
Table 4 Managing Rules Using the GUI Option Edit Rules Manage Rules Manage Firmware Table 5 describes the four possible combinations of capture/forward policies. Table 5 Capture/Forward Policies Policy Permit Deny Alert Divert Editing Dynamic Rules with the GUI Dynamic rules are stored in the file rules.custom in the /usr/local/pnic/0 directory. The GUI provides a quick way to access and modify these rules by invoking the vi editor on this file.
To modify dynamic rules: Step Task Enter the m command from the GUI command line (see main rule management GUI (see Select Edit Rules to invoke the vi editor (see Add, delete, alter, or uncomment rules using vi commands (see You are prompted to confirm your changes upon exiting the editor.
Figure 16 Managing Capture/Forward Policies GUI Figure 17 Capture/Forward Policies GUI Selecting Firmware with the GUI Firmware is a set of rules that has been transformed—using a compiler—from Snort syntax into a form suitable for uploading to the FPGA. Graphical User Interface...
To select firmware: Step Task Enter the m command from the GUI command line (see rule management GUI. Select Manage Firmware (see Use the arrow keys to highlight the desired firmware and the Select option, and press the Enter key. See “Firmware Filename Description”...
The remaining lines report the cumulative number of events and the rate of those events. A description of each line is given in Table Figure 19 Runtime Statistics for Channel 0 and 1—FPGA Loaded CPU(s): 0.0% user, Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on HW Interfaces CH0 Top...
Table 6 Runtime Statistics Description Statistic Description Total Packets Shows the number of packets received by the ports. This is a Layer 1 statistic and is independent of whether the OS interface is up or down. TCP/UDP/ICMP/Other Reports the type of packets received during matching. Other includes all non-IP types and all IP types other than TCP, UDP, and ICMP.
Chapter 5 You can manage and monitor the P-Series on the web using the Force10 Networks P-Series Node Manager. Note: The web-based GUI is supported on Linux only, which is the default OS, and requires software version 2.3.0.0 or newer.
Note: Stop the secure HTTP service using the command pnic web-gui-stop (see Appendix A, on page 79). Figure 21 Launching the P-Series Node Manager Web-based Management...
Web-browser Security Certificates The P-Series Node Manager client and the server communicate via HTTPS. All transactions are encrypted, and thus protected, by the SSL protocol. The SSL certificate is a self-signed certificate that is not signed by a trusted Certificate Authority (CA). While trying to launch the P-Series Node Manager, your web browser might display an alert indicating that the security certificate was not issued by a trusted CA, or a similar warning (Figure...
Monitoring System Performance Monitor system performance from the Home panel in Node Manager (Figure 23). It displays basic system information, card, interface, and resource information, as well as CPU and memory usage over time. Figure 23 P-Series Node Manager: Home Panel.
Managing Firmware Images Manage the software image from the Image Management panel, which provides options for compiling and deleting an image. It displays a list of available images along with the currently applied image and its details. Figure 24 P-Series Node Manager: Image Management Panel Managing the Network Interface Card Manage the network interface card from the Card Management panel.
Managing Policies Manage policies from the Policy Management panel (Figure 26). The Policy Management panel provides you with a list of the static and dynamic rules available for the currently running image. It also has the provision for adding, modifying, and deleting dynamic rules. P-Series Installation and Operation Guide, version 2.3.1.2...
Chapter 6 A key aspect of network security deployment is the ability to monitor the network for security events, analyze them, and perform counter measures. To that end, the P-Series supports Sguil, an open source network security monitoring and reporting system that provides the ability to: •...
Note: You can download the server and client Sguil components directly from the Sguil website at sguil.sourceforge.net/index.html. The solution uses a number of components which must be installed. For your convenience, a simplified install package is provided on the Force10 Networks support website; please see the instructions in the remainder of this chapter.
Step Task Source the server configuration file. The default parameters in this file may be changed. Compile and build the Sguil server package. Use the logging option to collect debugging information during compilation and redirect standard output and errors to a log file.
Step Task Configure the following parameters in the file sguil.conf: • Enable (1) or disable (0) the debug option • Set the browser path. • Set the Wireshark application path. • Set the TLS library path, as shown in • Set priority levels of the alert window.
