OmniVista SafeGuard Manager Release 3.0
Administration Guide
PART NUMBER: 005-0034 REV A1
PUBLISHED: MARCH 2007
ALCATEL-LUCENT
26801 WEST AGOURA ROAD
CALABASAS, CA 91301 USA
(818) 880-3500
WWW.ALCATEL-LUCENT.
Alcatel-Lucent Proprietary
Copyright © 2007 Alcatel-Lucent. All rights reserved. This document may not be reproduced in whole or in part without the expressed written permission of Alcatel-Lucent. Alcatel-Lucent ® and the Alcatel-Lucent logo are registered trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
Contents

Preface
  About This Guide
    Intended Audience
    Guide Overview
  Conventions Used in This Guide

  Installing the OmniVista SafeGuard Manager Client
  Logging into the OmniVista SafeGuard Manager Client
  Connecting Over Firewall
Chapter 3: General Navigation
  Viewing Visualization Tables

Chapter 5: Device Configuration
  Managing Devices
    Checking a Device
    Adding a New Device
  Configuring Device Objects

Chapter 7: Managing the Server
  User Authentication
    Authentication Guidelines
  User Accounts
    Adding a New User
Preface
In this preface:
■ About This Guide
■ Conventions Used in This Guide
■ Related Documentation
About This Guide
This guide describes the OmniVista SafeGuard Manager command center features, including how to use and navigate through different views. This guide also provides detailed installation procedures for the server and client.
Intended Audience
The OmniVista SafeGuard Manager Administration Guide is for experienced network administrators who are responsible for installing, configuring, and maintaining the Alcatel-Lucent devices and OmniVista SafeGuard Manager command center.
Conventions Used in This Guide
This document uses the following conventions:
| Convention | Description |
| Italic | Italics are used the first time a glossary term is introduced, for the titles of books, and for menu items. |
| ■ Bulleted lists | Bulleted lists designate items of equal importance. |
| 1 Numbered lists | Numbered lists designate a specific sequence of steps required to complete a procedure. |
| Boldface type | Boldface type is used for button names. |
| Code | Code excerpts and command line sequences are shown in this type face. |
Related Documentation
■ OmniAccess SafeGuard Controller Installation Guide
  Describes the OmniAccess SafeGuard Controller. The guide provides detailed installation instructions and technical specifications for the OmniAccess SafeGuard Controller.
■ OmniAccess SafeGuard OS Administration Guide
  Provides concepts and configuration instructions for the major features of OmniAccess SafeGuard OS and its supported products, which includes End Point Validation (EPV), the integral component for using ICS.
Chapter 1: Getting Started
This section includes the following:
■ Overview
■ Key Features
■ Getting Started
■ Navigation
■ Viewing Tips
■ Modifying Your Password
■ Adding a Device
Overview
The OmniVista SafeGuard Manager command center provides centralized and easy-to-use management of one or more Alcatel-Lucent devices, enabling network administrators to perform basic configuration, management, and monitoring of several devices in a single interface.
■ Policy Creation Using Flows—Allows you to create policy filters from data available in an application flow.
■ CSV/HTML Report Generator—Allows you to create customized reports with server-side Scheduler; these reports can be e-mailed and printed easily.
■ Real-time Incident Dashboard—Displays total number of users, authenticated and unauthenticated, device health, and policy, posture, and malware incidents.
Getting Started
The OmniVista SafeGuard Manager command center has client and server components. The server runs on a Windows server system, and the client runs on a Windows client system using Internet Explorer. The client can be deployed directly from the server using the Java Web Start technology.
■ 2.8-GHz processor speed
■ 2 processors
NOTE: The appliance that ships from Alcatel-Lucent meets all these requirements.
OmniVista SafeGuard Manager Client Requirements
The OmniVista SafeGuard Manager client can be run on most Windows systems. Minimum requirements are:
■ One of the following Windows platforms:
  — Microsoft Windows Server 2000
  — Microsoft Windows Server 2003 (Enterprise or Standard)
  — Microsoft Windows XP Professional
■ 2.
Starting the Server
When you boot up the OmniVista SafeGuard Manager appliance, the OmniVista SafeGuard Manager server is started automatically. However, if you upgraded the software version or re-installed the software, you must manually start the server. For more information on installing, upgrading, or uninstalling, see Installation and Setup.
To manually start the server:
1 Use the Windows shortcut from the Start menu, Programs > OmniVista SafeGuard Manager > Start Server.
that the application is authored by Alcatel-Lucent and needs some privileges on your client system (Figure 1).
Figure 1 Security Warning
3 Click Start. A prompt appears asking if you want to create a shortcut on the desktop.
4 Select Yes to create a shortcut. If you select No, you can still launch the client using the URL from Step 2.
The client launches. See Logging In to the Client for information on login procedures.
Logging In to the Client
To log in to the client:
1 Launch the client using either of the following methods:
  — Double-click on the shortcut that was created on your desktop when you first installed the client.
  — Invoke from Internet Explorer by typing the URL (http://ip-address-ofOmniVistaSafeGuardManager-server).
4 Click Login. If you are logging in for the first time to the OmniVista SafeGuard Manager server, the Alcatel-Lucent License Agreement will be displayed. You must accept it to use OmniVista SafeGuard Manager.
NOTE: The license agreement is a one-time acknowledgement for each server and is not displayed again for this client, any other client, or this server.
The client is successfully launched, and the OmniVista SafeGuard Manager command center panel displays (Figure 3).
Navigation
When you log into the OmniVista SafeGuard Manager command center, a navigation panel displays that allows you to access the various features by simply clicking a button or using a menu item.
Menus
You can access the OmniVista SafeGuard Manager features by selecting menu commands that are located in the menu bar, which is the toolbar located at the top of the screen (Figure 4).
Page Bar
The OmniVista SafeGuard Manager Page Bar icons allow you to access the various features of OmniVista SafeGuard Manager while retaining the context as much as possible.
Table 1 Navigating within OmniVista SafeGuard Manager (continued)
| Page Bar Icon | Menu Sequence | Key Sequence | Displays View | Description |
| | View > Go To > Config Management | Shift + 1 | Config Management | Enables you to manage Alcatel-Lucent devices, view inventory, and perform minimal configuration of the device system and ports. |
| | View > Go To > Audit Logs | Shift + 2 | Audit Logs | Displays log entries that are relevant for auditing purposes. |
Viewing Tips
The following tips expedite your navigation through the OmniVista SafeGuard Manager panels and windows:
■ Buttons in the Action Bar are used to execute actions. Select a row and then click the action button. If an action is not applicable for the selected row, the corresponding button is disabled.
Modifying Your Password
The Account Management feature of OmniVista SafeGuard Manager allows an administrator to perform basic modifications to user accounts, such as adding users, changing passwords, and configuring dual-admin.
To modify your password:
1 Select Tools > OmniVista SafeGuard Manager Users > User Accounts... The Account Management window (Figure 5) displays.
Figure 6 Modify User Account Dialog Box
5 Modify the password, as needed, and click Modify Password.
6 Click Modify Account if you are changing the admin role or user information.
NOTE: For more information on adding a new user or the different types of user roles, see User Accounts.
Adding a Device
Before you can visualize any data, you need to add a device. For more information on device management, see Device Configuration.
Figure 7 New Device Dialog Box
4 Enter the following device attributes:
Table 2 Add Device Attributes
| Attribute | Description |
| IP Address | The Management IP address of the device. |
| SNMP Community String (Read) | Simple Network Management Protocol (SNMP) read community name that was configured when the device was initially set up. |
| SNMP Community (Read/Write) | SNMP read/write community name that was configured when the device was initially set up. |
| Name | Device name. |
NOTE: Make sure that the attributes are specified correctly; otherwise, adding a device fails with one of the following error messages: “Device unreachable,” “Device is not a Alcatel-Lucent device,” or “Unable to communicate with IP Address.”
5 Click OK to add the device.
4 Click Import From File to import a list of devices written in a specific format. For example:
#########################################################################
# Name: Device List File
# Purpose: For bulk device addition into OmniVista SafeGuard Manager
# Syntax of each line:
# ip,read,readwrite,name,region,building,enable-flow-collection-in-truefalse
#
# Example: 172.16.3.
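A device list in this format holds SNMP community strings in clear text, so it is worth checking before import. The following is an added example, not part of the guide or the product: it parses the seven-field line syntax shown above and reports malformed lines, duplicate addresses, and weak community choices. It assumes the last field is the literal `true` or `false`; the function names, field names, and sample lines are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Field order from the "Syntax of each line" comment in the guide's sample file.
FIELDS = ("ip", "read", "readwrite", "name", "region", "building", "flow")

# Widely used default SNMP community strings. Flagging them is this example's
# own policy, not a check the product is documented to perform.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample input (RFC 5737 documentation addresses, made-up names).
SAMPLE = """\
# constructed device list for the example
192.0.2.10,rd-7fQ2,rw-9xK4,sg-core-1,West,Bldg-A,true
192.0.2.11,public,private,sg-edge-1,West,Bldg-B,false
192.0.2.12,shared1,shared1,sg-edge-2,East,Bldg-C,true
192.0.2.300,rd,rw,bad-ip,East,Bldg-C,true
192.0.2.10,rd2,rw2,dup,West,Bldg-A,false
192.0.2.13,rd3,rw3,short,West
192.0.2.14,rd4,rw4,sg-edge-3,East,Bldg-D,yes
"""


@dataclass
class Device:
    ip: str
    read: str
    readwrite: str
    name: str
    region: str
    building: str
    flow: bool


def parse_device_list(text):
    """Return (devices, findings); findings are (line, severity, message).

    Messages never echo community strings, so the findings can be logged
    or pasted into a ticket without leaking them.
    """
    devices, findings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS):
            findings.append((lineno, "error",
                             f"expected {len(FIELDS)} fields, got {len(parts)}"))
            continue
        rec = dict(zip(FIELDS, parts))
        try:
            ip = str(ipaddress.ip_address(rec["ip"]))
        except ValueError:
            findings.append((lineno, "error", "invalid IP address"))
            continue
        flag = rec["flow"].lower()
        if flag not in ("true", "false"):
            findings.append((lineno, "error",
                             "flow-collection flag must be true or false"))
            continue
        if not rec["read"] or not rec["readwrite"]:
            findings.append((lineno, "error", "empty SNMP community field"))
            continue
        if ip in seen:
            findings.append((lineno, "error",
                             f"duplicate of IP on line {seen[ip]}"))
            continue
        seen[ip] = lineno
        # Weak-credential warnings: the line is still accepted.
        for key in ("read", "readwrite"):
            if rec[key].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "warning",
                                 f"{key} community is a well-known default"))
        if rec["read"] == rec["readwrite"]:
            findings.append((lineno, "warning",
                             "read and read/write communities are identical"))
        devices.append(Device(ip, rec["read"], rec["readwrite"], rec["name"],
                              rec["region"], rec["building"], flag == "true"))
    return devices, findings


if __name__ == "__main__":
    accepted, report = parse_device_list(SAMPLE)
    print(f"{len(accepted)} device(s) accepted")
    for lineno, severity, message in report:
        print(f"line {lineno}: {severity}: {message}")
```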
Chapter 2: Installation and Setup
This section includes the following:
■ Installing the OmniVista SafeGuard Manager Server
■ Upgrading the OmniVista SafeGuard Manager Server
■ Uninstalling the Server
■ Starting the Server
■ Shutting Down the Server
■ Installing the OmniVista SafeGuard Manager Client
■ Logging into the OmniVista SafeGuard Manager Client
■ Connecting Over Firewall
Installing the OmniVista SafeGuard Manager Server
To install the OmniVista SafeGuard Manager server:
1 Double-click the executable file (omnivista-safeguard-.exe). The Installation Wizard prepares Java Virtual Machine (JVM) and initializes the installation wizard. This could take a few seconds. After the initialization process is completed, the Welcome screen displays (Figure 9).
Figure 9 Installation Welcome Screen
2 Click Next.
Figure 10 Alcatel-Lucent License Agreement
3 Accept the licensing terms and click Next.
4 The Directory Location screen displays (Figure 11).
Figure 11 OmniVista SafeGuard Manager Alcatel-Lucent Installation Directory Location
5 Accept the default location to which the installation files will be downloaded for the Install Location, or click Browse to choose a different directory. The default location is C:\Alcatel-Lucent\OmniVistaSafeGuardManager.
6 If a previous version of OmniVista SafeGuard Manager already exists on your system, a warning is displayed and you are given an option to exit the installation.
7 Click Exit Installation to quit the installation process. Uninstall OmniVista SafeGuard Manager and then re-install.
8 If a previous version is not installed, click Next.
Upgrading the OmniVista SafeGuard Manager Server
When the appliance is shipped from Alcatel-Lucent, it comes pre-installed with OmniVista SafeGuard Manager. To upgrade, you need to uninstall OmniVista SafeGuard Manager and then re-install it. For more information on installing, upgrading, and uninstalling the server, see Installation and Setup.
WARNING: When you upgrade the OmniVista SafeGuard Manager server, the existing database and reports are overwritten.
6 Follow the on-screen prompts using default options.
7 After the installation is completed, you have to start the OmniVista SafeGuard Manager server. For more information on starting the server, see Starting the Server.
Uninstalling the Server
To uninstall the server:
1 From the Start menu, click Programs > OmniVista SafeGuard Manager > Uninstall > Uninstall OmniVista SafeGuard Manager. The Welcome screen displays (Figure 14).
Figure 15 Uninstallation Summary
3 Install asks you if you want to delete backup and data directories. Select No if you want to save the data.
Figure 16 Delete Data Directory
4 Follow the on-screen prompts to uninstall the server. The uninstall wizard stops the server and database, cleans the log files, and begins the uninstallation process. The status is displayed in a console window.
Starting the Server
When you boot up the OmniVista SafeGuard Manager appliance, the OmniVista SafeGuard Manager server is started automatically. However, if you upgraded the software version or re-installed the software, you must manually start the server.
To manually start the server:
1 Use the Windows shortcut from the Start menu, Programs > OmniVista SafeGuard Manager > Start Server. A GUI window displays.
Installing the OmniVista SafeGuard Manager Client
The OmniVista SafeGuard Manager client is based on Java Web Start technology, allowing you to install the client automatically over the network with a single click.
NOTE: If the client machine has a JRE version that is earlier than 1.5, then the client is automatically upgraded to JRE 1.5.
To install the client:
1 Launch Internet Explorer.
NOTE: Currently, only Internet Explorer version 6.0 or higher is supported.
Figure 17 Security Warning
3 Click Start. A prompt appears asking if you want to create a shortcut on the desktop.
4 Select Yes to create a shortcut. If you select No, you can still launch the client using the URL from Step 2.
The client launches. See Logging into the OmniVista SafeGuard Manager Client for information on login procedures.
Logging into the OmniVista SafeGuard Manager Client
To log into the client:
1 Launch the client using either of the following methods:
  — Double-clicking on the shortcut that was created on your desktop when you first installed the client.
  — Invoking from Internet Explorer by typing the URL (http://ip-address-ofOmniVistaSafeGuardManager-server).
4 Click Login. If you are logging in for the first time to the OmniVista SafeGuard Manager server, the Alcatel-Lucent License Agreement displays. You must accept it to use OmniVista SafeGuard Manager.
NOTE: The Alcatel-Lucent license agreement is a one-time acknowledgement for each server and is not displayed again for this client, any other client, or this server.
The client is launched and the dashboard is displayed (Figure 19).
Connecting Over Firewall
If a firewall exists between the OmniVista SafeGuard Manager client and the OmniVista SafeGuard Manager server, or between the OmniVista SafeGuard Manager server and the SafeGuard OS device, certain ports must be opened for successful deployment. Table 4 lists the ports that must be open:
Table 4 Ports that must be open for successful deployment
| When connecting... | Ports that need to be open... |
Chapter 3: General Navigation
This section includes the following:
■ Viewing Visualization Tables
■ Choosing Columns in a Table
■ Searching and Sorting
■ Exporting and Printing Data
■ Using the Status Bar
Viewing Visualization Tables
Visualization allows administrators to track what a user is doing, what applications are being used, and what is being done to a network. Such tracking is useful for forensic and postmortem purposes, that is, for debugging and ensuring that the network is performing at its optimum and there are no threats to the network. SafeGuard collects this data and periodically pushes it in tabular format to OmniVista SafeGuard Manager as visualization data.
Figure 20 Table View (Users)
Viewing Table Data
To view table data:
1 Use the Action Bar buttons to navigate from one type of table view to another. See Viewing Visualization Tables for more information on different table views.
2 Use the scroll buttons at the top of the table to scroll through the data, one page at a time, previous page, next page, first page, or last page.
| Attribute | Description |
| Time Range | From the dropdown list, choose a time for which you want to view table data. The following values are available: |
Time Filter
■ Current Hour—displays incidents for the current hour
■ Last Hour—displays incidents for the last hour
■ Current Day—displays incidents for the current day
■ Last Day—displays incidents for the day before
■ Previous Day—displays incidents for the previous 24 hours.
Navigating between Different Table Views
The single-window design in OmniVista SafeGuard Manager lets you navigate from one view to another with a single click of a button. Figure 21 below shows the different views to which you can navigate from a given table view. For example, from the User view you can use the Action Bar buttons to access Posture Incidents, Malware Incidents, Policy Incidents, Applications, and Application Instances.
Choosing Columns in a Table
OmniVista SafeGuard Manager allows you to choose and set the order in which you view the columns in a given table view. These settings are remembered in Windows for each user and are applied when you visit the same table again. However, you can reset the column order to its default value at any given time. From the menu bar, select Tools > Client Settings > Reset Views >.
Table 6 Column Editor Buttons (continued)
| Button Name | Function |
| Hide | Select a column in the Displayed Columns panel and click Hide to remove it from the display list. This will hide the column from the table view. |
| Hide All | Select Hide All to hide all the columns from the table view. |
| Top | Select a column in the Display Columns panel and click Top to move the selected column to the top of the list. This will be the first column displayed in your table view. |
Searching and Sorting
Most of the visualization tables display a maximum of 1,000 rows. When the number of rows that exist in the database is more than can be displayed in a window, page navigation buttons are shown in the top-right corner of the screen (Figure 23).
NOTE: If you increase the page size from 1,000 rows, data retrieval may take longer.
Searching Table Data Locally
To search table data locally:
1 Select View > Go To > Users (or any other menu item, or click an icon from the Page Bar to get to a table view). In a table view, click the Find icon. A free-form text search field displays (Figure 24).
Figure 24 Free-Form Search Fields
2 Enter a keyword on which to base the search.
Sorting Table Data Locally
To sort the table data locally:
1 In table view, click on a column header.
Searching and Sorting Data in the Entire Database
Most table columns allow search and sort on the database; however, certain columns do not have this functionality.
To search and sort the database on the server:
1 In a table view, click the Find icon. A search panel displays (Figure 24).
2 Click Database Search. The column headers now have search fields and sort buttons (Figure 25).
5 Click OK. Your search criteria are applied.
6 Click on the sort button (Figure 25) to apply the sort criteria for that column. You can apply multi-level sorts. The numbers on the sort buttons signify the sorting order. A sort can be applied in either an ascending or a descending order. If you want to reset the sort order, double-click a column to make it the primary sort and reset all other columns.
Using the Status Bar
The status bar displays the progress of an action, for example, when you synchronize a device or retrieve data, and when there are any alarms or infections on a device (Figure 27).
Figure 27 Status Bar
The small green icon in the right corner of the status bar has a tooltip that displays the current OmniVista SafeGuard Manager Server Health parameters. A sample display of current values using the tooltip is shown below.
Chapter 4: Visualization
This section includes the following:
■ Overview
■ Dashboards
■ Configuring Dashboards
■ Viewing Visualization Data
■ Viewing Time-based Data
Overview
Network visualization is the ability to determine detailed information about what users are doing in the network. Data collected during visualization is aggregated and maintained in a relational database using a set of tables (see Table 10 for more information on the kind of data collected). By having the events be user-based, network visualization allows an administrator to monitor data in a manner that presents the data in a drillable and easily digestible format.
Dashboards
The OmniVista SafeGuard Manager command center comes with three pre-defined real-time dashboards:
■ Security Incidents
■ User Sessions with Incidents
■ Network Awareness
These dashboards display current day counters.
Security Incidents
The Security Incidents dashboard refreshes every 60 seconds but can also be refreshed using the F5 key. You can access this dashboard (Figure 28) by clicking the Incidents tab on the dashboard.
The Incidents dashboard displays the following information:
■ Security Level Meter
■ User Sessions Summary
■ Device Status
■ Authentication Failures
■ Policy Incidents
■ Malware Incidents by Category
■ Incidents for Unauthenticated Users
■ Top User Roles with Incidents/Incident Counts
Security Level Meter
The Security Level Meter (top-left panel) shows weighted incidents per user. The gauge moves to the right as the incidents grow.
Device Status
The Device Health pie chart shows the connectivity health of a device. Devices that are healthy show up in green, and devices that cannot be reached show up in red.
Figure 31 Device Health
You can access Device Management by clicking on the Device Health panel. For more information on Device Management, see Chapter 5, Device Configuration.
Policy Incidents
The Policy Incidents bar chart shows various types of policy incidents: all policy incidents, or Web, IM, or network connectivity incidents only. For more information on policy incidents, see Viewing Policy Incidents.
Incidents for Unauthenticated Users
The Incidents for Unauthenticated Users chart summarizes the various incidents in the network that are caused by unauthenticated users:
■ Users with Policy Incidents—number of unauthenticated users that are violating resource access policies.
■ Users with Malware Incidents—number of unauthenticated users that are violating malware policies.
■ Posture—number of unauthenticated users that are causing posture incidents.
Top User Roles with Incidents/Incident Counts
The Top User Roles with Incidents bar chart displays the top user roles that are generating the maximum number of policy, malware, or posture incidents.
Figure 37 Top User Roles with Incidents
Click on any bar to display the associated top roles with most incidents window.
Network Awareness
The Network Awareness dashboard displays various application usage patterns and statistics for active users. The modules are automatically refreshed every 5 minutes. You can also use the F5 key to refresh the modules. In the Network Awareness dashboard, double-click on the module header to display the associated detail information.
The Network Awareness dashboard displays the following information:
■ Top 10 User Sessions by Bandwidth
■ Top 10 User Sessions with Most Blocked Incidents
■ Top 10 Destinations
■ Top 10 Web Sites
■ Top 10 Applications by Flow Count
■ Bottom 10 Applications by Flow Count
■ Top 10 Applications by Bandwidth (Bar Chart)
Top 10 User Sessions by Bandwidth
The Top 10 User Sessions by Bandwidth table displays the name and usage of the top 10 user sessions by bandwidth.
Top 10 Destinations
The Top 10 Destinations table displays IP addresses of the top 10 destinations that users frequently visited, with the destination IP address that has the most hits being displayed at the top.
Figure 41 Top 10 Destinations
Top 10 Web Sites
The Top 10 Web Sites table displays the names of the top 10 sites visited by users, including the number of times each site was visited.
Top 10 Applications by Flow Count
The Top 10 Application by Flow Count table displays the names and the number of instances (destination IP and port pairs) of the top 10 applications by instances.
Figure 43 Top 10 Application by Flow Count
Click on the column header to display a list of applications, including all application instance details. You can also place the mouse cursor on the pie chart to display tooltips.
Top 10 Applications by Bandwidth (Bar Chart)
The Top 10 Applications by Bandwidth bar chart displays the names and usage of the top 10 applications by bandwidth. The bandwidth is shown in terms of percentage (%) usage.
Figure 45 Top 10 Applications by Bandwidth (Bar Chart)
Click on this panel to display a list of applications, including application details.
Configuring Dashboards
If you find that the default pre-defined dashboards do not conform to your needs, OmniVista SafeGuard Manager allows you to copy the existing dashboards and then customize them accordingly or create new ones from scratch. Each dashboard comprises the following three tabs:
■ Layout—The Layout tab is where you define how the modules are positioned and displayed in a panel. This is where you also define the order in which the dashboards are to be displayed.
Defining Modules within a Dashboard
To create a new dashboard:
1 Click the Dashboard icon from the Page Bar or from the menu, select View > Go To > Dashboard (Ctrl + 0). The Dashboard displays.
2 Click the Configure icon from the Action Bar. The Dashboard Configuration screen displays (Figure 46).
Figure 46 Dashboard Configuration
3 Click New. The Add New Layout window displays (Figure 47).
Figure 47 Add New Layout
4 Enter the configuration as follows:
Table 7 New Layout Attributes
| Attribute Name | Description |
| Name | Enter a name for the new dashboard. |
| Number of Columns | From the dropdown list, select the number of columns you want in the new dashboard. |
| Number of Rows | From the dropdown list, select the number of rows you want in the new dashboard. |
| Reset | Resets the dashboard values to the new values. |
Table 7 New Layout Attributes (continued)
| Attribute Name | Description |
| Fixed Row Location | Check the top checkbox if you want the fixed row to display at the top of the dashboard. Check the bottom checkbox if you want the fixed row to display at the bottom. Only specific modules are allowed in the fixed row area. For example, Device Health, User Statistics, Top 3 Role with policy incidents. |
5 Click a module to configure it. The Module Selection screen displays (Figure 48).
8 Click Select. The properties of the selected module are applied to the module in the new dashboard.
9 Repeat the process until all modules have been specified.
NOTE: Not all modules are configurable. If a module can be cloned or edited, the Clone and Edit buttons are available.
10 Click Edit Order on the Dashboard Configuration dialog box (Figure 46). The Dashboard Tabs Order Editor displays (Figure 49).
Table 8 Dashboard Tab Order Editor Buttons
| Button Name | Function |
| De-select | Highlight a dashboard in the Selected column and click De-select to remove it from the selected list. This dashboard will not display as a tab when you go into dashboard view. |
| De-select All | Click De-select All to remove all dashboards from the selected list. |
| Top | Select a dashboard in the Selected column and click Top to move the dashboard to the top of the list. |
Figure 50 Layout Configuration
4 Select the number of Rows and Columns using the dropdown lists.
5 Select the checkbox for whether you want the fixed row location to be on top or at the bottom.
6 Select the module that you want to change. The Module Selection screen displays (Figure 48).
7 If it’s a user-configured module, the Edit, Clone, and Delete buttons will be active. Make the modifications as necessary and click OK.
NOTE: You can only delete a user-configured module.
Using Pre-defined Modules
OmniVista SafeGuard Manager allows you to configure custom dashboards. Custom dashboards can be configured using modules that have been pre-defined. Some of these pre-defined modules are:
■ Top 10 Applications by Bandwidth—top 10 applications defined by the percentage of usage.
■ Top 10 Applications by Instances—top 10 applications by the frequency of application instances.
■ Top 10 Destinations—top 10 destination IP addresses.
Defining Bars within a Module
You can configure multiple bars within a module; however, each module should have at least one bar. Each bar within a module has an action query associated with it (this identifies the query that needs to be executed when you click on a bar). The associated query then retrieves data from the server. The following bar characteristics should be noted when defining bars:
■ System bars cannot be deleted or cloned.
3 Enter the bar configuration as follows:
Table 9 Add New Bar Attributes
| Attribute | Description |
| Name | Name for the bar. |
| Title | Title for the bar. |
| Bar Query Template Name | From the dropdown list, select a query template that will retrieve data from the database. |
| Bar Query Template Time Filter | Specify a time filter for the bar. This is the time filter that will be applied when collecting counts, for example top 10. |
Viewing Visualization Data
Visualization allows administrators to track what a user is doing, what applications are being used, and what is being done to a network. Such tracking is useful for forensic and postmortem purposes, that is, for debugging and ensuring that the network is performing at its optimum and there are no threats to the network.
Viewing Policy Incidents
When policy conditions are matched for any given user, policy incidents are created. To view policy incidents:
1 Click the View Policy Incidents icon from the Page Bar or select View > Go To > Policy Incidents (Ctrl + 1) menu item. The All Events view displays with the following information:
Table 11 Policy Incidents Attributes
Attribute | Description
Username | Username in violation of a policy.
First Occurrence | Time the violation first occurred.
button in the Find field. For more information on using the search and sort features, see Chapter 3, General Navigation.
3 To view specific incidents by status, location, role, or category, use the attributes in the left column. For more information on using the left column fields, see Chapter 3, General Navigation.
4 Select a row and click Clear to clear the policy violation and put it in history.
Viewing Malware Incidents
The term malware is derived from malicious software, which is any program or file that is harmful to a computer system. Common types of malware include computer viruses, worms, Trojan horses, and spyware. When SafeGuard OS detects malware on the system, malware policies specify how the infection is handled. For more information on how SafeGuard OS detects and isolates malware security threats, see the OmniAccess SafeGuard OS Administration Guide.
Table 12 Malware Attributes (continued)
Attribute | Description
Protocol | Protocol being used: TCP or UDP.
History | History of the last 8 malware incidents. When you place your cursor on the history column, a tooltip displays up to 8 IP addresses related to the specific incident. This is very helpful for diagnostic purposes, to see what algorithm was used to determine that this is actually an incident and what other IP addresses are impacted.
user machine, allowing you to traverse through the details and see what applications the user is using, the infections and the policy incidents against the user. This is helpful for diagnostic purposes and can help the administrator to narrow down the problem and identify where the problem exists.
8 Click Refresh to get the latest malware events.
Viewing Posture Incidents
The term “posture” refers to a collection of attributes that play a role in the conduct or health of a device that is seeking network access. Some of these attributes relate to the endpoint device type and operating system, and others belong to various security applications that might be present on the endpoint, such as anti-virus (AV) scanning software.
Viewing User Sessions
You can view visualization data, network activity per user or for all users. To view all users:
1 From the Dashboard, click on the Total Users row in the User panel, click the View Users icon from the Page Bar, or select the View > Go To > Users (Ctrl + 4) menu item. The All Users screen displays with the following information:
Table 14 User Attributes
Attribute | Description
Username | User name as detected by the authentication (login ID).
button in the Find field. For more information on using the search and sort features, see Chapter 3, General Navigation.
NOTE: Some data might be excluded from the display because visualization filters may have been applied. You can disable the filters if you want to store or display all data. Disabling the filters will not retrieve previously filtered data; however, new data will be stored. For more information on visualization filters, see Setting Visualization Filters.
9 Click Export to export the table details into a CSV file that can easily be exported into an Excel worksheet.
10 Click Print to print the data to a networked printer.
Viewing Application Types
The application view displays the type of application being used (HTTP, FTP, and so forth). To view all application types:
1 Click the View Applications icon from the Page Bar or select View > Go To > Applications (Ctrl + 5) menu item.
Table 15
Figure 54 Other Table Views from Application View
6 Click Refresh to view the updated visualization data.
7 Click Export to export the table details into a CSV file that can easily be exported into an Excel worksheet.
8 Click Print to print the data.
Viewing Application Instances
To view all application instances:
1 Click the View Application Instances icon from the Page Bar or select View > Go To > Application Instances (Ctrl + 6) menu item.
Table 16
Table 16 Application Instances Attributes (continued)
Attribute | Description
Packets In | Total number of incoming packets.
Packets Out | Total number of outgoing packets.
Application Instances | Total number of application instances.
Deny Traffic from Host side IP | Deny traffic originating from host-side IP address.
Deny Traffic to Host-side IP | Deny traffic that is directed to host-side address.
Viewing Application Flows
To view application flows:
1 Click the View Application Flows icon from the Page Bar or select View > Go To > Application Flows (Ctrl + 7) menu item. The Application Flows view displays, giving a detailed view of all user activity for the selected user.
2 Search the data displayed locally in the table view by clicking the Find icon in the Action Bar. A free-form text search field is displayed.
Creating Policy Filters
OmniVista SafeGuard Manager allows you to create a policy filter from data available in an application flow. To create a policy filter:
1 Click the View Application Flows icon in the Page Bar.
2 Select a data flow line and right-click to select Create Policy Filter. The New Policy Filter screen displays (Figure 56).
Table 17 New Policy Filter Attributes
Attribute | Description
Select choice of filter | From the dropdown list, select the type of filter. Valid values are:
■ None
■ Block user
■ Deny traffic originating from user
■ Deny traffic to user
■ Deny traffic from user to network IP
■ Deny traffic from network-side IP to user
■ Deny traffic from network-side IP
■ Deny traffic to network-side IP
Name | Specify a brief name for the new policy filter.
Viewing Time-based Data
OmniVista SafeGuard Manager allows you to apply time filters in the navigational views. Using these time filters, you can specify a time range for which you want to view data. These navigational views also allow you to view data that can be active or inactive and is within the time range specified. To view data within a specific time range:
1 Click on a Page Bar icon to get a table view (Figure 57).
6 Click Refresh to update the view.
Additional Time-based Filtering
For certain views (application and users), you can apply additional time filters to exclude or include data from the original time-based query. For example, if your initial query was to show users logged in between 4:00 pm to 5:00 pm, you can use the additional exclude filters to show users not logged in between 3:00 pm to 4:00 pm. To apply additional filtering:
1 Click on the And...
Viewing Active Data Against Historical Data
Active data is generated while the user is logged in. Data is considered history (inactive) when the user logs out. Whenever any data or events are cleared, they also become part of history.
NOTE: Malware and Posture events are host based; therefore, they are not considered history when the user logs out. These events must be cleared for them to be history.
Chapter 5 Device Configuration
This section includes the following:
■ Managing Devices
■ Configuring Device Objects
■ Templates
■ Editing Device Objects
■ Deleting an Existing Device
■ Synchronizing a Device
■ Device Actions
■ Other Actions
■ Understanding Device Management Display
■ Recommended Device Management Workflow
Managing Devices
This section describes how you can add new devices, delete existing devices, and perform basic device configuration.
Checking a Device
When you add a device, OmniVista SafeGuard Manager checks to ensure that the device is an Alcatel-Lucent device. No other devices are added.
Figure 60 New Device Dialog Box
4 Enter the following device attributes:
Table 18 Add Device Attributes
Attribute | Description
IP Address | The Management IP address of the device.
SNMP Community String (Read) | Simple Network Management Protocol (SNMP) read community name that was configured when the device was initially set up.
SNMP Community (Read/Write) | SNMP read/write community name that was configured when the device was initially set up.
Name | Device name.
NOTE: Make sure that the attributes are specified correctly; otherwise, adding a device fails, producing one of the following error messages: “Device unreachable,” “Device is not a Alcatel-Lucent device,” or “Unable to communicate with IP Address.”
5 Click OK to add the device.
Adding Multiple Devices
To add multiple devices:
1 Select the Device Configuration icon from the Page Bar or select the View > Go To > Config Management menu item.
2 Click the New icon from the Action Bar.
3 Select Multi Device. The Create Devices (Figure 62) dialog box displays. You can populate this table using either the Import From File or the Add Entry option.
Table 19 Add Device Attributes (continued)
Attribute | Description
Device | Shows the device name with its IP address.
IP Address | The Management IP address of the device.
SNMP Community String (Read) | Simple Network Management Protocol (SNMP) read community name that was configured when the device was initially set up.
SNMP Community (Read/Write) | SNMP read/write community name that was configured when the device was initially set up.
Device Name | Device name.
Configuring Device Objects
After you have added the device, you must now configure the device objects. OmniVista SafeGuard Manager allows you to configure the following device objects:
■ Application Groups
■ Application Filters
■ Network Zones
■ Policies
■ Role Derivations
■ Roles
■ LDAP Servers
Application Groups
An Application group is a collection of application protocols used to filter Layer 4 or Layer 7 applications in rules and policy filters.
2 Enter the Application Group attributes as follows:
Table 20 Application Group Attributes
Attribute | Description
Name | Specify a name for the application group you are creating.
Available Applications | Highlight an application in the Available Applications column and click Add to add the selected application to the application group.
Current | Highlight an application in the Current column and click Remove to delete the selected application from the application group.
Application Filters
An application filter is a further refinement of an application. Application filters block an application depending upon an action the user performs. For example, you might allow contractors to use FTP, unless they attempt to upload any document that has the string “spec” in the filename. So when the traffic comes in, SafeGuard matches the FTP traffic against the “spec” parameter in the filename.
Figure 65 New AppFilter Element
5 Specify the application filter attributes as follows:
Table 21 Application Filter Elements Attributes
Attribute | Description
Protocol | Select an application protocol from the Protocol dropdown list, for example, HTTP, FTP, or CIFS.
Attribute Name | Select an attribute name (Content type, Host, or User Agent) from the Attribute Name dropdown list.
Network Zones
Network resources can be organized into network zones. These zones or logical groups are collections of nodes and network segments. A zone is an easy way to define the resources for a group and to name that entity. For example, you can define a network zone for the servers for the Finance organization or for the resources that you want to allocate to unauthenticated users. Zone filtering has two major benefits for the device administrator.
4 Specify the network zone attributes as follows:
Table 22 Network Zone Elements Attributes
Attribute | Description
Type | Select a network type from the Type dropdown list: Host IP, Network, IP Range, Host MAC, or MAC Mask.
IP Address | Depending on what you selected in the Type field, enter the IP or the MAC address.
5 Click OK. The network zone element displays in the Elements field of the New NetworkZone dialog box (Figure 66).
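The five element types in Table 22 can be modeled offline to review which zones an endpoint falls into before the zones are used in policy filters. This is an added example, not SafeGuard code: the function names, the value syntax (CIDR for Network, `low-high` for IP Range, `address/mask` for MAC Mask), the mask semantics, and all addresses are assumptions constructed for illustration.

```python
import ipaddress


def mac_to_int(mac):
    """Parse a 48-bit MAC written with ':', '-' or '.' separators."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def element_matches(kind, value, ip=None, mac=None):
    """Return True if the endpoint (ip and/or mac) matches one zone element."""
    if kind in ("Host IP", "Network", "IP Range"):
        if ip is None:
            return False
        addr = ipaddress.ip_address(ip)
        if kind == "Host IP":
            return addr == ipaddress.ip_address(value)
        if kind == "Network":
            return addr in ipaddress.ip_network(value, strict=False)
        # IP Range: assumed "low-high" syntax, both ends inclusive
        low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return low <= addr <= high
    if kind in ("Host MAC", "MAC Mask"):
        if mac is None:
            return False
        if kind == "Host MAC":
            return mac_to_int(mac) == mac_to_int(value)
        # MAC Mask: assumed "address/mask" syntax, compared bit by bit
        base, mask = (mac_to_int(p) for p in value.split("/"))
        return (mac_to_int(mac) & mask) == (base & mask)
    raise ValueError(f"unknown element type: {kind!r}")


def zones_for(zones, ip=None, mac=None):
    """Names of every zone with at least one element matching the endpoint."""
    return sorted(
        name
        for name, elements in zones.items()
        if any(element_matches(kind, value, ip, mac) for kind, value in elements)
    )


def overlapping_endpoints(zones, endpoints):
    """Map endpoint label -> zones, for endpoints that land in several zones."""
    report = {}
    for label, (ip, mac) in endpoints.items():
        hits = zones_for(zones, ip=ip, mac=mac)
        if len(hits) > 1:
            report[label] = hits
    return report


# Constructed sample data: a Finance server zone and a zone for resources
# offered to unauthenticated users, with a deliberate overlap between them.
ZONES = {
    "finance-servers": [
        ("Network", "10.20.0.0/24"),
        ("Host MAC", "00:11:22:33:44:55"),
    ],
    "unauthenticated": [
        ("IP Range", "10.20.0.200-10.20.1.50"),
        ("MAC Mask", "00:11:22:00:00:00/ff:ff:ff:00:00:00"),
    ],
}

ENDPOINTS = {
    "ledger-db": ("10.20.0.5", None),
    "kiosk": ("10.20.1.10", None),
    "misfiled-host": ("10.20.0.210", None),
    "finance-nic": (None, "00-11-22-33-44-55"),
}

if __name__ == "__main__":
    for label, hits in overlapping_endpoints(ZONES, ENDPOINTS).items():
        print(f"{label}: member of {', '.join(hits)}")
```

An endpoint reported in both zones is a candidate for review, because a filter written for the less restricted zone would also apply to it.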
Policies
Policies are the rules that govern user access and resources. Policies are used to establish the boundaries and enforce a security philosophy for these users and resources. OmniVista SafeGuard Manager supports the following policies:
■ Malware policies—Specify how the infection is handled when SafeGuard detects malware on the host.
whether a user’s machine is scanned (checked) or whether the user is allowed to bypass the check. EPV policies cannot be assigned to a role.
NOTE: Only Malware and User policies can be assigned to a role. For more information on roles, see Roles.
Traffic Flow
Unlike competitive products, Alcatel-Lucent devices are not packet-based or packet-based control mechanisms. Instead, the system initiates policy enforcement on TCP connections or groupings of UDP packets.
Policy Enforcement
The order in which a policy is enforced depends on two factors:
1 Ranking of the policy
2 Precedence of the policy
Policies have an internal ranking system that stacks the policies in the order shown in Figure 68.
Figure 69 Policy and Filter Precedence
Policy A is applied before policy B. Filter precedence is applied after policy precedence.
user role technician
policy A precedence 110
filter f1 precedence 2100
policy B precedence 210
filter f1 precedence 1100
Figure 70 Configured Roles and Policies
Precedence numbers fall into three ranges. User policies are divided into two bands to provide flexibility of overriding system policies, if needed.
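The two-level ordering in the technician example can be checked offline before a configuration is deployed. The following is an added example, not code from the guide or from SafeGuard: it orders filters by policy precedence first and filter precedence second, and applies the filter range of 1 (highest) to 65535 (lowest) that the guide gives in its Policy Filter Attributes table. The class and function names are hypothetical, and flagging tied precedences is an assumption, since the guide does not say how ties are resolved.

```python
from dataclasses import dataclass, field

# Filter precedence range as given in the guide: 1 (highest) to 65535 (lowest).
FILTER_MIN, FILTER_MAX = 1, 65535


@dataclass
class PolicyFilter:  # hypothetical model, not a SafeGuard API
    name: str
    precedence: int


@dataclass
class Policy:  # hypothetical model, not a SafeGuard API
    name: str
    precedence: int
    filters: list = field(default_factory=list)


def evaluation_order(policies):
    """Order filters by policy precedence first, then by filter precedence."""
    ordered = []
    for policy in sorted(policies, key=lambda p: p.precedence):
        for flt in sorted(policy.filters, key=lambda f: f.precedence):
            ordered.append((policy.name, flt.name, flt.precedence))
    return ordered


def inverted_pairs(policies):
    """Pairs where a filter is applied earlier than a filter in another
    policy even though its own precedence number is larger."""
    seq = evaluation_order(policies)
    pairs = []
    for i, (pol_a, flt_a, prec_a) in enumerate(seq):
        for pol_b, flt_b, prec_b in seq[i + 1:]:
            if pol_a != pol_b and prec_a > prec_b:
                pairs.append(((pol_a, flt_a), (pol_b, flt_b)))
    return pairs


def validate(policies):
    """Return a list of problems: out-of-range filter precedence, and ties
    (assumption: ties are worth flagging because their order is unspecified)."""
    problems = []
    policy_by_prec = {}
    for policy in policies:
        first = policy_by_prec.setdefault(policy.precedence, policy.name)
        if first != policy.name:
            problems.append(
                f"policies {first} and {policy.name} share precedence {policy.precedence}"
            )
        filter_by_prec = {}
        for flt in policy.filters:
            if not FILTER_MIN <= flt.precedence <= FILTER_MAX:
                problems.append(
                    f"{policy.name}/{flt.name}: precedence {flt.precedence} "
                    f"outside {FILTER_MIN}-{FILTER_MAX}"
                )
                continue
            first = filter_by_prec.setdefault(flt.precedence, flt.name)
            if first != flt.name:
                problems.append(
                    f"{policy.name}: filters {first} and {flt.name} "
                    f"share precedence {flt.precedence}"
                )
    return problems


# The technician role from Figure 70, entered out of order on purpose.
TECHNICIAN = [
    Policy("B", 210, [PolicyFilter("f1", 1100)]),
    Policy("A", 110, [PolicyFilter("f1", 2100)]),
]

if __name__ == "__main__":
    for policy_name, filter_name, prec in evaluation_order(TECHNICIAN):
        print(f"policy {policy_name} filter {filter_name} (precedence {prec})")
    for earlier, later in inverted_pairs(TECHNICIAN):
        print(f"note: {earlier} is applied before {later}")
    print(validate(TECHNICIAN) or "no problems found")
```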
Designing a Policy Workflow
A policy workflow is simply an approach to planning, organizing, and implementing a policy management strategy. Before configuring your rules, roles and policies, it is helpful to do some groundwork.
1 Determine your corporate philosophy to security. There are two schools of thought on how to execute a policy system. One method creates a wall where all users are initially denied access. You then punch holes, or exceptions, into the wall.
7 Configure the roles that apply to the policies and associate the policy to the user. For more information on roles, see Role Derivations and Roles.
Creating a New Policy
To create a new policy:
1 Select Policies from the navigation tree (Figure 61) and select User Policy, Malware Policy, EPV Policy, or User Override Policy from the New dropdown list in the Action Bar. For this example, we have selected User Policy. The New UserPolicy dialog box displays (Figure 66).
Table 24 Policy Attributes (continued)
Attribute Name | Description
Event Severity | Specify a severity level for the policy event from the dropdown list: Critical, Major, Minor, or Informational.
3 Filter expressions improve the accuracy and consistency of configuration commands deployed to the network. Click New to define policy filters. The New Policy Filter dialog box displays (Figure 72).
Table 25 Policy Filter Attributes (continued)
Attribute Name | Description
Precedence | Use the up and down arrows to assign a priority level or precedence to the policy. Each policy filter has an associated precedence which sorts the filters within the policy. The precedences have a valid range of 1 (highest) to 65535 (lowest). If a precedence number is not specified, the system assigns a precedence.
Action | From the dropdown list, assign an action for the policy filter.
Table 25 Policy Filter Attributes (continued)
Attribute Name | Description
Traffic To/Destination Type | Select a destination type to which you want to restrict traffic.
5 Click OK. The policy filter you defined displays in the Policy Filters panel of the New User Policy dialog box.
6 Click OK. The new user policy displays in the Policies object of the navigation tree. You can create more than one policy using the same process.
7 Select a policy and click Edit to change the values of an existing policy.
8 Select a policy and click Delete to remove a policy. A confirmation box is displayed asking you to confirm the deletion.
Role Derivations
Role derivation for a user is achieved by matching a set of authentication protocol-specific attributes and their values to a role. The attributes are obtained by user authentication against an external RADIUS, Kerberos, or another server. These attributes are sent by the authentication server to the network access device when an access request is successfully accepted. Role derivation rules are not applied when authentication fails.
Figure 73 Role Derivation Rule Set
2 Enter information in the user-configurable fields as follows:
Table 26 Role Derivation Rule Set Attributes
Attribute Name | Description
Name | Rule map name in character string.
Precedence | Use the up and down arrows to assign a priority level or precedence to the rule map.
Apply Rule Set | Check this box if you want to apply the rule set.
Description | Description for the role derivation rule set in a character string.
Figure 74 New Rule Map Condition
4 Enter information as follows:
Table 27 New Rule Map Condition Attributes
Attribute Name | Description
Attribute Class | From the dropdown list, select an attribute class of System, RADIUS, or AD.
Attribute Name | From the dropdown list, select an attribute name.
Match Condition | From the dropdown list, select a condition of does or does not.
Operation | From the dropdown list, select an operation for the match condition.
9 Select a role derivation and click Copy to clone the configuration of the selected role derivation.
Roles
You set up users in the authentication database by assigning them a set of roles, usually defined first by department and then by mapping a set of authentication protocol-specific attributes and their values to a role. The attributes are obtained by user authentication against an external RADIUS, Kerberos, or another server.
■ Default roles cannot be deleted.
For more information on how policies are applied, see the OmniAccess SafeGuard OS Administration Guide.
NOTE: Role names are case sensitive. The “software engineer” role is not the same as the “Software Engineer” role.
The procedure for creating a role is:
1 Create the role by giving it a name.
2 Define the parent role, if necessary.
3 Apply either a user policy or a malware policy to the role.
Table 28 Role Derivation Rule Set Attributes
Attribute Name | Description
Parent Role | From the dropdown list, select a role to be assigned as a parent role.
Assigned Policies | Displays the policies assigned using the New Policies dialog box.
3 Click New to assign policies for this role. The New RolePolicy dialog box displays (Figure 77).
7 Select a role and click Edit to change the configuration of an existing role.
8 Select a role and click Delete to remove it from the list. A confirmation box is displayed asking you to confirm the deletion.
9 Select a policy and click Up or Down to change the precedence.
LDAP Servers
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.
Figure 78 New LDAP Server
2 Enter information in the user-configurable fields as follows:
Table 30 New LDAP Server Attributes
Attribute Name | Description
IP Address | Enter an IP address for the LDAP server.
Use SSL | Select the checkbox if you want LDAP to use the Secure Socket Layer (SSL) encryption to secure data transmissions.
Port Number | Use the up/down arrows to specify a port number for the LDAP server.
6 Select an existing LDAP server and click Copy in the Action Bar to copy the settings of the selected server.
Editing Device Objects
To edit a device:
1 Select the Device Configuration icon from the Page Bar or select the View > Go To > Config Management menu item.
2 Click the Edit icon from the Action Bar. The Edit Device (Figure 79) dialog box displays.
3 You can edit the device properties: general, connectivity, SNMP server settings, and device settings using the following attributes:
Table 31 Edit Device Attributes
Attribute Name | Description
General Properties:
Name | A unique name of the device that you are editing.
Managed | Select the Yes checkbox if the device is to be managed.
Table 31 Edit Device Attributes (continued)
Attribute Name | Description
Device Settings:
Malware Mode | From the dropdown list, select one of the following malware modes:
■ Disabled—Disables malware detection in the switch. Malware processing will be bypassed.
■ Log Only—Enables malware detection in the device but no action is taken. Only logs are created.
■ Block Host—Blocks the entire host.
Protection Mode (only for switches) |
Update Interval (seconds) |
Figure 80 Editing or Deleting Multiple Device Objects
Highlight multiple objects of the same type to perform a multi edit or deletion.
7 To delete objects of the same type, highlight multiple objects (Figure 80) and click Delete. The Confirm Deletion dialog box displays. If the objects that you selected for deletion are not of the same type, the error message, “There are no common editable fields for the selected objects” displays.
Editing Interfaces
An interface is the slot or port associated with the device. To edit an interface:
1 Select the Device Configuration icon from the Page Bar or select the View > Go To > Config Management menu item.
2 Select Interfaces in the navigation bar and highlight a port that you want to edit.
3 Click the Edit icon from the Action Bar. The Edit Interface (Figure 79) dialog box displays.
Templates
Templates are a convenient way to create a boilerplate for objects that share many of the same attributes. Templates consist of template definitions and template data. The template definition contains the logic and variables to be populated with template data. It defines the actions that need to be taken for any device to which the template is attached. The template helps in creating the configuration that is downloaded to a device.
Creating a New Template
To create a new template:
1 Select Templates from the navigation tree (Figure 61) and click New in the Action Bar. The New Template dialog box displays (Figure 83).
Figure 83 New Template
2 The new template comprises the template objects (application group, application filters, policies, and so forth) you have already defined. Specify the name for the template in the Name field.
5 From the current column, choose the devices that you want to disassociate from the template.
6 Click OK. The new template is now associated with the selected devices.
Importing Templates
To import a new template:
1 In Device view, select Templates from the Navigation Tree.
2 Select Import from the Page Bar. The Import Template dialog box appears (Figure 84).
Figure 85 New File
3 Enter the attributes as follows:
Table 33 Edit Interface Attributes
Attribute Name | Description
Type | From the dropdown list, select Template Configuration.
Source | From the dropdown source list, select Template. Browse for the source where you saved your templates.
Name | Enter a descriptive name for the template.
Version | Provide a version so the template cannot be overridden.
Device Type | Select a device type: Switch, Controller, or any.
Deleting an Existing Device
To delete an existing device:
1 Click the Device Configuration icon from the OmniVista SafeGuard Manager Page Bar. The Config Management panel displays (Figure 86).
Figure 86 Config Management
2 In the navigation tree, select the device you want to delete, and click the Delete icon from the Action Bar. The Delete Objects dialog box displays (Figure 87).
4 Click Execute to perform the deletion. The selected device is removed from the list of added devices.
5 Click Cancel to cancel the deletion.
Polling a Device
Polling is done automatically; no user interface exists. OmniVista SafeGuard Manager checks to see if the connection to the device still exists and if the SNMP agent is running.
Manually Synchronizing a Device
To manually synchronize a device from the Config Management window:
1 Click the Config Management icon from the Page Bar or select the View > Go To > Config Management menu item.
2 From the list of devices, select the device from which you want to synchronize data.
3 Select Device Actions > Synchronize Configuration from the Action Bar. A confirmation dialog box displays.
4 Select Yes to proceed with the synchronization.
The following menu items are available:
Table 34 Device Actions Menu
Menu Item | Available Actions
Manage Configuration |
■ Synchronize Configuration (Ctrl+Shift+Y)—synchronizes the configuration such that you see the latest data from the device.
■ Deploy Changes (Ctrl+Shift+D)—deploys the configuration changes.
Manage Files |
■ Save Running Config (Ctrl+Shift+S)—saves the running configuration such that the configuration changes persist after a device reboot.
Figure 88 Manage Configuration Dialog Box (Synchronize Configuration)
2 From the Select Action dropdown list, select Synchronize Configuration.
3 Select the device for which you want to synchronize data.
4 Click Execute. Data synchronization begins and synchronization details are shown in the Action Details (lower-half) section of the screen.
5 Click Cancel to cancel the synchronization.
6 Click Get Status to get the current device status.
Deploy Changes
To deploy changes on a device:
1 Select Device Actions > Manage Configuration > Deploy Changes (Ctrl+Shift+D) from the Config Management window. The Manage Configuration dialog box displays (Figure 89).
Figure 89 Manage Configuration Dialog Box (Deploy Changes)
2 Select the deploy options (system, policy, and/or AAA) that you want to apply.
3 Select the device to which you want to deploy the changes.
4 Click Execute.
Save Running Config
To save a running config:
1 Select Device Actions > Manage Configuration > Save Running Config (Ctrl+Shift+S) from the Config Management window. The Manage Configuration dialog box displays (Figure 90).
Figure 90 Save Running Config
2 Select the device for which you want to save the running config.
3 Click Execute. The status is displayed in the Action Details (lower-half) section of the screen.
Backup CLI Configuration
OmniVista SafeGuard Manager allows you to create configuration versions for a device and distribute a specific version to the device when needed. You can create configuration versions for a specific device using one of the following two ways:
■ Multiple devices, using Device Actions > Manage Configuration > Backup CLI Configuration.
6 Click Cancel to cancel the backup.
7 Click Get Status to get the current device status.
8 Click Clear Details to clear status details.
Viewing CLI Configuration Versions
Any CLI configuration versions that you have created can be viewed under the device hierarchy tree. To view CLI configuration versions:
1 Select the device for which you want to view CLI configuration versions.
2 In the device hierarchy, select the Backed Up CLI Configuration tree node.
Upgrade Software
To upgrade a software image:
1 Select Device Actions > Manage Software > Upgrade Software (Ctrl+Shift+U) from the Config Management window. Or, right-click on any device and select Device Actions > Distribute Image. The Software Upgrade dialog box displays (Figure 92).
Table 35 Software Upgrade Dialog Box Attributes
Column Name | Description
Action Status | Shows the upgrade status. Possible values are:
■ Scheduled
■ In progress
■ Copying
■ Booting
■ Success
■ Failure
3 Click Execute to start copying the new software image.
4 Click Cancel to cancel the upgrade.
5 Click Get Status to get the current device status.
6 Click Clear Details to clear status details.
Figure 93 Distribute File Dialog Box
Click on a file in the Select File field to select the file version you want. Click on the Device Location header to select a different device location.
2 Enter the user configurable fields as shown below:
Table 36 Distribute File Dialog Box Attributes
Column Name | Description
Select File Type | Select the type of file you want to distribute.
Table 36 Distribute File Dialog Box Attributes
Column Name | Description
Device Location | Clicking on this field brings up a dialog box that lets you choose the device location to which you want to distribute the file. Select the appropriate location from the dropdown list and click OK. The new location will display in the Device Location column.
Action Status | Shows the file download status.
3 Click Execute to distribute the file.
Reboot Device
You can reboot a single device or multiple devices from the OmniVista SafeGuard Manager Configuration Management window. To reboot a device:
1 Select Device Actions > Reboot Device from the Config Management window. Or, right-click on any device and select Device Actions > Reboot Device (Ctrl+Shift+B). The Reboot Device dialog box displays (Figure 94).
Figure 94 Reboot Device Dialog Box
Click on a boot image file to select the boot image version you want.
Table 37 Reboot Device Dialog Box Attributes
Column Name | Description
Action Status | Shows the reboot status.
3 Click Execute to reboot the selected device.
NOTE: If the software image is not found to be compatible with the bootloader image, OmniVista SafeGuard Manager will not execute boot on the selected device.
4 Click Cancel to cancel reboot.
5 Click Get Status to get the current device status.
2 Enter the information as shown below:
Table 38 Refresh Dialog Box Attributes
Column Name | Description
Select Action | Select “Refresh Roles” if you want to refresh roles or select “Refresh Policies” to refresh all policies on the selected device.
Select Device | Select the checkbox next to the device for which you want to refresh policies or roles.
Device | Device name, including the IP address.
Local Changes | Shows if the device changes were made locally to a device.
Other Actions
You can execute show commands, delete visualization, and create or update templates using the Other Actions menu available through Config Management.
To access the pull-down Other Actions menu:
1 Select the Device Configuration icon from the Page Bar or select the View > Go To > Config Management menu item.
2 Click the down arrow next to the Other Actions menu in the Action Bar to see the menu items.
Execute Show Commands
OmniVista SafeGuard Manager allows you to execute a show command on any of the selected devices.
To execute a show command:
1 Select Other Actions > Execute Show Command from the Config Management window. Or, right-click on the device for which you want to execute a show command to access the Other Actions menu. The Show Command dialog box displays (Figure 96).
Figure 96 Show Command
2 Select a show command from the dropdown list.
ICS Admin
When you first reboot the device, OmniVista SafeGuard Manager uploads the ICS portal configuration along with the device configuration. This configuration persists in the OmniVista SafeGuard Manager server as a file that allows you to deploy the configuration at a later stage.
To change the ICS configuration:
1 Select the device for which you want to save the ICS configuration file.
2 Select Other Actions > ICS Admin.
Update Template
To update or make any changes to an existing template:
1 Select Other Actions > Update Template from the Config Management window. Or, in the navigation tree, select the template you want to update and click Edit. The Edit Template dialog box displays (Figure 98).
Figure 98 Edit Template
2 For the Cleanup Device Configuration, select Yes if you want to clean up device configuration.
Discard Non-template Changes
To discard any changes that were made to the device but not to the template:
1 Select Other Actions > Discard Non-template Changes from the Config Management window. The Discard Non-template Changes dialog box displays (Figure 99).
Figure 99 Discard Non-template Changes
2 Select the device on which you want to discard any non-template changes.
3 Click Execute to discard changes.
Understanding Device Management Display
OmniVista SafeGuard Manager can be used to manage partial configuration of SafeGuard devices.
Figure 100 Show Device Hierarchy (callouts: Legend; Show/Hide icon)
Strike-through objects denote changes observed on a template object. You can either accept or discard this change. To discard this change, select the changed object, right-click, and select Delete to delete the selected object. To accept the changed object and add it to a template, select the object, right-click, then select Add to Template.
Recommended Device Management Workflow
You can create and share workflows across several devices. The following steps help you create a simple workflow that can be shared across devices:
1 Add the device from which you want to share the configuration. For more information on adding devices, see Adding a New Device.
2 Create a template from that device. To create a template, select the device and click Create Template in the Action Bar.
Chapter 6 Query and Reports
This section includes the following:
■ Query
■ Reports
Query
Queries are available in OmniVista SafeGuard Manager for querying visualization data, reporting, and for creating bars in dashboard configuration. You can create additional queries using the Save Query Template. OmniVista SafeGuard Manager provides you with an easy way of using these queries in customized dashboards. You can create a bar then assign it to a module that was created prior to saving the new query.
Figure 102 Save Query Template - General Tab
3 Enter the template settings on the Save Query Template - General tab as follows:
Table 41 Save Query Template Settings
Setting Name | Description
Table Query:
Title | Name by which the query template is to be saved.
Description | Brief description for the query template.
Apply Time Stamp | If this checkbox is selected, the time range filters you specify are applied. This checkbox is selected as a default.
Table 41 Save Query Template Settings (continued)
Setting Name | Description
Max Row Number | Specify the number of rows you want displayed as the query result.
Count Query Template:
Save Count Query | Select the Count Query checkbox if you want the count query to be used in dashboard configuration to create a bar. The rest of the fields will be enabled only if this checkbox is selected.
Count Query Name | Name by which the count query is to be saved.
Figure 103 Save Query Template - Details Tab
5 The Details tab shows the template settings as follows:
Sorting Order | Sorting order that has been previously set using the Database Search button of the Find feature.
Conditions | Conditions that have been previously set using the Database Search button of the Find feature.
6 Click OK to save the template settings. The newly created Query template displays under the Custom Queries node in the Navigation Tree.
8 Select a query and right-click it to delete the selected query. A confirmation box will display to verify deletion.
NOTE: Monitoring users cannot create or delete queries. Queries are not available for Layer 7 events.
Reports
Reports use the existing Query mechanism to represent the high-level network health. Administrators can use reports to view the top destinations visited and then decode at the application layer.
Figure 104 Reports Screen
2 Select Report Definitions in the navigation tree and click New in the Action Bar. The Report Definition Editor displays (Figure 105).
3 Enter the information as shown below:
Table 42 Report Definitions
Define | Description
Name | Specify a textual name for the report.
Description | Specify a description for the report you are creating.
Time Window | Select Relative to specify a relative time for the query: daily, hourly, weekly, or monthly. You can also select how many hours per day for which you want the reporting data. Select Absolute to enter a specific time.
5 Click Run in the Action Bar to start the reporting process.
NOTE: Reports can be generated directly by clicking Run or can be scheduled by creating report schedules. The same report definition can be used in more than one schedule. Reports typically process a large set of data and can be slow.
To edit an existing report definition:
1 Click the Reports icon from the Page Bar, or select the View > Go To > Reports (Ctrl+9) menu item.
4 Click New to create a new schedule or Edit to modify an existing schedule. The Report Schedule Editor displays (Figure 107).
Figure 107 Report Schedule Editor
5 Select the schedule frequency: Monthly, Weekly, Daily, or Hourly.
6 Specify the start time by using the up and down arrows.
7 Select Enabled or Disabled for the status.
8 Click Apply to save the schedule changes. The next time you run a report, the new schedule is used.
Figure 108 Generated Reports
2 Select the report you want to view.
3 Select View HTML from the Action Bar to view the report in HTML format.
Figure 109 Report in HTML Format
4 Select View CSV from the Action Bar to view the report in CSV format.
Figure 110 Report in CSV Format
NOTE: When you generate a report either through a schedule or interactively, if Enable Report Delivery is checked in the Mailer tab of Server Settings, then an email is sent. This email can be in a zip format if any graphs are included in the report definition. You have to open the zip file and select View HTML to view the report. For more information on mailer settings, see Mailing Malware and Report Notifications.
Chapter 7 Managing the Server
This section includes the following:
■ User Authentication
■ User Accounts
■ File Repository
■ Client Settings
■ Server Settings
■ General
User Authentication
An integral part of any security solution is access control, which is the way you control user access into the network and what services users are allowed to use after they have access. Authentication, Authorization, and Accounting (AAA) is an industry-accepted framework that implements access control. This section focuses on the authentication component and how an administrator can set user authentication using OmniVista SafeGuard Manager.
3 Enter the user configurable fields as follows:
Table 43 Edit User Authentication Attributes
Attribute | Description
Authentication Server | Select RADIUS to apply an external authentication server.
IpAddress | Enter the IP address on which the communication to the RADIUS server can be established.
Port | Enter the port number on which the communication to the RADIUS server can be established.
Secret Key | Enter the shared secret key.
■ If you choose to change the authentication method from “RADIUS” to “Local,” the password has to be set explicitly for all users before the users can log in.
NOTE: Whenever the authentication method is changed from “RADIUS” to “Local,” all user accounts, except the admin account, are put in a “disabled” state. These accounts will stay in a disabled state unless the administrator resets the passwords for these accounts.
Adding a New User
To add a new user:
1 Select Tools > OmniVista SafeGuard Manager Users > User Accounts... The Account Management window displays.
2 Click Add on the Account Management window to add a new user. The Add User Account dialog box displays (Figure 112).
Figure 112 Add User Account
3 Enter a name in the User Name field.
4 Enter a password for the user in the Password field and then confirm it in the Confirm Password field.
Enabling Dual-Admin or 4-Eye Mode
The dual-administrator or 4-Eye administrator role cannot log into the client on their own. However, if another user with a different administrator role logs into the client, then the 4-Eye admin role is required to enable an administrator role to enter the 4-Eye admin mode.
Figure 114 4-Eye-Admin Mode Settings
6 Enter the user name and password for the 4-Eye administrator role to log in.
7 Click OK to log in. After you log in, you can view the hidden information.
File Repository
File repository allows you to manage device files in an OmniVista SafeGuard Manager repository.
2 The Manage File Repository screen displays the following information:
Table 44 Manage File Repository Columns
Column Name | Description
Type | Type of file in the repository.
Name | Name of the file. When the file type is image, the file name is automatically translated to .img. For example, “SafeGuardOS-2.2.1.5-cp.img”. The translation is required to avoid duplication of images.
Version | Shows the version of the image on the device.
Figure 116 New File
8 Enter the required information as follows:
Table 45 New File Attributes
Attribute Name | Description
Image | Select the type of file you want to add to the repository using the dropdown list. The following file types are available: Image; Boot loader; ICS portal configuration; ICS policy configuration; Captive portal web page; Other.
File Source | Shows if the file is available in the network files system.
Source | Click the ellipses (...
9 Click OK. The selected file is added to the repository and displays in the Manage File Repository screen.
NOTE: You can distribute these files to one or many devices at the same time. For more information, see Distribute File.
Client Settings
OmniVista SafeGuard Manager allows you to choose and set the order in which you view the columns in a given table view. These settings are remembered in Windows for each user and are applied when you visit the same table again.
Server Settings
The following server settings can be performed from the OmniVista SafeGuard Manager client:
■ Setting Visualization Filters
■ Exporting the Database
■ Backing Up the Database
■ Restoring the Database
■ Mailing Malware and Report Notifications
Setting Visualization Filters
OmniVista SafeGuard Manager allows you to set up visualization filters. Filters allow you to selectively view events based on VLAN ID, application type, or user role.
Figure 119 New Visualization Filter Group
4 Specify a name for the new visualization filter group.
NOTE: A filter group can contain one or more filters depending on the filter type: VLAN, Application, or User Role. A filter group name is unique and two filter groups cannot have the same name. Filters apply only to Layer 7 and flows data.
5 Select the Enable checkbox if you want the visualization filters to be enabled.
7 Specify the filter information as shown below:
Table 46 New Visualization Filter Attributes
Attribute | Description
Type | From the dropdown list, select whether the visualization filter is to be based on VLAN ID, Application, or User Role. Note: Filters of the same type have the OR condition applied, whereas filters across different types have the AND condition applied.
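The OR-within-type, AND-across-types rule from the note in Table 46, worked through as an added example (not code from OmniVista SafeGuard Manager). The event keys vlan_id, application and user_role, the function names, and the sample group and events are assumptions made for illustration.

```python
from collections import defaultdict

# Filter types are the three named in Table 46. The event keys they map to
# are assumptions for this example, not the product's schema.
EVENT_FIELD = {
    "VLAN": "vlan_id",
    "Application": "application",
    "User Role": "user_role",
}


def group_matches(filters, event):
    """Return True if `event` satisfies a filter group.

    filters: list of (filter_type, value) pairs.
    Values of the same type are OR-ed; the per-type results are AND-ed.
    """
    if not filters:
        raise ValueError("a filter group contains one or more filters")
    allowed = defaultdict(set)
    for ftype, value in filters:
        if ftype not in EVENT_FIELD:
            raise ValueError(f"unknown filter type: {ftype!r}")
        allowed[ftype].add(value)
    # An event that lacks a filtered field cannot satisfy that type.
    return all(
        EVENT_FIELD[ftype] in event and event[EVENT_FIELD[ftype]] in values
        for ftype, values in allowed.items()
    )


def explain(filters):
    """Render the group as the boolean expression it evaluates."""
    allowed = defaultdict(list)
    for ftype, value in filters:
        allowed[ftype].append(value)
    clauses = [
        "(" + " OR ".join(f"{ftype} = {v}" for v in values) + ")"
        for ftype, values in allowed.items()
    ]
    return " AND ".join(clauses)


# Constructed sample group: two VLAN filters and one User Role filter.
GROUP = [("VLAN", 10), ("VLAN", 20), ("User Role", "guest")]

# Constructed sample events.
EVENTS = [
    {"vlan_id": 10, "application": "http", "user_role": "guest"},     # matches
    {"vlan_id": 20, "application": "smtp", "user_role": "guest"},     # matches
    {"vlan_id": 10, "application": "http", "user_role": "employee"},  # role fails
    {"vlan_id": 30, "application": "http", "user_role": "guest"},     # VLAN fails
]

if __name__ == "__main__":
    print(explain(GROUP))
    for ev in EVENTS:
        print(group_matches(GROUP, ev), ev)
```

Adding a second filter of an existing type widens what the group matches, while adding a filter of a new type narrows it.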
Exporting the Database
The Database Export feature allows you to export Visualization data that includes user details, user application usage details, flow data, Layer 7 data, devices and corresponding ports details.
Table 47 Export Database Settings
Setting Name | Description
Database URL | URL for the database to which you want to export.
Username | Name for the user authenticated to perform the database export.
Password | Password associated with the username.
Interval | Use the dropdown list to specify a time interval for the database export.
Purging the Database
Database purge performs a cleanup of user data, application usage details, flow and Layer 7 data.
To clean up or purge the database:
1 Select Tools > Server Settings. The Edit Server Settings screen displays.
2 Select the Purge Database tab (Figure 122).
Figure 122 Edit Server Settings - Purge Database
3 Select the Enable checkbox to enable the database purge. The checkbox is selected as the default.
Backing Up the Database
The Database Backup feature allows you to back up Visualization data that includes user details, user application usage details, flow data, Layer 7 data, devices and corresponding ports details and any generated reports. You may want to back up your database periodically to protect its integrity or for historical purposes.
4 Click Backup Now to back up the database immediately. The bottom-half of the screen (Last Action Status) shows the status of the last backup or if you used Backup Now, the status of the current backup.
5 Click OK to apply the settings.
Deleting backed up directories
OmniVista SafeGuard Manager server keeps track of the backup destination directories. You can either delete these directories or use them for restoring the database.
Restoring the Database
You can restore data from a previously backed up directory.
To restore the database:
1 Select Tools > Server Settings. The Edit Server Settings screen displays.
2 Select the Restore Database tab (Figure 124).
Figure 124 Edit Server Settings - Restore Database
3 From the Select/Enter Restore Directory dropdown list, select an existing backup directory or enter a new directory.
Mailing Malware and Report Notifications
The OmniVista SafeGuard Manager server has emailing capabilities that allow the administrator to set up the mailer such that automatic email notifications are sent to a specified user/administrator. The following two types of data events automatically trigger an email notification:
■ when malware incidents are detected
■ when reports are generated
To set up the mailer:
1 Select Tools > Server Settings.
3 Specify the settings as follows:
Table 49 Mailer Settings
Setting Name | Description
Mailer:
Enable | Select the Enable checkbox to make sure that the mailer is enabled.
From Email Address | Email address of the server administrator.
SMTP Server | URL for the SMTP server.
Malware:
Enable Malware Notification | Select the Enable Malware Notification checkbox if you want to send automatic email notifications upon malware detection.
Periodic Tasks
OmniVista SafeGuard Manager allows you to configure device health statistics collection interval and enable or disable statistics data collection.
To enable statistics data collection:
1 Select Tools > Server Settings. The Edit Server Settings screen displays.
2 Select the Periodic Tasks tab (Figure 126).
6 Click OK to apply the settings.
NOTE: Statistics are collected only for active devices. If a device is deleted, all associated statistics are deleted from the device health table. For more information on viewing device health and statistics, see Device Health.
General
The General tab in the Server Settings allows you to set free disk space thresholds and import image version matrix.
4 Click Import Image Version Matrix if you want to import the image version and bootloader compatibility matrix.
5 From the dropdown list, select a Free Disk Space Warning Threshold.
6 Select an action for Critical Threshold. Valid choices are Purge Data and Stop Server.
7 Specify an Unprocessed Flow and Layer7 Data Threshold.
8 If you want to use only internal destinations for the dashboard, select this checkbox.
Chapter 8 Audit Logs and Statistics
This section includes the following:
■ Audit Logs
■ Device Health
■ Server Health
Audit Logs
OmniVista SafeGuard Manager provides logs that indicate who did what and when and on which device. These logs are for user and device operations and can be helpful for auditing purposes. You can choose to view these log entries by time, status, or category. Audit log does not log any debugging log messages.
To view audit logs:
1 Click the Audit Log icon in the Page Bar. The Audit Logs screen displays (Figure 128).
Table 50 Audit Log Attributes
Attribute | Description
System/Device | Provides the context of the operation.
User | User ID.
Short Message | Brief message description of the log.
3 In the details panel, you can view the details of the message logged in by the operation.
4 Click Print in the Action Bar to print the log data or click Export to export the log into a CSV format.
— Delete visualization records
— Delete device
— Manage or unmanage a device
— Communication status change (SNMP, ICC, CLI/GSOAP)
■ Reports
— Definition: Add/Modify/Delete
— Schedule: Add/Modify/Delete
— Report generation
— Report email
■ Dashboards
— Configuration change
Device Health
OmniVista SafeGuard Manager allows you to collect, view, and store statistics relating to device health. These statistics are helpful in analyzing each device’s performance and its current connections. Administrators can use this drill-down capability to view device CPU and memory performance, fan or power failure, and any device operation success or failure messages.
Viewing Device Health Statistics
To view device health:
1 From the Config Management view, click on the Device Health Statistics node in the navigation tree, or from the Page Bar, select Other Actions > Show Device Health. The Device Health Statistics screen displays (Figure 129).
Figure 129 Device Health Statistics
2 The following statistics are displayed:
Table 51 Device Health Statistics
Attribute | Description
Timestamp | Time the statistics were collected.
Table 51 Device Health Statistics (continued)
Attribute | Description
Fan 1 Speed - Fan 6 Speed | Speed of the various fans from fan 1 to fan 6.
Power Supply 1 | Status of the primary power supply.
Power Supply 2 | Status of the secondary power supply.
Message | Message relating to the device operation performed.
These values are collected periodically from each device and stored in the database.
3 Specify times in the Time Range field to view statistics for a specific time.
Server Health
OmniVista SafeGuard Manager allows you to collect, view, and store statistics relating to server health. These statistics are helpful in analyzing server performance. Administrators can use this drill-down capability to view server CPU and memory performance, OmniVista SafeGuard Manager client connections, Layer 7 events, and any application or flows processed.
Viewing Server Health Statistics
You can choose to view server health statistics over a specific period of time or the most recent values available.
To view server health statistics:
1 Click the Statistic View icon in the page bar.
2 The OmniVista SafeGuard Manager Server Health screen displays (Figure 130).
Table 52 Server Health Statistics
Attribute | Description
Total Memory (MB) | Total memory in MB on the server.
Total JVM Memory (MB) | Memory allocated to Java Virtual Machine (JVM).
Application Flow Events | Number of application flow events processed in the specified time.
Layer 7 Events | Number of layer 7 events processed in the specified time.
CPU Usage (%) | Percentage of CPU being used on the server.