HPE Moonshot 45Gc Manuals
Manuals and User Guides for HPE Moonshot 45Gc. We have 1 HPE Moonshot 45Gc manual available for free PDF download: Security Configuration Manual
HPE Moonshot 45Gc Security Configuration Manual (540 pages)
Switch Module
Brand: HPE | Category: Control Unit | Size: 5.36 MB
Table of Contents
Table of Contents
3
Configuring AAA
14
Overview
14
RADIUS
15
HWTACACS
19
LDAP
22
AAA Implementation on the Device
24
AAA for MPLS L3VPNs
26
Protocols and Standards
26
RADIUS Attributes
27
FIPS Compliance
29
AAA Configuration Considerations and Task List
30
Configuring AAA Schemes
31
Configuring Local Users
31
Configuring RADIUS Schemes
35
Configuring HWTACACS Schemes
46
Configuring LDAP Schemes
53
Configuring AAA Methods for ISP Domains
56
Configuration Prerequisites
56
Creating an ISP Domain
56
Configuring ISP Domain Attributes
56
Configuring Authentication Methods for an ISP Domain
57
Configuring Authorization Methods for an ISP Domain
58
Configuring Accounting Methods for an ISP Domain
59
Enabling the Session-Control Feature
60
Configuring the RADIUS DAE Server Feature
61
Setting the Maximum Number of Concurrent Login Users
61
Configuring a NAS-ID Profile
62
Displaying and Maintaining AAA
62
AAA Configuration Examples
63
AAA for SSH Users by an HWTACACS Server
63
Local Authentication, HWTACACS Authorization, and RADIUS Accounting for SSH Users
64
Authentication and Authorization for SSH Users by a RADIUS Server
66
Authentication for SSH Users by an LDAP Server
69
Troubleshooting RADIUS
74
RADIUS Authentication Failure
74
RADIUS Packet Delivery Failure
74
RADIUS Accounting Error
75
Troubleshooting HWTACACS
75
Troubleshooting LDAP
75
802.1X Overview
77
802.1X Architecture
77
Controlled/Uncontrolled Port and Port Authorization Status
77
802.1X-Related Protocols
78
Packet Formats
78
EAP over RADIUS
79
802.1X Authentication Initiation
80
802.1X Client as the Initiator
80
Access Device as the Initiator
80
802.1X Authentication Procedures
81
Comparing EAP Relay and EAP Termination
81
EAP Relay
82
EAP Termination
83
Configuring 802.1X
85
Access Control Methods
85
802.1X VLAN Manipulation
85
Authorization VLAN
85
Guest VLAN
87
Auth-Fail VLAN
88
Critical VLAN
89
Using 802.1X Authentication with Other Features
91
ACL Assignment
91
User Profile Assignment
92
EAD Assistant
92
Configuration Prerequisites
92
802.1X Configuration Task List
93
Enabling 802.1X
93
Enabling EAP Relay or EAP Termination
94
Setting the Port Authorization State
94
Specifying an Access Control Method
95
Setting the Maximum Number of Concurrent 802.1X Users on a Port
95
Setting the Maximum Number of Authentication Request Attempts
95
Setting the 802.1X Authentication Timeout Timers
96
Configuring the Online User Handshake Feature
96
Configuration Guidelines
96
Configuration Procedure
97
Configuring the Authentication Trigger Feature
97
Configuration Guidelines
97
Specifying a Mandatory Authentication Domain on a Port
98
Setting the Quiet Timer
98
Enabling the Periodic Online User Reauthentication Feature
99
Configuring an 802.1X Guest VLAN
99
Configuration Guidelines
99
Configuration Prerequisites
100
Configuration Procedure
100
Enabling 802.1X Guest VLAN Assignment Delay
100
Configuring an 802.1X Auth-Fail VLAN
101
Configuration Guidelines
101
Configuration Prerequisites
102
Configuration Procedure
102
Configuring an 802.1X Critical VLAN
102
Configuration Guidelines
102
Configuration Procedure
103
Enabling 802.1X Critical Voice VLAN
103
Configuration Prerequisites
103
Configuration Procedure
104
Sending 802.1X Protocol Packets out of a Port Without VLAN Tags
104
Specifying Supported Domain Name Delimiters
104
Configuring the EAD Assistant Feature
105
Displaying and Maintaining 802.1X
106
802.1X Authentication Configuration Examples
106
Basic 802.1X Authentication Configuration Example
106