Running the Sguil System Running the Sguil Sensor Start the Sguil sensor using the command pnic sguil-sensor-start, specify the Sguil server, and confirm the action, as shown in Figure 29. Figure 29 Starting the Sguil Sensor root@# pnic sguil-sensor-start Enter the IP address of the Sguil-Server:192.16.130.246 *********************************************** INTERFACE NAME SGUIL-SERVER IP-ADDRESS : 192.16.130.246 ***********************************************...
• The rule file you are using should be referenced in the snort.conf file. A sample rule file under the rules directory is already added and commented out in snort.conf. • Log files are stored in the installation sub-directory .../nsm/sguil/logs. • When adding new rules to the file sample.rules, uncomment the line “include sample.rules” in the file snort.conf.
Running the Sguil Client To run the Sguil Client: Step Task Open sguil.tk using the Wish application. A window appears, as shown in Specify the IP address of the Sguil server, and your username and password. Select the sensors to monitor (click “Select All” to monitor all sensors), and click “Start SGUIL” (Figure 32).
Figure 32 Selecting the Sensor to Monitor When the Sguil client starts and the client is properly connected to the Sguil server, the window in Figure 33 appears. Figure 33 Accepting Events from the Sensor Network Security Monitoring...
Chapter 7 The command line interface (CLI) is an alternative to the GUI for managing the appliance. A script called pnic is used to perform the same management functions as the GUI. Invoke the pnic script using the command syntax in this chapter; the OS environment variables are set such that this command can be executed from any path.
This feature can be enabled per channel. When MAC rewrite is enabled, the P10 appliance classifies the incoming traffic into one of 256 hash buckets to determine the value to be written to the LSB of destination MAC address. A hash function based on the source and destination IP addresses is used to calculate an 8-bit index for each incoming packet.
Removing VLAN Tags The P-Series can strip the VLAN tag from incoming packets before they exit the egress port. Enable the feature using the command pnic vlan-remove-enable. If an incoming packet is untagged, it is not changed. View the enable state of this feature using the command ...
Chapter 8 The P-Series Network Interface Card Compiler (pnic-Compiler) produces user-defined firmware for the appliances. The user-defined input is a set of signature-based rules in Snort syntax, and compilation directives. The output of the compiler is a Xilinx bit file and ASCII mapping files that map specified signatures to internal configuration registers.
Table 8 Compiler Configuration Options Compilation Option Target Device Match non-IP Traffic Match Fragmented IPv4 Packets or IPv4 Packets w/ Options Rules File Dynamic Rules meta.rules Description Choose the model of your appliance. The P10 requires type PB-10G-2P (see • Answering Yes to this option matches packets that are not IPv4.
Table 8 Compiler Configuration Options Compilation Option Segmentation Evasion Rules Maximum String Firmware Name Confirmation Description The pnic-Compiler prepends a set of fixed rules—called evasion.rules—located in the pnic-compiler/rules directory. The rules help detect attacks which use strategic TCP segmentation to avoid detection.
Figure 35 pnic-Compiler Option 1-6 root@# gmake Makefile:2: mtp_configuration: No such file or directory bin/getparams2.sh Please choose the target device 1) PB-10G-2P #? 1 Do you want to support matching of non IPv4 and non IPv6 packets (like ARP/IPX etc)? 1) Yes 2) No #? 2...
Figure 36 pnic-Compiler Option 6-7 Channel 1 Dynamic rules Please choose how many dynamic rules (5-20 recommended) Dynamic rules are rules that can be added without recompiling the firmware. They can be added at runtime through the UI Dynamic rules only work for Ipv4 traffic for now 1) 0 5) 20 9) 60 13) 100 17) 180 21) 260 25) 340 2) 2...
Figure 37 pnic-Compiler Option 8-9 Please choose the maximum number of bytes per signature (1024 recommended). Selecting a small number allows larger sets of signatures at the expense of more false positives. 1) 16 2) 32 3) 64 4) 96 5) 128 6) 256 7) 512...
Configuration and Generated Files Table 9 describes the files that are used or generated by the pnic-Compiler. Table 9 Configuration and Generated Files File pnic_*.bit pnic_*.mapping <firmware_filename>.bit <firmware_filename>.mapping pnic_*.bin pnic_*.custmapping rules.custom Description Generated after compiling static rules. They are then renamed and copied to /usr/local/pnic/firmware.
