Avaya 3.7 User Manual


Report Wizard

The first Report wizard screen allows you to specify the objects you wish to include in the report. The available objects include:

IP Group

User

User Group

Device (security gateway)

VPN

To create a report using the report wizard:

1. Move to the Main Console.

2. Click Report to start the Report Wizard.

3. In the Report Contents portion of the screen, select the object types to be included in the report.

4. The Select All and Deselect All buttons are provided for convenience.

5. Click Next.

6. In the Show Report Title text box, type the report title.

7. Report format details including date and time, report title, author, page numbering, and the type font and font size.

8. The available font types are: Arial, Times Roman, and Helvetica. The available font sizes range from 8 points to 72 points.

9. Click Next.

10. Depending on the objects selected in the initial screen, each object is displayed as part of the report wizard.

11. Select the desired object groups to be included in the report.

Note:

The Summary button presents a single-screen overview of all the currently set report selections and options. Advanced users may wish to jump to this screen immediately.

12. Click Next.

13. Select additional information for the object group to be included in the report.

14. Click Next.

15. Click Finished when all report information has been selected.

16. You then have a choice of the output file type, HTML or PDF. The output file may be viewed on the screen, then sent to a printer if hardcopy is desired. Be sure you have an Adobe Acrobat reader to view the PDF file, or a web browser to view the HTML file.

Issue 4 May 2005 271

Monitoring your network

Generating the report

When you are satisfied with the report selections made, click on the Finished button to generate the report. The report window appears after a short pause. If a hardcopy is desired, you may save the report as a PDF or html file, then print from Acrobat or a browser (respectively).

Figure 84: Report Sample

272 Avaya VPNmanager Configuration Guide Release 3.7


Device diagnostics

Beginning with VPNmanager 3.7, device specific diagnostic reports can be retrieved from a security gateway running VPNos 4.6 or higher.

The device diagnostic capability allows the network administrator to run any of the available diagnostic reports from a central network management location.

Diagnostic reports provide convenient access to remote security gateways that can be used to troubleshoot common configuration problems.

The following diagnostic reports show internal network-related information for the security gateway that can be used to diagnose configuration and network problems.

Table 30: Diagnostic Reports

| Report Type | Description |
|---|---|
| General Diagnostics | |
| Routing Table | Shows information regarding how the network traffic flows within the network interfaces in the security gateway. |
| Flow Table | Shows secure traffic packet flow information for the VPN. |
| SA Table | Shows secure traffic security association information for the VPN. |
| Interface Table | Shows MAC address information for all network interfaces in the security gateway. |
| Interface Configuration | |
| Socket Table | Shows the active connection (UDP and TCP) state table of the security gateway. Each entry contains the IP address and port information for the connection. |
| Network Memory | Shows network memory usage information, and any errors that occur in network memory allocation. |
| System Memory | Shows the memory table for the kernel processes that are running in the security gateway. |
| Interrupts Stats | Shows the interrupt counters that the security gateway handles. |
| Firewall State | Shows information about each firewall rule configured in the security gateway. |
| Firewall Timers | Shows firewall timer information for the various IP protocols. |
| Process Table | Shows information about all user processes that are currently running in the security gateway. |
| Protocol Stats | Shows information about the network traffic that the security gateway handles. Information is presented according to the type of protocol. |
| Route Stats | Shows network routing table statistics. |
| System Stats | Shows statistics regarding system resources. |
| System State | Shows a snapshot of all system resources. |
| Security Processor Statistics | Shows the statistics for the Hifn chip. These statistics are only applicable for SG200, SG203, and SG208. |
| Flush Configuration | Deletes existing firewall, VPN, QoS, failover, SNMP, DNS relay, NAT, VoIP, remote access, and static routes configuration on the security gateway. The settings are returned to the factory defaults. Caution! Use this operation only as a last resort to recover lost administrator connectivity with the security gateway. |
| Reset Configuration to Factory Defaults | Deletes all existing configuration except the license. All configuration parameters are returned to the factory default configuration except for the license parameters. Unless the security gateway device is in an inconsistent state (that is, if the configd process is not running) the license parameter is also returned to the factory default setting. Caution! Use this operation only as a last resort to recover lost administrator connectivity with the security gateway. |

 

 


Chapter 11: Device management

From the VPNmanager Console, you can manage and check the status of the security gateways. This chapter describes:

Using the Management tab to change administrative passwords and set up SSH and Telnet to connect to a security gateway

Using the Connectivity tab to ping the security gateway

Using the Device Actions tab to reboot the device, set the device time and import a device configuration

Importing and exporting VPN configurations to a device

Exporting RADIUS

Using the Management tab

The Device>Management tab is used to set up the SSH/Telnet feature and to change the administrator’s password for the security gateway.

Setting Up SSH and Telnet

Beginning with VPNos 4.31, SSH (Secure Shell) and Telnet can be used to access the security gateway’s CLI. When you use SSH to transfer data, the entire log in session, including transmission of the password, is encrypted. If you use Telnet to communicate with the security gateway, data transfer is not encrypted.

You can turn on both SSH and Telnet, and you can specify the port to use and the allowed IP addresses that can access the security gateway. The default is the following:

SSH is enabled for Any network objects on the private zone; all other zones are disabled. Only the root and the monitor users can use SSH to access the security gateway.

Telnet is disabled on all zones.

Use the Device>Management tab to change the defaults and to configure or change the security gateway SSH/Telnet feature.

When you log in to the security gateway using either SSH or Telnet, the security gateway’s CLI interface is displayed. You can then use the CLI commands to troubleshoot the security gateway. To use CLI commands see the VPNos Configuration Guide.


Note:

To restrict access to hosts or networks, Firewall rules limit access from specific zones. See Appendix B: Firewall rules template on page 297.

To set up SSH or Telnet

1. Move to the Configuration Console window.

2. From the Icon tool bar, click Devices to list all security gateways in the Contents column.

3. From the Contents column, select the security gateway to configure for SSH or Telnet connection.

4. Click the Management tab, to bring it to the front. The SSH/Telnet page is displayed.

5. By default SSH is enabled and the port 22 is configured, and Telnet is disabled. Make the appropriate changes to enable or disable either or both of these and to change the port if required.

6. In the Allowed area, select Zones to set which zones can be used. The SSH/Telnet Zones Configuration dialog is displayed, and the zones that are configured are listed.

7. For SSH, by default, the private zone is allowed.

8. For Telnet, you must select a zone as all zones are disabled by default.

9. Move the zones from Blocked to Allowed. Click OK.

10. Select Networks, to configure the IP address to use to access the security gateway.

To add an IP address, click Add, enter the address and click OK.

To add network objects, from Available list, select the network object and click Move Left to the Allowed column. Click OK.

For SSH, by default Any is allowed.

11. Click Save and then click Update Devices to send the configuration change to the security gateway.
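A baseline check for the SSH/Telnet settings described above, as an added example that is not part of the Avaya manual. The dict layout, the zone name `public`, the severity labels and the 256-address threshold are assumptions made for illustration, since the manual does not describe an export format; the settings would be transcribed by hand from the Management tab.

```python
import ipaddress

def too_broad(entry, max_hosts):
    """True for 'Any' or an IP network with more than max_hosts addresses."""
    if entry.strip().lower() == "any":
        return True
    try:
        return ipaddress.ip_network(entry, strict=False).num_addresses > max_hosts
    except ValueError:
        return False  # a named network object; it cannot be sized here

def audit_mgmt_access(cfg, max_hosts=256):
    """Return (severity, service, message) tuples for risky settings."""
    findings = []
    for name in ("ssh", "telnet"):
        svc = cfg.get(name, {})
        zones = set(svc.get("zones", []))
        if not svc.get("enabled") or not zones:
            continue  # service is off, or no zone is allowed to reach it
        if name == "telnet":
            findings.append(("HIGH", name,
                f"enabled on {sorted(zones)}; data transfer is not encrypted"))
        extra = sorted(zones - {"private"})
        if name == "ssh" and extra:
            findings.append(("MEDIUM", name,
                f"allowed from zones beyond the default: {extra}"))
        broad = [n for n in svc.get("networks", []) if too_broad(n, max_hosts)]
        if broad:
            findings.append(("LOW", name, f"broad allowed networks: {broad}"))
    return findings

# Constructed samples. DEFAULTS mirrors the defaults stated in this section;
# CHANGED is a hypothetical gateway whose settings were loosened.
DEFAULTS = {
    "ssh": {"enabled": True, "zones": ["private"], "networks": ["Any"]},
    "telnet": {"enabled": False, "zones": [], "networks": []},
}
CHANGED = {
    "ssh": {"enabled": True, "zones": ["private", "public"],
            "networks": ["10.1.5.20", "10.0.0.0/8"]},
    "telnet": {"enabled": True, "zones": ["private"],
               "networks": ["192.168.10.0/24"]},
}

if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULTS), ("changed", CHANGED)):
        for finding in audit_mgmt_access(cfg):
            print(label, *finding)
```

Even the shipped defaults produce one low-severity finding, because SSH accepts Any network object on the private zone until the Networks list is narrowed.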

Changing device administrator’s passwords

The following security gateway administrators configure and monitor the security gateway.

Super user is the VPNmanager centralized management administrator. The VPNmanager super user has full read and write privileges to configure and monitor security gateways. The super user name and the password are entered from the VPNmanager console and are authenticated before VPNmanager is used to make configuration changes on the security gateway. For centralized management, the security gateway must have the Permit Centralized Management feature enabled. See the VPNos Configuration Guide for details.


Root is the login name for the security gateway administrator. The root administrator has full privileges to configure and maintain a specific security gateway network and user configuration.

Monitor is the login name for an administrator who can view the Inspect properties and monitor sub functions of the security gateway’s interface software. The monitor user has read-only permissions.

These administrators cannot be deleted but their passwords can be changed. Go to the Device>Management tab to change the passwords.

To reset the passwords

1. Move to the Configuration Console window.

2. From the Icon tool bar, click Devices to list all security gateways in the Contents column.

3. From the Contents column, select the security gateway that requires the administrator passwords reset.

4. Click the Management tab, to bring it to the front.

5. Select Reset Password to see the configuration reset buttons. You can reset the super user, root user or monitor user password.

6. Click Reset for the administrator user that should be changed. The Reset Password dialog is displayed.

7. Enter the new password. The password must be a minimum of six characters.

8. Click OK. The new password is automatically reset on the security gateway.

Using the Connectivity tab

The Device>Connectivity tab provides basic communications testing. You can ping between the VPNmanager workstation and a security gateway, or between the VPNmanager and an address or DNS server.


Figure 85: The Connectivity tab for a security gateway Object

Two methods for testing the connectivity of a security gateway are:

Ping between the VPNmanager workstation and a security gateway

Proxy ping, which has been initiated by the VPNmanager, from a security gateway to any node.

A ping between the VPNmanager workstation and a security gateway is useful for verifying that the security gateway is powered on and operational, and that an IP network connection from the VPNmanager workstation to the security gateway exists.

The Ping This Device button initiates a clear text (non-VPN traffic) ping from the VPNmanager workstation to the security gateway.

Check connectivity by ping

To execute this ping:

Select a security gateway from the Contents list, then click on the Ping This Device button.

The ping results are displayed in the Ping Results window.

The Ping Results window indicates that connectivity to the security gateway’s IP address is being checked.

A result of “<IP address of security gateway> is alive” indicates a reply was received from the IP address of this security gateway.

A result of “security gateway unreachable” indicates no reply was received.


To directly ping a specific security gateway:

1. Move to the Configuration Console window.

2. From the Contents column, select the security gateway that you want to ping.

3. Click the Connectivity tab to bring it to the front.

4. Click Ping This Device to start the ping.

5. Information about the ping appears in the Ping Results text box.

Check Connectivity by Proxy Ping

Ping this Address/DNS name: Enter the IP address or DNS name.

Results are displayed in the Proxy Ping Results window.

To proxy ping a specific security gateway:

1. Move to the Configuration Console window.

2. From the Contents column, select the security gateway that you want to ping.

3. Click the Connectivity tab to bring it to the front.

4. In the Ping IP Address/DNS Host Name, type in an address or host name of the proxy.

5. Click Proxy Ping to start the ping.

6. Information about the ping appears in the Ping Results text box.

Using the Device Actions tab

The Device Actions tab is used to perform basic functions on the security gateway. Basic functions include Update Configuration, Reset Device Time, Reboot Device, Re-setup device, Import Configuration, and Ethernet Speed.

Note:

The Import Configuration and Ethernet Speed features are visible only on some models.


Figure 86: The Actions tab for a security gateway Object

Update Configuration

When changes are made to a Device Object, use the Update Configuration button to send the changes from the server to a specific security gateway.

Reset Device Time

Click Reset Time to synchronize the security gateway and VPNmanager workstation to Greenwich Mean Time.

Reboot Device

To restart a security gateway at any time, click Reboot. (A Cold Start alarm is logged by VPNmanager and any other trap targets specified.) Note that any existing VPN connections are dropped and are re-established following the security gateway reboot sequence.

Reboot should normally not be necessary except when fundamental configuration changes (such as changing the security gateway’s IP address) are made.

The time for the reboot process to complete varies with each security gateway series. The VSU-1200/7500 series takes up to approximately two minutes, during which VPN connections through this security gateway are down. For this reason, security gateway reboots should be performed during scheduled maintenance whenever possible.