Guest VLAN and Authorization VLAN Configuration Example
108
802.1X with ACL Assignment Configuration Example
111
802.1X with EAD Assistant Configuration Example
112
Troubleshooting 802.1X
115
EAD Assistant for Web Browser Users
115
Configuring MAC Authentication
116
Overview
116
User Account Policies
116
Authentication Methods
116
VLAN Assignment
116
ACL Assignment
118
User Profile Assignment
119
Periodic MAC Reauthentication
119
Configuration Prerequisites
119
Configuration Task List
119
Enabling MAC Authentication
120
Specifying a MAC Authentication Domain
120
Configuring the User Account Format
121
Setting MAC Authentication Timers
121
Enabling MAC Authentication Offline Detection
122
Setting the Maximum Number of Concurrent MAC Authentication Users on a Port
122
Enabling MAC Authentication Multi-VLAN Mode on a Port
123
Configuring MAC Authentication Delay
123
Enabling Parallel Processing of MAC Authentication and 802.1X Authentication
124
Configuration Restrictions and Guidelines
124
Configuration Procedure
124
Configuring a MAC Authentication Guest VLAN
125
Configuring a MAC Authentication Critical VLAN
125
Enabling the MAC Authentication Critical Voice VLAN
126
Configuration Prerequisites
126
Configuration Procedure
127
Configuring the Keep-Online Feature
127
Including User IP Addresses in MAC Authentication Requests
127
Displaying and Maintaining MAC Authentication
128
MAC Authentication Configuration Examples
128
Local MAC Authentication Configuration Example
128
RADIUS-Based MAC Authentication Configuration Example
130
ACL Assignment Configuration Example
132
Configuring Portal Authentication
136
Overview
136
Extended Portal Functions
136
Portal System Components
136
Portal System Using the Local Portal Web Server
138
Interaction between Portal System Components
138
Portal Authentication Modes
139
Portal Authentication Process
139
Portal Configuration Task List
141
Configuration Prerequisites
142
Configuring a Portal Authentication Server
143
Configuring a Portal Web Server
143
Enabling Portal Authentication on an Interface
144
Configuration Restrictions and Guidelines
144
Configuration Procedure
144
Referencing a Portal Web Server for an Interface
145
Controlling Portal User Access
145
Configuring a Portal-Free Rule
145
Configuring an Authentication Source Subnet
146
Configuring an Authentication Destination Subnet
147
Setting the Maximum Number of Portal Users
148
Specifying a Portal Authentication Domain
148
Enabling Outgoing Packets Filtering on a Portal-Enabled Interface
149
Configuring Portal Detection Features
149
Configuring Online Detection of Portal Users
149
Configuring Portal Authentication Server Detection
150
Configuring Portal Web Server Detection
151
Configuring Portal User Synchronization
152
Configuring the Portal Fail-Permit Feature
153
Configuring BAS-IP for Unsolicited Portal Packets Sent to the Portal Authentication Server
153
Applying a NAS-ID Profile to an Interface
154
Enabling Portal Roaming
155
Logging out Portal Users
155
Configuring the Local Portal Web Server Feature
155
Customizing Authentication Pages
156
Configuring a Local Portal Web Server
158
Displaying and Maintaining Portal
158
Portal Configuration Examples
159
Configuring Direct Portal Authentication
159
Configuring Re-DHCP Portal Authentication
166
Configuring Cross-Subnet Portal Authentication
170
Configuring Extended Direct Portal Authentication
172
Configuring Extended Re-DHCP Portal Authentication
175
Configuring Extended Cross-Subnet Portal Authentication
179
Configuring Portal Server Detection and Portal User Synchronization
182
Configuring Cross-Subnet Portal Authentication for MPLS L3VPNs
190
Configuring Direct Portal Authentication Using Local Portal Web Server
192
Troubleshooting Portal
195
No Portal Authentication Page Is Pushed for Users
195
Cannot Log out Portal Users on the Access Device
195