Firmware Filenames The pnic-Compiler creates new firmware — in the .bit files and eight .mapping files. The default firmware filenames follow a naming convention designed to identify three properties: • The appliance that can use it • The number of dynamic rules •...
Chapter 9 P-Series rule syntax is based on Snort. Both rule structures are described in this chapter. • Snort Rule Syntax on page 63 • P-Series Rule Syntax on page 66 Snort Rule Syntax Snort rules are descriptions of traffic plus a prescribed action that is taken if a packet matches that description.
pass • directs Snort to ignore the packet. activate • directs Snort to generate an alert and activate another specified rule. dynamic • directs Snort to disregard the rule until it is activated by another rule. Once activated, the action defaults to log. Note: The default actions for the P-Series are different from Snort.
Ports Port numbers may be specified by the keyword any, a single port number, ranges, and by negation. any specifies any port. Static ports are indicated by a single port number, for example, 23 for Telnet. Port ranges can be specified using a colon as a range operator. It can be applied in three ways, as shown by Table Table 15 Rules Containing the Port Number Range Operator log udp any any ->...
Destination Address and Port The destination address and port follow the direction operator. The syntax of these parameters is the same as for the source address and port. See Snort Rule Options Options are made of a keyword and an argument. An argument is the packet data against which the rule is matched.
Table 19 Supported Snort Keywords for Static and Dynamic Rules Keyword depth dsize flags flow fragbits fragoffset icmp_id icmp_seq icode ip_proto itype offset nocase protocol source address destination address source port destination port uricontent window within Static ICMP, UDP, TCP, IP Yes, no negative.
Writing Stateful Rules Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors across multiple matching events. State transitions in the P-Series follow a non-cyclic pattern; no state transitions may erase any of the previous states. New state transitions are simply recorded via a non-destructive, additive operation.
Pre-match Condition — the S Value The value in register C must have all the bits specified by s set. In other words, if the result of the logical “AND” of register C and s equals s, the signature is allowed to trigger. Otherwise the signature is not triggered. Therefore value s is the pre-match bit pattern.
When a packet is stored in either Temporary Memory or Match Memory, a pointer to the previously stored packet in the same flow is kept with it (contained in a portion of the flow register C). A packet in Match Memory may reference another packet stored in Temporary Memory, which in turn may reference more packets, thus forming a linked list of partial matches, starting with a packet stored in Match Memory.
You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a packet in Match Memory — thus alerting the host — if three consecutive packets are seen with size between 0 and 100. The third packet references the previous two stored in Temporary Memory.
The start of the state machine is prompted by a SYN; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than 0 but less than 20 is detected;...
Anomalous TCP Flags Some TCP packets with anomalous flags are captured by default to provide scan detection software diagnosis information. Table 24 TCP Packets with Anomalous Flags alert on c0 tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;) alert on c0 tcp any any ->...
Chapter 10 Deploying the P-Series as a Firewall By default the P-Series is an IDS/IPS system; it forwards all traffic and blocks packets only if they match a rule. You can deploy the P-Series as a limited firewall by enabling Drop mode. In Drop mode, the P-Series blocks all traffic by default and forwards traffic only if it matches a rule.
Enabling the Firewall Enable Drop mode using the command pnic default-drop-enable; disable it using pnic default-drop-disable (Figure 39). Figure 39 Enabling and Disabling Drop Mode [root@localhost ~]# pnic default-drop-disable No device number specified. Assuming device 0 *** Disabling Default-Packet-Drop on card:0 successful! *** Temporary memory enabled. [root@localhost ~]# pnic default-drop-enable No device number specified.
Allowing Traffic through the Firewall To allow packets through the firewall you must write rules so that packets that you want the appliance to forward match those rules. Rules can be as simple as allowing traffic destined to a port. Stateful rules can be used to allow all traffic for an established connection.
Table 25 Sample Firewall Rules #permit: let through and do not log to the host #alert: let through and log to the host #deny: DO NOT let through and do not log to the host #divert: DO NOT let through and log to the host # S:<precondition>;...
Appendix A The command line interface (CLI) is an alternative to the GUI for managing the appliance. A script called pnic is used to perform the same management functions as the GUI. Invoke the pnic script using the commands in this chapter; the OS environment variables are set such that these commands can be executed from any path.
