Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

ServerIron ADX Security Guide 187
53-1002440-03
SSL debug and troubleshooting commands
This section describes SSL debug and troubleshooting commands.
Diagnostics
You can run diagnostic tests on the SSL hardware devices to verify that they function properly. Do not
run the diagnostic tests while SSL traffic is being processed, and reload the system after the
diagnostic test-suite has completed. The diagnostic test-suite can be initiated from the MP or from
individual BPs.
To run diagnostics from the MP:
ServerIronADX# ssl diag <BP-slot> <BP-cpu>
<BP-slot> and <BP-cpu> identify the BP on which the diagnostic test-suite is run. The command
produces output of the following form:
SSL chip 1: All diag tests PASSED
SSL chip 2: All diag tests PASSED
…
SSL: Diags PASSED
This command runs all diagnostic tests on all SSL hardware modules and logs, in brief, whether the
tests passed or failed.
If additional information is needed, run the diagnostic tests from any BP; detailed information is
then logged on that BP's console.
To run diagnostics from the BP:
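As an added example that is not part of the manual or of the ServerIron software, the following Python parser reads the MP-side ssl diag output shown above so that a health-check script can fail on any chip that did not pass, or on a truncated transcript that lacks the final summary line. The FAILED line shapes and the sample transcripts are assumptions, since the manual only shows PASSED lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes taken from the manual's sample "ssl diag" output. The manual only
# shows PASSED lines; the FAILED variants matched here are an assumption.
CHIP_RE = re.compile(r"^SSL chip (\d+): All diag tests (PASSED|FAILED)$")
SUMMARY_RE = re.compile(r"^SSL: Diags (PASSED|FAILED)$")


@dataclass
class DiagResult:
    chips: Dict[int, bool] = field(default_factory=dict)  # chip id -> passed?
    summary: Optional[str] = None  # "PASSED", "FAILED", or None if the line is missing


def parse_ssl_diag(output: str) -> DiagResult:
    """Parse the MP-side 'ssl diag' output into per-chip and overall results."""
    result = DiagResult()
    for raw in output.splitlines():
        line = raw.strip()
        m = CHIP_RE.match(line)
        if m:
            result.chips[int(m.group(1))] = m.group(2) == "PASSED"
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result.summary = m.group(1)
    return result


def failed_chips(result: DiagResult) -> List[int]:
    """Chip ids whose per-chip line reported FAILED, in ascending order."""
    return sorted(cid for cid, ok in result.chips.items() if not ok)


def healthy(result: DiagResult) -> bool:
    """True only when at least one chip was reported, none failed, and the
    final summary line is present and PASSED. A truncated transcript without
    the summary is treated as not healthy rather than as a pass."""
    return bool(result.chips) and not failed_chips(result) and result.summary == "PASSED"


# Constructed sample transcripts, not captured from a real device.
SAMPLE_OK = "SSL chip 1: All diag tests PASSED\nSSL chip 2: All diag tests PASSED\nSSL: Diags PASSED\n"
SAMPLE_BAD = "SSL chip 1: All diag tests PASSED\nSSL chip 2: All diag tests FAILED\nSSL: Diags FAILED\n"
SAMPLE_TRUNCATED = "SSL chip 1: All diag tests PASSED\n"
```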
SSL operations submitted to the hardware can be run in two modes, blocking and non-blocking. In
blocking mode the CPU polls for the result after submitting the operation to the hardware; in
non-blocking mode the CPU receives a callback once the operation has completed. The default mode is
blocking. To change the mode:
ServerIronADX1/1# ssl bp-diag mode [ blocking | non-blocking ]
There are multiple SSL devices in the system. The default module is the first module (0). To select a
specific module:
ServerIronADX1/1# ssl bp-diag module <SSL device ID [0...5]>
SSL operations submitted to the hardware can also be in one of two data modes, direct and
scatter-gather. In direct mode the data for any input/output variable is in one contiguous location; in
scatter-gather mode the data for any input/output variable can come from multiple non-contiguous
blocks. The default mode is direct. To enable or disable scatter-gather:
ServerIronADX1/1# ssl bp-diag scatter-gather [ enable | disable ]
The ssl bp-diag command accepts one of the following test selections:
ServerIronADX1/1# ssl bp-diag
  all              All diagnostic tests
  crypto-3des      Crypto 3DES Test
  crypto-aes       Crypto AES Test
  crypto-hmac      Crypto HMAC Test
  crypto-mod-ex    Crypto Mod-Ex Test
  crypto-rc4       Crypto RC4 Test
  key-mem          Key Memory Test
  load-ucode       Load Microcode Test
  random-num       Random Number Generator Test
  read-write-regs  Read Write Registers Test