Cannot Log out Portal Users on the RADIUS Server
196
Users Logged out by the Access Device Still Exist on the Portal Authentication Server
196
Re-DHCP Portal Authenticated Users Cannot Log in Successfully
196
Configuring Port Security
198
Overview
198
Port Security Features
198
Port Security Modes
198
Configuration Task List
201
Enabling Port Security
201
Setting Port Security's Limit on the Number of Secure MAC Addresses on a Port
202
Setting the Port Security Mode
202
Configuring Port Security Features
203
Configuring NTK
203
Configuring Intrusion Protection
204
Configuring Secure MAC Addresses
204
Configuration Prerequisites
205
Configuration Procedure
205
Ignoring Authorization Information from the Server
206
Enabling MAC Move
206
Applying NAS-ID Profile to Port Security
207
Enabling the Authorization-Fail-Offline Feature
207
Displaying and Maintaining Port Security
208
Port Security Configuration Examples
208
Autolearn Configuration Example
208
userLoginWithOUI Configuration Example
210
macAddressElseUserLoginSecure Configuration Example
213
Troubleshooting Port Security
216
Cannot Set the Port Security Mode
216
Cannot Configure Secure MAC Addresses
217
Configuring Password Control
218
Overview
218
Password Setting
218
Password Updating and Expiration
219
User Login Control
220
Password Not Displayed in any Form
220
Logging
220
FIPS Compliance
221
Password Control Configuration Task List
221
Enabling Password Control
221
Setting Global Password Control Parameters
222
Setting User Group Password Control Parameters
223
Setting Local User Password Control Parameters
224
Setting Super Password Control Parameters
224
Displaying and Maintaining Password Control
225
Password Control Configuration Example
225
Network Requirements
225
Configuration Procedure
226
Verifying the Configuration
227
Managing Public Keys
229
Overview
229
FIPS Compliance
229
Creating a Local Key Pair
229
Distributing a Local Host Public Key
231
Exporting a Host Public Key
231
Displaying a Host Public Key
231
Destroying a Local Key Pair
232
Configuring a Peer Host Public Key
232
Importing a Peer Host Public Key from a Public Key File
232
Entering a Peer Host Public Key
232
Displaying and Maintaining Public Keys
233
Examples of Public Key Management
233
Example for Entering a Peer Host Public Key
233
Example for Importing a Public Key from a Public Key File
235
Configuring PKI
238
Overview
238
PKI Terminology
238
PKI Architecture
239
PKI Operation
239
PKI Applications
240
Support for MPLS L3VPN
240
FIPS Compliance
241
PKI Configuration Task List
241
Configuring a PKI Entity
241
Configuring a PKI Domain
242
Requesting a Certificate
244
Configuration Guidelines
244
Configuring Automatic Certificate Request
245
Manually Requesting a Certificate
245
Aborting a Certificate Request
246
Obtaining Certificates
246
Configuration Prerequisites
246
Configuration Guidelines
246
Configuration Procedure
247
Verifying PKI Certificates
247
Verifying Certificates with CRL Checking
247
Verifying Certificates Without CRL Checking
248
Specifying the Storage Path for the Certificates and CRLs
248
Exporting Certificates
249
Removing a Certificate
249
Configuring a Certificate-Based Access Control Policy
250
Displaying and Maintaining PKI
251
PKI Configuration Examples
251
Requesting a Certificate from an RSA Keon CA Server
251
Requesting a Certificate from a Windows Server 2003 CA Server
254
Requesting a Certificate from an OpenCA Server
257
Certificate Import and Export Configuration Example
260
Troubleshooting PKI Configuration
265
Failed to Obtain the CA Certificate
266
Failed to Obtain Local Certificates
266
Failed to Request Local Certificates
267
Failed to Obtain CRLs
267
Failed to Import the CA Certificate
268
Failed to Import a Local Certificate
269
Failed to Export Certificates
269
Failed to Set the Storage Path
270