• pnic showconf on page 108 • pnic show-firmwares on page 108 • pnic showtech on page 109 • pnic start on page 110 • pnic stop on page 111 • pnic temp-mem-disable on page 112 • pnic temp-mem-enable on page 112 •...
Related Commands pnic aggregate-mode-enable. pnic aggregate-mode-enable Receive both client-to-server and server-to-client traffic on one port. This is the default behavior. Syntax pnic aggregate-mode-enable Disable aggregate mode using the command pnic aggregate-mode-disable. Parameters number Command History Version 2.3.0.0 Example Figure 41 pnic aggregate-mode-enable Command Example [root@localhost SW]# pnic aggregate-mode-enable No card number specified.
Parameters number Command History Version 2.3.0.0 Example Figure 42 [root@localhost SW]# pnic apply-firmware No card number specified. Assuming card 0 Do you really want to apply a new firmware for card0 (y/n)? y Please enter the path or name of the firmware to apply: /usr/local/pnic/firmware/null.xc4vlx200-ff1513.50.50.2048 Compiling dynamic rules for pnic0 Parsing the dynamic rules for channel0...
pnic capture-off Disable the capturing of packets via direct memory access (DMA). Syntax pnic capture-off Parameters number Command History Version 2.3.0.0 Example Figure 44 [root@localhost SW]# pnic capture-off root@# pnic macrewrite-on 0 No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Capture OFF set successful.
Example Figure 45 pnic capture-on Command Example root@# pnic macrewrite-on 0 [root@localhost SW]# pnic capture-on No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Capture ON set successful. *** Enabling MAC rewrite on card:0 channel:0 is successful! [root@localhost SW]# Related pnic capture-off...
pnic compilerules Transform the dynamic Snort rules contained in /usr/local/pnic/0/rules.custom into binary code suitable for the DPI processor. Syntax pnic compilerules [number] Parameters number Command History Version 2.0.0.1 Example Figure 47 pnic compilerules Command Example [root@localhost SW]# pnic compilerules No card number specified. Assuming card 0 Compiling dynamic rules for pnic0 Parsing the dynamic rules for channel0 Parsing the dynamic rules for channel1...
Example Figure 48 [root@localhost SW]# pnic default-drop-disable No card number specified. Assuming card 0 *** Disabling Default-Packet-Drop on card:0 successful! *** Temporary memory enabled. *** Flow teardown disabled. [root@localhost SW]# pnic default-drop-enable Enable firewall functionality. Syntax pnic default-drop-enable Disable firewall functionality using the command pnic default-drop-disable. Parameters number Command...
Parameters number Command History Version 2.3.1.2; Version 2.0.0.1 Example Figure 50 [root@localhost pnic]# pnic diag No card number specified. Assuming card 0 Running PNIC diagnostic test needs to stop traffic matching. Do you want to proceed [n/y]? y Matching disabled. Test starting ... Waiting for matching to stop ...
pnic flow-teardown-disable Configure the appliance to reset the state of the flow only upon a timeout. This is the default behavior. Syntax pnic flow-teardown-disable Command History Version 2.3.1.2 Example Figure 52 [root@localhost SW]# pnic flow-teardown-disable No card number specified. Assuming card 0 *** Disabling Flow-Teardown on card:0 successful.
Example Figure 53 [root@localhost SW]# pnic flow-teardown-enable No card number specified. Assuming card 0 *** Enabling Flow-Teardown on card:0 successful. [root@localhost SW]# Usage Information The flow teardown feature is coupled with the firewall feature. When default drop mode is enabled (command pnic default-drop-enable) ... When default drop mode is disabled (pnic default-drop-disable) ... disabled by default.
Related Commands pnic macrewrite-on Enable MAC rewriting. pnic macrewrite-off Disable MAC rewriting. pnic updatemacvalue Update the LSB value for a particular hash index value. pnic gui Launch the graphical user interface. Syntax pnic gui Command History Version 2.0.0.1 Introduced Appendix A...
Example Figure 55 [root@localhost SW]# pnic gui CPU(s): Dev: 8002 - Type: PNIC-0 - FirmwareID: 64 - Ver:2.6 - DefaultDrop: disabled pnic0 UP Capture=on HW Interfaces Total Packets TCP Packets UDP Packets ICMP Packets Other Packets Capture Packets Total Flows Delayed Pkts Stateful Pkts Blocked Packets...
pnic help Display a list of all available commands, their syntax, and descriptions. Syntax pnic help Command History Version 2.3.0.0 Example Figure 56 [root@localhost SW]# pnic help No card number specified. Assuming card 0 Usage: pnic function_command <card_num> <channel_num> <force_options> pnic aggregate-mode-disable <0|...|5>...
pnic linkdown Disable the physical link. Syntax pnic linkdown [number] Enable a physical link using the command pnic linkup. Parameters number channel Command History Version 2.0.0.1 Example Figure 57 [root@localhost SW]# pnic linkdown No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Card 0, Channel 0 is down.
Parameters number channel Command History Version 2.0.0.1 Example Figure 58 [root@localhost SW]# pnic linkup No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 Card 0, Channel 0 is up. [root@localhost SW]# Related Commands pnic linkdown. pnic loadconf Upload the runtime configuration parameters contained in the file /usr/local/pnic/0/pnic.conf.
Example Figure 59 [root@localhost ~]# pnic loadconf No card number specified. Assuming card 0 Loading configurations ... Read from configuration file and apply to PNIC card... Registers on master FPGA: (0x10)0000 (0x14)0010 (0x18)0000 Registers on PCI FPGA: (0x18)0100 (0x24)20788 (0x28)20788 DMA Capture MAC rewrite Default Drop packet...
pnic loadeproms Load the PCI-X and front-end EEPROMs. Syntax pnic loadeproms [number] Parameters number Command History Version 2.0.0.1 Usage Information Use this command to upgrade PCI-X and front-end EEPROMs to new revisions. Reboot the chassis after executing this command; only then does new firmware take effect. Note: This process takes up to 30 minutes.
Example Figure 60 [root@localhost ~]# pnic loadparams No card number specified. Assuming card 0 Loading configurations... Read from configuration file and apply to PNIC card... (0x10)0000 (0x14)0010 (0x18)0000 (0x18)0100 (0x24)20788 (0x28)20788 DMA Capture Status: off MAC Rewrite state: CH0 - disabled; CH1 - disabled Default Drop Packet: disabled Temporary memory: disabled Aggregate mode: enabled...
Table 27 Loadparams Address Mapping Address Address 24 (PCI-X FPGA) Address 36 (PCI-X FPGA) pnic loadrules Upload to the FPGA the dynamic rules for both channels encoded in the files /usr/local/pnic/0/pnic_{0|1}.bin. Syntax pnic loadrules [channel] Parameters channel Command History Version 2.0.0.1 Example Figure 61...
pnic macrewrite-off Disable MAC rewriting. This is the default behavior. Syntax pnic macrewrite-off [number] [channel] Enable MAC rewriting using the command pnic macrewrite-on. Parameters number channel Command History Version 2.1.0.0 Example Figure 62 [root@localhost SW]# pnic macrewrite-off No card number specified. Assuming card 0 No channel number specified.
Parameters number channel Default MAC rewrite is disabled by default. The default value for the LSB is the system-assigned hash index value. Command History Version 2.1.0.0 Example Figure 63 [root@localhost SW]# pnic macrewrite-on No card number specified. Assuming card 0 No channel number specified.
Example Figure 64 [root@localhost SW]# pnic off root@# pnic macrewrite-on 0 No card number specified. Assuming card 0 No channel number specified. Assuming channel 0 *** Enabling MAC rewrite on card:0 channel:0 is successful! Capture OFF set successful. [root@localhost SW]# Usage Information Turning off capturing might be desirable during traffic mirroring or pure filtering applications...
pnic params Display the card interface name, device ID, and contents of the register on the PCI-X and Master FPGAs. Syntax pnic params [number] Parameters number Command History Version 2.0.0.1 Example Figure 66 [root@localhost SW]# pnic params No card number specified. Assuming card 0 PNIC 8002 pnic0 0xffff810000700000 20006 ********************** **** Configurations on Master FPGA *****************************...