Configuring IPsec
271
Overview
271
Security Protocols and Encapsulation Modes
271
Security Association
273
Authentication and Encryption
273
IPsec Implementation
274
Protocols and Standards
275
FIPS Compliance
275
IPsec Tunnel Establishment
275
Implementing ACL-Based IPsec
276
Feature Restrictions and Guidelines
276
ACL-Based IPsec Configuration Task List
276
Configuring an ACL
277
Configuring an IPsec Transform Set
277
Configuring a Manual IPsec Policy
279
Configuring an IKE-Based IPsec Policy
281
Applying an IPsec Policy to an Interface
284
Enabling ACL Checking for De-Encapsulated Packets
285
Configuring IPsec Anti-Replay
285
Configuring IPsec Anti-Replay Redundancy
286
Binding a Source Interface to an IPsec Policy
287
Enabling QoS Pre-Classify
287
Enabling Logging of IPsec Packets
288
Configuring the DF Bit of IPsec Packets
288
Configuring IPsec for IPv6 Routing Protocols
289
Configuration Task List
289
Configuring a Manual IPsec Profile
289
Configuring SNMP Notifications for IPsec
290
Displaying and Maintaining IPsec
291
IPsec Configuration Examples
292
Configuring a Manual Mode IPsec Tunnel for IPv4 Packets
292
Configuring an IKE-Based IPsec Tunnel for IPv4 Packets
294
Configuring IPsec for RIPng
297
Configuring IKE
301
Overview
301
IKE Negotiation Process
301
IKE Security Mechanism
302
Protocols and Standards
303
FIPS Compliance
303
IKE Configuration Prerequisites
303
IKE Configuration Task List
303
Configuring an IKE Profile
304
Configuring an IKE Proposal
306
Configuring an IKE Keychain
307
Configuring the Global Identity Information
308
Configuring the IKE Keepalive Feature
308
Configuring the IKE NAT Keepalive Feature
309
Configuring IKE DPD
309
Enabling Invalid SPI Recovery
310
Setting the Maximum Number of IKE SAs
310
Configuring SNMP Notifications for IKE
311
Displaying and Maintaining IKE
311
IKE Configuration Examples
312
Main Mode IKE with Pre-Shared Key Authentication Configuration Example
312
Verifying the Configuration
314
Troubleshooting IKE
314
IKE Negotiation Failed Because no Matching IKE Proposals Were Found
314
IKE Negotiation Failed Because no IKE Proposals or IKE Keychains Are Referenced Correctly
315
IPsec SA Negotiation Failed Because no Matching IPsec Transform Sets Were Found
316
IPsec SA Negotiation Failed Due to Invalid Identity Information
316
Configuring IKEv2
319
Overview
319
IKEv2 Negotiation Process
319
New Features in IKEv2
320
Protocols and Standards
320
IKEv2 Configuration Task List
320
Configuring an IKEv2 Profile
321
Configuring an IKEv2 Policy
324
Configuring an IKEv2 Proposal
324
Configuring an IKEv2 Keychain
326
Configure Global IKEv2 Parameters
327
Enabling the Cookie Challenging Feature
327
Configuring the IKEv2 DPD Feature
327
Configuring the IKEv2 NAT Keepalive Feature
327
Displaying and Maintaining IKEv2
328
IKEv2 Configuration Examples
328
IKEv2 with Pre-Shared Key Authentication Configuration Example
328
IKEv2 with RSA Signature Authentication Configuration Example
331
Troubleshooting IKEv2
336
IKEv2 Negotiation Failed Because no Matching IKEv2 Proposals Were Found
336
IPsec SA Negotiation Failed Because no Matching IPsec Transform Sets Were Found
336
IPsec Tunnel Establishment Failed
336
Configuring SSH
338
Overview
338
How SSH Works
338
SSH Authentication Methods
339
SSH Support for Suite B
340
Protocols and Standards
341
FIPS Compliance
341
Configuring the Device as an SSH Server
341
SSH Server Configuration Task List
341
Generating Local Key Pairs
341
Enabling the Stelnet Server
342
Enabling the SFTP Server
342
Enabling the SCP Server
343
Configuring NETCONF over SSH
343
Configuring User Lines for SSH Login
343
Configuring a Client's Host Public Key
344
Configuring an SSH User
345
Configuring the SSH Management Parameters
346
Specifying a PKI Domain for the SSH Server
347
Configuring the Device as an Stelnet Client
348
Stelnet Client Configuration Task List
348
Specifying the Source IP Address for SSH Packets
348
Establishing a Connection to an Stelnet Server
348
Establishing a Connection to an Stelnet Server Based on Suite B
350
Configuring the Device as an SFTP Client
351
SFTP Client Configuration Task List
351
Specifying the Source IP Address for SFTP Packets
351
Establishing a Connection to an SFTP Server
351
Establishing a Connection to an SFTP Server Based on Suite B
353
Working with SFTP Directories
354
Working with SFTP Files
354
Displaying Help Information
354
Terminating the Connection with the SFTP Server
355
Configuring the Device as an SCP Client
355
Establishing a Connection to an SCP Server
355
Establishing a Connection to an SCP Server Based on Suite B
357
Specifying Algorithms for SSH2
357
Specifying Key Exchange Algorithms for SSH2
358
Specifying Public Key Algorithms for SSH2
358
Specifying Encryption Algorithms for SSH2
358
Specifying MAC Algorithms for SSH2
359
Displaying and Maintaining SSH
359
Stelnet Configuration Examples
359
Password Authentication Enabled Stelnet Server Configuration Example
359
Publickey Authentication Enabled Stelnet Server Configuration Example
362
Password Authentication Enabled Stelnet Client Configuration Example
367
Publickey Authentication Enabled Stelnet Client Configuration Example
371
Stelnet Configuration Example Based on 128-Bit Suite B Algorithms
373
SFTP Configuration Examples
377
Password Authentication Enabled SFTP Server Configuration Example
377
Publickey Authentication Enabled SFTP Client Configuration Example
379
SFTP Configuration Example Based on 192-Bit Suite B Algorithms
383
SCP Configuration Examples
387
SCP Configuration Example with Password Authentication
387
SCP Configuration Example Based on Suite B Algorithms
389
NETCONF over SSH Configuration Example with Password Authentication
395
Network Requirements
396
Configuration Procedure
396
Verifying the Configuration
397
Configuring SSL
398
Overview
398
SSL Security Services
398
SSL Protocol Stack
398
FIPS Compliance
399
SSL Configuration Task List
399
Configuring an SSL Server Policy
399
Configuring an SSL Client Policy
401
Displaying and Maintaining SSL
403
Configuring IP Source Guard
404
Overview
404
Static IPSG Bindings
404
Dynamic IPSG Bindings
405
IPSG Configuration Task List
405
Configuring the IPv4SG Feature
406
Enabling IPv4SG on an Interface
406
Configuring a Static IPv4SG Binding
406
Configuring the IPv6SG Feature
407
Enabling IPv6SG on an Interface
407
Configuring a Static IPv6SG Binding
408
Displaying and Maintaining IPSG
409
IPSG Configuration Examples
409
Static IPv4SG Configuration Example
409
Dynamic IPv4SG Using DHCP Snooping Configuration Example
410
Dynamic IPv4SG Using DHCP Relay Configuration Example
411
Static IPv6SG Configuration Example
412
Dynamic IPv6SG Using DHCPv6 Snooping Configuration Example
413
Configuring ARP Attack Protection
415
ARP Attack Protection Configuration Task List
415
Configuring Unresolvable IP Attack Protection
415
Configuring ARP Source Suppression
416
Configuring ARP Blackhole Routing
416
Displaying and Maintaining Unresolvable IP Attack Protection
416
Configuration Example
417
Configuring ARP Packet Rate Limit
417
Configuration Guidelines
418
Configuration Procedure
418
Configuring Source MAC-Based ARP Attack Detection
418
Configuration Procedure
419
Displaying and Maintaining Source MAC-Based ARP Attack Detection
419
Configuration Example
419
Configuring ARP Packet Source MAC Consistency Check
420
Configuring ARP Active Acknowledgement
421
Configuring Authorized ARP
421
Configuration Procedure
421
Configuration Example (on a DHCP Server)
422
Configuration Example (on a DHCP Relay Agent)
423
Configuring ARP Detection
424
Configuring User Validity Check
425
Configuring ARP Packet Validity Check
425
Configuring ARP Restricted Forwarding
426
Enabling ARP Detection Logging
427
Displaying and Maintaining ARP Detection
427
User Validity Check and ARP Packet Validity Check Configuration Example
427
ARP Restricted Forwarding Configuration Example
429
Configuring ARP Scanning and Fixed ARP
430
Configuration Restrictions and Guidelines
431
Configuration Procedure
431
Configuring ARP Gateway Protection
431
Configuration Guidelines
431
Configuration Procedure
432
Configuration Example
432
Configuring ARP Filtering
433
Configuration Guidelines
433
Configuration Procedure
433
Configuration Example
433
Configuring ARP Sender IP Address Checking
434
Configuring MFF
436
Overview
436
Basic Concepts
437
MFF Operation Modes
437
MFF Working Mechanism
438
Protocols and Standards
438
Configuring MFF
438
Enabling MFF
438
Configuring a Network Port
438
Enabling Periodic Gateway Probe
439
Specifying the IP Addresses of Servers
439
Displaying and Maintaining MFF
440
MFF Configuration Examples
440
Manual-Mode MFF Configuration Example in a Tree Network
440
Manual-Mode MFF Configuration Example in a Ring Network
441
Configuring uRPF
443
Overview
443
uRPF Check Modes
443
uRPF Operation
443
Network Application
446
Configuring uRPF
446
Displaying and Maintaining uRPF
446
uRPF Configuration Example
447
Configuring Crypto Engines
448
Overview
448
Displaying and Maintaining Crypto Engines
448
Configuring FIPS
449
Overview
449
Configuration Restrictions and Guidelines
449
Configuring FIPS Mode
450
Entering FIPS Mode
450
Configuration Changes in FIPS Mode
451
Exiting FIPS Mode
452
FIPS Self-Tests
452
Power-Up Self-Tests
453
Conditional Self-Tests
453
Triggering Self-Tests
454
Displaying and Maintaining FIPS
454
FIPS Configuration Examples
454
Entering FIPS Mode through Automatic Reboot
454
Entering FIPS Mode through Manual Reboot
455
Exiting FIPS Mode through Automatic Reboot
457
Exiting FIPS Mode through Manual Reboot
457
Configuring User Profiles
459
Overview
459
Configuration Task List
459
Configuration Restrictions and Guidelines
459
Creating a User Profile
459
Configuring Parameters for a User Profile
460
Configuring QoS Parameters for Traffic Management
460
Displaying and Maintaining User Profiles
460
User Profile Configuration Examples
460
Local 802.1X Authentication/Authorization with QoS Policy Configuration Example
460
Configuring Attack Detection and Prevention
465
Overview
465
Attacks that the Device Can Prevent
465
Single-Packet Attacks
465
Scanning Attacks
466
Flood Attacks
467
TCP Fragment Attack
468
Login Dictionary Attack
468
Attack Detection and Prevention Configuration Task List
468
Configuring an Attack Defense Policy
469
Creating an Attack Defense Policy
469
Configuring a Single-Packet Attack Defense Policy
469
Configuring a Scanning Attack Defense Policy
470
Configuring a Flood Attack Defense Policy
471
Configuring Attack Detection Exemption
475
Applying an Attack Defense Policy to the Device
475
Disabling Log Aggregation for Single-Packet Attack Events
476
Configuring TCP Fragment Attack Prevention
476
Enabling the Login Delay
476
Displaying and Maintaining Attack Detection and Prevention
477
Attack Detection and Prevention Configuration Example
478
Network Requirements
478
Configuration Procedure
478
Verifying the Configuration
479
Configuring ND Attack Defense
482
Overview
482
Configuring Source MAC Consistency Check for ND Packets
482
Configuring Keychains
483
Overview
483
Configuration Procedure
483
Displaying and Maintaining Keychain
484
Keychain Configuration Example
484
Network Requirements
484
Configuration Procedure
484
Verifying the Configuration
486
Document Conventions and Icons
489
Conventions
489
Network Topology Icons
490
Support and Other Resources
491
Accessing Hewlett Packard Enterprise Support
491
Accessing Updates
491
Websites
492
Customer Self Repair
492
Remote Support
492
Documentation Feedback
492
Index
494