Command History Version 2.3.0.0 Example Figure 67 pnic passive-mode-disable Command Example [root@localhost SW]# pnic passive-mode-disable No card number specified. Assuming card 0 Channel 0 and 1 are set to work in normal TX/RX mode. [root@localhost SW]# Related Commands pnic passive-mode-enable. pnic passive-mode-enable Configure the ports to only receive traffic.
pnic resetconf Reset the system configuration back to the default settings, which are located in <installation_directory>/SW/misc/pnic.conf. Syntax pnic resetconf Parameters number Command History Version 2.3.1.2 Example Figure 69 [root@localhost ~]# pnic resetconf No card number specified. Assuming card 0 Loading default configurations ... Read from configuration file and apply to PNIC card...
• Load the rule firmware • Load the capture/block configuration • Load the runtime parameters • Enable the network interface Note: Essentially, this command performs the command pnic stop followed by the command pnic start. Syntax pnic restart Command History Version 2.0.0.1 Example Figure 70...
Page 106
Syntax: pnic sguil-sensor-start
Stop the Sguil sensor using the command
Parameters
Command History: Version 2.3.0.0
Example (Figure 71):
[root@localhost pnic]# pnic sguil-sensor-start
Enter the IP address of the Sguil-Server:10.11.194.183
Do you want to enable secure connection between sguil-sensor and sguil-server?
1) Enable
2) Disable
#? 1...
Page 107
pnic sguil-sensor-stop
Stop the Sguil sensor.
Syntax: pnic sguil-sensor-stop
Start the Sguil sensor using the command
Parameters
Command History: Version 2.3.0.0
Example (Figure 72):
[root@localhost pnic]# pnic sguil-sensor-stop
Do you really want to stop the Sguil-sensor application (y/n)? y
LogPackets stopped successfully.
Trying to stop Pcap Agent
Stopped Pcap Agent successfully
Trying to stop Sancp Agent...
Page 108
pnic showconf
Display configuration parameters of the card.
Syntax: pnic showconf
Parameters: number
Command History: Version 2.0.0.1
Example (Figure 74):
[root@localhost ~]# pnic showconf
No card number specified. Assuming card 0
DMA Capture MAC rewrite Default Drop packet Temporary memory Aggregate mode PHY passive mode Flow teardown...
Page 109
Command History: Version 2.3.0.0
Example (Figure 75):
[root@localhost SW]# pnic show-firmwares
No card number specified. Assuming card 0
List of available firmware images:
null.xc4vlx200-ff1513.50.50.2048
snort_rules.bad.xc4vlx200-ff1513.20.20.2048
[root@localhost SW]#
Related Commands: pnic apply-firmware
pnic showtech
Display all technical data and configuration files for diagnostic and debugging purposes.
Syntax: pnic showtech
Parameters...
Page 110
Example (Figure 76):
[root@localhost pnic]# pnic showtech | more
No card number specified. Assuming card 0
************************************************************
Display date
************************************************************
Tue Apr 29 11:21:07 PDT 2008
************************************************************
Display OS version information
************************************************************
Linux localhost.localdomain 2.6.18-8.1.14.el5 #1 SMP Thu Sep 27 19:05:32 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
CentOS release 5 (Final)
************************************************************...
Page 111
Example (Figure 77):
[root@localhost SW]# pnic start
No card number specified. Assuming card 0
Interface pnic0 is down
Loading pass/block settings ... Done.
Loading dynamic rules ... Done.
***************************************
Interface pnic0 is up
MTU set to 9264 bytes
***************************************
Version : P_MAIN2.2.0.058
[root@localhost SW]#
Related Commands: pnic stop...
Page 112
pnic temp-mem-disable
Disable temporary memory.
Syntax: pnic temp-mem-disable [number]
Enable temporary memory using the command
Parameters: number
Command History: Version 2.3.0.0
Example (Figure 79):
[root@localhost SW]# pnic temp-mem-disable
No card number specified. Assuming card 0
*** Disabling temporary memory on card:0 successful.
[root@localhost SW]#
Related Commands: pnic temp-mem-enable...
Page 113
Example (Figure 80):
[root@localhost SW]# pnic temp-mem-enable
No card number specified. Assuming card 0
*** Enabling temporary memory on card:0 successful.
[root@localhost SW]#
Related Commands: pnic temp-mem-disable
pnic updatemacvalue
Specifies an LSB value for a particular hash index.
Syntax: pnic updatemacvalue [number]
Parameters: number...
Page 114
pnic vlan-remove-disable
Disable the VLAN Tag Remove feature.
Syntax: pnic vlan-remove-disable
Default: The VLAN Tag Remove feature is disabled by default.
Command History: Version 2.3.1.2
Usage Information: This feature is enabled and disabled on both sensing ports.
Example (Figure 82): pnic vlan-remove-disable Command Example
[root@localhost pnic]# pnic vlan-remove-disable
No card number specified.
Page 115
Syntax
Command History: Version 2.0.0.1
Example (Figure 84): pnic version Command Example
[root@localhost SW]# pnic version
Force10 Networks PNIC Software Version: P_MAIN2.2.0.058
[root@localhost SW]#
pnic web-gui-start
Start the web server.
Syntax: pnic web-gui-start
Disable the web server using the command...
Page 116
Common Name (FQDN or IP address of the P-Series box using which you access the web-gui application) [192.168.1.1]:10.11.194.184
Organization Name (company) [Force10 Networks Inc]:
Organizational Unit Name (department, division) [P-Series Security]:
Locality Name (city, district) [350 Holger way, San Jose]:...
Page 117
Example (Figure 86): pnic web-gui-stop Command Example
[root@localhost pnic]# pnic web-gui-stop
Do you really want to stop the web-gui application (y/n)? y
Web-gui application has been stopped!
[root@localhost pnic]#
Related Commands: pnic web-gui-start (Start the web server.)
Appendix B
Table 28 briefly describes the valid Snort keywords supported on the P-Series. For a more detailed explanation of these keywords, see the Snort website at node17.html.
Table 28 Description of P-Series Snort Keywords
Keyword  Description
Checks for a specific TCP acknowledgment number. number is a reference to a previously transmitted sequence number that is being acknowledged.
Page 120
Table 28 Description of P-Series Snort Keywords
Keyword  Description
flow  This keyword applies the rule to a specific traffic flow direction. The flow can be in one of two states:
• established: Trigger only on established TCP connections.
• stateless: Trigger regardless of the state of the...
Page 121
Table 28 Description of P-Series Snort Keywords
Keyword  Description
This keyword checks for the specified IP time-to-live value.
uricontent  Searches the normalized request URI field for the specified content. data_string can contain mixed text and binary data. Binary data is enclosed within pipe characters and is written in hexadecimal form.
Appendix C
The meta and evasion rules for Channel 0 and Channel 1 are the same. They are listed in Table 29.
Table 29 meta Rules for Channel 0 and Channel 1
meta Rules
alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)
alert tcp any any ->...
Appendix D Unix Commands
Table 31 Basic Unix Commands
Command  Description
cd path  Changes the current directory to the specified directory. The path specified can be an absolute path or a relative path:
grep text filename  Searches the specified file for a specified string of characters.
logout  Logs you out of the current session.
vi Commands
vi has two modes:
• Command Mode: In command mode, you enter commands that jump to points in a file, search for text, and exit the editor.
• Insert Mode: Insert mode allows you to create or alter text in a file.
Note: Commands are case sensitive.
Appendix E
ACK  An Acknowledgment packet (ACK) is a packet that is sent from the client to the server to complete a TCP connection. See SYN.
DHCP  Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically requests an IP address, subnet mask, and default gateway for a network client.
DMA  Direct Memory Access (DMA) is a method by which devices in a hardware system can transfer data without occupying the CPU.
Page 128
Snort  Snort is an open source network intrusion detection and prevention system that uses rules created with a special syntax to examine and control specified traffic.
SPAN Port  A Switched Port Analyzer (SPAN) Port is a switch port that receives a copy of specific traffic that passes through a switch.
If you do not have one, you can request one at the website:
1. On the Force10 Networks iSupport page, click the Account Request link.
2. Fill out the User Account Request form, and click Send. You will receive your userid and password by E-Mail.
Contacting the Technical Assistance Center
How to Contact Force10: Log in to iSupport at www.force10networks.com/support/, and select the Service Request tab.
Information to Submit When Opening a Support Case:
Managing Your Case: Log in to iSupport, and select the Service Request tab to view all open cases and RMAs.
Requesting a Hardware Replacement
To request replacement hardware, follow these steps:
Step  Task
Determine the part number and serial number of the component.
Request a Return Materials Authorization (RMA) number from TAC by opening a support case. Open a support case by: