Nokia Firewall
Device Management
Supports Management Module SM-NOK1000
D e v i c e M a n a g e m e n t Page 2 N o k i a F i r e w a l l
Copyright Notice
Document 9035001-01. Copyright © September 2001 Aprisma Management Technologies, Inc., 121 Technology Drive, Durham, NH 03824 USA. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.
Liability Disclaimer
Aprisma Management Technologies, Inc. (“Aprisma”) reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made.
The hardware, firmware, or software described in this manual is subject to change without notice.
IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.
Trademark, Service Mark, and Logo Information
SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to http://www.aprisma.com/manuals/trademark-list.htm.
All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to [email protected]; we will do our best to help.
Restricted Rights Notice
(Applicable to licenses to the United States government only.)
This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III (g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013 (c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc., 121 Technology Drive, Durham, NH 03824. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.
Virus Disclaimer
Aprisma makes no representations or warranties to the effect that the licensed software is virus-free.
Aprisma has tested its software with current virus-checking technologies. However, because no anti-virus system is 100 percent effective, we strongly recommend that you write-protect the licensed software and verify (with an anti-virus system in which you have confidence) that the licensed software, prior to installation, is virus-free.
Contact Information
Aprisma Management Technologies, Inc.
121 Technology Drive
Durham, NH 03824
Phone: 603.334.2100
U.S. toll-free: 877.468.1448
Web site: http://www.aprisma.com
Contents
INTRODUCTION 4
  Purpose and Scope 4
  Required Reading 4
  Supported Devices 5
  The SPECTRUM Model 5
TASKS 8
DEVICE VIEW 9
  Interface Icons 10
  Interface Icon Subviews Menu 11
  Interface Status View 11
  Secondary Address Panel 12
DEVICE TOPOLOGY VIEWS 13
  Device Topology View 13
APPLICATION VIEWS 14
  Application Icons 15
  Supported Applications 15
    Common Applications 15
    Device Specific Applications 17
  Checkpoint Application 17
    Firewall Information View 17
  RateShape Application 18
    RateShape Performance View 18
      Rule Status Table View 18
      Aggregation Class Status Table View 19
  Virtual Router Redundancy Protocol (VRRP) Application 20
PERFORMANCE VIEWS 21
  Device Performance View 22
  Port Performance View 22
CONFIGURATION VIEWS 23
  Device Configuration View 23
  Interface Configuration View 24
  IPSO Configuration View 24
    IPSO Additional Configuration View 26
  RateShape Configuration View 26
    Rule Table View 27
    Aggregation Class Table View 28
    VRRP Configuration View 29
MODEL INFORMATION VIEWS 33
INDEX 34
Introduction
This section introduces SPECTRUM Device Management documentation for the Nokia Firewall series of devices.
This introduction contains the following topics:
• Purpose and Scope
• Required Reading
• Supported Devices (Page 5)
• The SPECTRUM Model (Page 5)
Purpose and Scope
Use this documentation as a guide for managing Nokia Firewall devices with the SPECTRUM management module SM-NOK1000. This documentation describes the icons, menus, and views that enable you to remotely monitor, configure, and troubleshoot Nokia Firewall devices through software models in your SPECTRUM database.
This documentation consists primarily of information specific to the supported management module. For general information about device management using SPECTRUM, and for explanations of basic SPECTRUM functionality, refer to the documentation listed under Required Reading.
Required Reading
Before using this document, you should be familiar with the information provided in the following documentation:
• Getting Started with SPECTRUM for Operators
• Getting Started with SPECTRUM for Administrators
• How to Manage Your Network with SPECTRUM
• SPECTRUM Views
• SPECTRUM Icons
• SPECTRUM Menus
Supported Devices
SPECTRUM management module SM-NOK1000 currently allows you to model several different types of Nokia Firewall devices. These include the following:
IP330 - This device supports a comprehensive suite of IP-routing functions and protocols, including RIPv1/RIPv2, IGRP, OSPF and BGP4 for unicast traffic, and DVMRP for multicast traffic. The integrated router functionality eliminates the need for separate intranet and access routers in security applications.
IP440 - In addition to offering complete security-application software functionality and network services such as frame relay and routing, the 19" rack-mountable Nokia IP440 supports up to 16 physical interfaces. It includes four PCI slots with a wide range of interface card options, including high-density 10/100 Ethernet, V.35/X.21, T1, and more. As a networking device, the IP440 supports a comprehensive suite of IP-routing protocols: RIPv1/RIPv2, IGRP, OSPF and BGP4 for unicast traffic, and DVMRP for multicast traffic.
IP650 - This carrier-class firewall supports a comprehensive suite of IP-routing functions and protocols, including RIPv1/RIPv2, IGRP, OSPF and BGP4 for unicast traffic, and DVMRP for multicast traffic. Its integrated router functionality eliminates the need for separate intranet and access routers in security applications. Featuring front access and five standard Compact PCI I/O slots for interface cards, the rack-mountable IP650 is 19" wide and 2RU high. A variety of connectivity options are available: high-density 10/100 Ethernet, high-speed ATM or HSSI, and wide area network interfaces such as V.35/X.21 and T-1.
The SPECTRUM Model
SPECTRUM uses a single model type for modeling the supported Nokia Firewall devices. This model type is NokiaFW. This model is represented in SpectroGRAPH views by Device icons. As shown in Figure 1, the appearance of the Device icon varies depending on the view in which it appears.
Figure 1: Device Icon
[Figure: small and large Device icons showing the labels Model Name, XYZ_Mxxx, and IP440.]
Small Device icon appears in Topology and Application views.
Large Device icon appears in Device Topology, Location, and Device Interface views.
Device icons provide access to the views, subviews, and tables that let you manage the modeled device. Figure 2 shows the model-specific portion of the Icon Subviews menu for an IP440 Device icon in a Topology view. The views listed below are accessible directly from this menu and are described individually in subsequent sections of this documentation.
• Device View (Page 9)
• Device Topology Views (Page 13)
• Application Views (Page 14)
• Performance Views (Page 21)
• Configuration Views (Page 23)
• Model Information Views (Page 33)
The device-specific Icon Subviews menu options available from the Device icon are listed below.
Option                 Accesses the...
Fault Management       For further information refer to How to Manage Your Network with SPECTRUM documentation.
Device                 Device View (Page 9)
Device Topology        Device Topology Views (Page 13)
Application            Application Views (Page 14)
Configuration          Configuration Views (Page 23)
Model Information      Model Information Views (Page 33)
Primary Application    Menu options that let you select either Gen Bridge App or MIB-II as the primary application.
Figure 2: Device Icon Subviews Menu Options
[Figure: Icon Subviews menu for the IP440 Device icon, listing Device, DevTop, Application, Configuration, Fault Isolation, Model Information, and Primary Application (with a submenu arrow).]
Tasks
This section identifies various management and troubleshooting tasks that can be performed for models of Nokia Firewall devices using the views, icons, and labels referenced within this document.
Application Information (examine)
• Application Views (Page 14)
Device (configure)
• Configuration Views (Page 23)
Device Performance (monitor)
• Device View (Page 9)
• Device Performance View (Page 22)
File Transfer (initiate/examine)
• Firewall Information View (Page 17)
Interface Mask and Address (examine)
• Secondary Address Panel (Page 12)
IPSO Configuration (configure)
• IPSO Configuration View (Page 24)
Model Information (examine)
• Model Information Views (Page 33)
Port Configuration (examine/modify)
• Interface Icons (Page 10)
• Device Configuration View (Page 23)
A Port (examine/enable/disable)
• Interface Status View (Page 11)
Port Statistics (monitor)
• Performance Views (Page 21)
RateShape Configuration (configure)
• RateShape Configuration View (Page 26)
Virtual Router Configuration (configure)
• VRRP Configuration View (Page 29)
Device View
This section describes the Device view and subviews available for models of Nokia Firewall devices in SPECTRUM.
Access: From the Icon Subviews menu for the Device icon, select Device.
This view (Figure 3) uses icons and labels to represent the device and its components, such as modules, ports, and applications. The view provides dynamic configuration and performance information for each of the device’s serial and network I/O ports, which are represented by Interface icons in the bottom panel of the view. The middle panel of the view displays a Device icon, which lets you monitor the device operation and access other device-specific views.
Figure 3: Device View
[Figure: Device view window. The banner shows the Model Name, Contact, Description, Location, Network Address, Primary Application, Sys Up Time, Manufacturer, Device Type, and Serial Number fields. Callouts identify the Interface Options Panel (Filter and Interface Description), the Device Icon, and the Interface Icons.]
Interface Icons
Figure 4 shows a close-up of an Interface icon from the Device view. Most of the informational labels on the icon also provide double-click access to other views, as explained in the following label descriptions.
Figure 4: Interface Icon
[Figure: Interface icon with callouts a through f.]
a Interface Number Label
b IF Status Label
c Interface Type Label
d Network Type Label
e Physical Address Label
f IP Address Label
Interface Number Label
This label displays the interface (port) number.
IF Status Label
This label displays the current status of the interface for the primary application selected, e.g., Gen Rtr App or MIB-II App. Table 1 lists the possible label color representations. Note that the color of the label also depends on the interface’s current Administrative Status, which you set in the Interface Status View (Page 11). This view can be accessed by double-clicking the label.
Interface Type Label
This label identifies the interface type (Ethernet, ATM, etc.). Double-click this label to access the Interface Configuration View (Page 24).
Table 1: Interface Status Label Colors
Color     Operational Status    Administrative Status    Label Text
Green     up                    up                       ON
Blue      down                  down                     OFF
Yellow    down                  up                       OFF
Red       testing               testing                  TEST
Network Type Label
This label identifies the type of network to which the interface is connected. Double-click the label to open the Model Information view for the interface.
Physical Address Label
This label displays the physical (MAC) address of the interface. Double-click this label to open the IF Address Translation Table.
IP Address Label
This label displays the IP address for the interface. Double-click this label to open the Secondary Address Panel (Page 12), which lets you change the address and mask for the interface.
Interface Icon Subviews Menu
Table 2 lists the device-specific interface Icon Subviews menu options and the views to which they provide access.
Table 2: Interface Icon Subviews Menu
Option                          Accesses the...
Detail                          Interface Detail view, which displays packet, error, and discard breakdown statistics for the interface.
IF Status                       Interface Status View (Page 11).
IF Configuration                Interface Configuration View (Page 24).
IF Address Translation Table    Interface Address Translation Table, which identifies the physical and network address for the interface.
Secondary Address Panel         Secondary Address Panel (Page 12).
Thresholds                      Interface Threshold view, which lets you set the on/off alarm thresholds for load, packet rate, error rate, and % discarded for the interface.
Model Information               Model Information Views (Page 33).
Interface Status View
Access: From the Icon Subviews menu for the Interface icon in the Device view, select IF Status.
This view provides information on the operational status of the interface and allows you to enable or disable the port.
Operational Status: The current state of the interface (Up, Down, Unknown, Dormant, Not Present, Lower Layer Down, or Testing).
Administrative Status: This button allows you to select the desired administrative state of the interface (On, Off, or Testing).
Secondary Address Panel
Access: From the Icon Subviews menu for the Interface icon in the Device view, select Secondary Address Panel.
This panel provides a table of IP addresses and masks obtained from the Address Translation table within the device’s firmware. You can change the current address displayed in the IP Address field by selecting an entry from the table in this panel and clicking the Update button.
Device Topology Views
This section provides brief descriptions of the Device Topology views available for models of Nokia Firewall devices.
Device Topology views show the connections between a modeled device and other network entities. There is one Device Topology view available for Nokia Firewall devices:
• Device Topology View
Device Topology View
Access: From the Icon Subviews menu for the Device icon, select DevTop.
The lower panel of the Device Topology view (Figure 5) uses interface icons to represent the device’s serial/network I/O ports. These icons provide the same information and menu options as those in the Device View. If there is a device connected to a particular interface, a device icon appears on the vertical bar above the interface icon.
Figure 5: Device Topology View
[Figure: Device Topology view window. Interface icons (Ethernet and ATM examples) appear in the lower panel, with a Device icon and a graphic of the device above them.]
Application Views
This section describes the main Application view and the associated application-specific subviews available for models of Nokia Firewall devices.
Access: From the Icon Subviews menu for the Device icon, select Application.
When a device is modeled, SPECTRUM automatically creates models for each of the applications supported by the device. The Application view displays these models (as Application icons), shows their current status, and provides access to application-specific subviews.
Figure 6 is an example of an Application view in its default mode (Icon) where each of the application models is represented by an Application icon. The Application icons are arranged hierarchically under a Device icon, with major applications in the top row and their respective minor applications stacked directly below.
You can also see the applications displayed by name only, in list format, by selecting View > Mode > List.
Figure 6: Application View
[Figure: SpectroGRAPH Application view window. The banner shows the Model Name, Contact, Description, Location, Network Address, System Up Time, Manufacturer, Device Type, and Serial Number fields above a Device icon and its Application icons.]
Application Icons
When the Application view is in Icon mode, each of the application models is represented by an Application icon (Figure 7). Double-clicking the Model Name label (a) at the top of the icon opens the associated Model Information view; see Model Information Views (Page 33). For some applications, the Model Type label (c) at the bottom of the icon is also a double-click zone, which opens an application-specific view. Any views accessible through these double-click zones are also accessible from the Application icon’s Icon Subviews menu.
Figure 7: Application Icon
[Figure: Application icon with callouts (a), (b), and (c).]
a Model Name Label / Model Information View
b Condition Status Label
c Model Type Label / Application-Specific View
Supported Applications
SPECTRUM’s applications can be grouped within two general categories as follows:
• Applications associated with nonproprietary MIBs. See Common Applications below.
• Applications associated with device-specific MIBs. See Device Specific Applications (Page 17).
Common Applications
For the most part, these applications represent the nonproprietary MIBs supported by your device. Listed below (beneath the title of the SPECTRUM document that describes them) are some of the common applications currently supported by SPECTRUM. Nokia Firewall devices support both common and device-specific applications.
Note: The documents listed below (in bold font) are available for viewing at: www.aprisma.com/manuals/
• Routing Applications
  - Generic Routing
  - Repeater
  - AppleTalk
  - DECnet
  - OSPF
  - OSPF2
  - BGP4
  - VRRP
• Bridging Applications
  - Ethernet Special Database
  - Spanning Tree
  - Static
  - Transparent
  - PPP Bridging
  - Source Routing
  - Translation
  - QBridge
• MIB II Applications
  - SNMP
  - IP
  - ICMP
  - TCP
  - System2
  - UDP
• Transmission Applications
  - FDDI
  - Point to Point
  - DS1
  - DS3
  - RS-232
  - WAN
  - Frame Relay
  - Token Ring
  - Ethernet
  - Fast Ethernet
  - rfc1317App
  - rfc1285App
  - rfc1315App
  - 802.11App
  - SONET
• Technology Applications
  - APPN
  - ATM Client
  - DHCP
  - PNNI
  - rfc1316App
  - DLSw
Device Specific Applications
The views and subviews available for Nokia Firewall device-specific applications are described in the rest of this section.
• Checkpoint Application
• RateShape Performance View (Page 18)
• Virtual Router Redundancy Protocol (VRRP) Application (Page 20)
Checkpoint Application
This major application (model type CheckpointApp) provides access to the following application-specific subview:
• Firewall Information View
Firewall Information View
Access: From the Icon Subview menu for the CheckpointApp application, select Firewall.
This view contains the following information:
General Information
This section of the Firewall Information view provides the following information:
Product: Firewall-1 product.
Module State: The state of the module.
Last SNMP FW Event: The last SNMP trap sent via “fw”.
Major Version: Firewall-1 major version.
Minor Version: Firewall-1 minor version.
Filter Information
This section of the Firewall Information view provides the following information:
Name: The name of the loaded filter.
Date: The date the filter was installed.
Packet Information
This section of the Firewall Information view provides the following information:
Accepted Packets: The number of accepted packets.
Rejected Packets: The number of rejected packets.
Dropped Packets: The number of dropped packets.
Logged Packets: The number of logged packets.
RateShape Application
This major application (model type NkIpsoRateApp) provides access to the following application-specific subviews:
• IPSO Configuration View (Page 24)
• RateShape Configuration View (Page 26)
• RateShape Performance View (Page 18)
RateShape Performance View
Access: From the Icon Subviews menu for the NkIpsoRateApp application, select RateShape Performance.
This view displays the Access List Status Table, which provides the following information:
ifIndex: Identifies the MIB-II interface which this access list stat entry is responsible for.
Index: A unique value identifying this table entry.
Direction: The data source for this access list.
Pkts Passed: Number of packets successfully exiting this access list.
Bytes Passed: Number of bytes successfully exiting this access list.
Rules: Clicking this button opens the Rule Status Table View.
Aggregation Class: Clicking this button opens the Aggregation Class Status Table View (Page 19).
Rule Status Table View
Access: From the RateShape Performance view, click the Rules button.
This view provides the following information:
ifIndex: A unique value corresponding to the interface to which this rule is applied.
Index: The “rsRuleIndex” value of the rule this entry describes.
Direction: The data source for this rule.
Drop Pkts: The number of packets that exceeded this rate limit.
Drop Octets: The number of bytes that exceeded this rate limit.
Pkts Passed: Number of packets successfully exiting this rule.
Bytes Passed: Number of bytes successfully exiting this rule.
Aggregation Class Status Table View
Access: From the RateShape Performance view, click the Aggregation Class button.
This view provides the following information:
ifIndex: The value of “ifIndex” which corresponds to the interface for which this aggregation class handles tokens.
Index: A unique value identifying this entry in the table.
Direction: The data source for this aggregation class.
Shaped Pkts: The number of packets shaped by this rate limit.
Shaped Octets: The number of octets shaped by this rate limit.
Enqueued Pkts: The number of packets enqueued by this rate limit.
Enqueued Octets: The number of packets enqueued by this rate limit.
Dropped Pkts: The number of packets which exceeded this rate limit.
Dropped Octets: The number of octets which exceeded this rate limit.
Pkts Passed In: The number of packets passed in successfully exiting this aggregation class.
Pkts Passed Out: The number of packets passed out successfully exiting this aggregation class.
Bytes Passed In: The number of bytes passed in successfully exiting this aggregation class.
Bytes Passed Out: The number of bytes passed out successfully exiting this aggregation class.
Virtual Router Redundancy Protocol (VRRP) Application
This major application (model type rfc2338App) provides access to the following application-specific subview:
• VRRP Configuration View (Page 29)
Performance Views
This section provides brief descriptions of the Performance views available for the Nokia Firewall devices in SPECTRUM.
Performance views display performance statistics in terms of a set of transmission attributes, e.g., cell rates, frame rates, % error, etc. A typical view is shown in Figure 8. The instantaneous condition of each transmission attribute is recorded in a graph. The statistical information for each attribute is presented in the adjacent table.
Generally, you determine performance at the device level through Performance views accessed from the Device and Application icons. You determine performance at the port/interface level through Performance views accessed from Interface icons.
For more information on Performance views, refer to the SPECTRUM Views documentation.
The following paragraphs list the performance attributes displayed for each Performance view supported by this management module.
Figure 8: Performance View
[Figure: SpectroGRAPH Performance view window. A graph with a Log scale is shown beside a table with Value, Average, and Peak Value columns for Frame Rate (frames per second), % Delivered, % Forwarded, % Transmit, % Error, and % Discarded. Buttons: Detail, Graph Properties, and Scroll to Date-Time.]
Device Performance View
Access: From the Icon Subviews menu for the Device icon, select Performance.
Current and historical frame transmission information is provided via the following attributes.
• Frame Rate
• % Delivered
• % Forwarded
• % Transmit
• % Error
• % Discarded
Port Performance View
Access: From the Icon Subviews menu for the Device Interface icon, select Performance.
Current and historical packet transmission information is provided via the following attributes.
• Load
• Packet Rate
• % Error
• % Discarded
Configuration Views
This section describes the various Configuration views and subviews available for models of Nokia Firewall devices.
Configuration views allow you to view and modify current settings for the modeled device and its interfaces, ports, and applications. The following Configuration views are available for models of Nokia Firewall devices:
• Device Configuration View
• Interface Configuration View (Page 24)
• IPSO Configuration View (Page 24)
• RateShape Configuration View (Page 26)
Device Configuration View
Access: From the Icon Subviews menu for the Device icon, select Configuration.
This view (Figure 9) provides status and configuration information about the device as a whole as well as on a port-by-port basis. It also provides button access to the Interface Address Translation View and a subview that lets you establish redundancy for the model. Fields and column headings within the Device Configuration view and its subviews are explained in detail in SPECTRUM Views.
Figure 9: Device Configuration View
[Figure: SpectroGRAPH Device Configuration view window. The banner shows the Name, Contact, Description, Location, Network Address, Primary Application, System Up Time, Manufacturer, Device Type, and Serial Number fields. The view shows Contact Status, Number of Interfaces, and an Interface Configuration Table with Index, Description, Type, Bandwidth, Physical Address, and Operation Status columns. Buttons: Print, Interface Address Translation, and Redundancy and Model Reconfiguration Options.]
Interface Configuration View
Access: From the Icon Subviews menu for a selected Interface icon, select IF Configuration.
This view provides the following information for the selected interface:
Operation Status: The current operational state of the interface. Possible values are: up, down, testing, and unknown.
Admin. Status: The desired operational state of the interface. Possible values are: up, down, or testing.
Last Change: The “System UpTime” value when the interface entered its current operational state.
IP Address/Network Mask: This window provides a list of the user-defined IP addresses and network masks for the interface.
Physical Address: The Ethernet (MAC) address of the interface.
Bandwidth: The estimated bandwidth of the interface, measured in bits per second. For interfaces that do not vary in bandwidth, or for which no accurate estimate can be made, a nominal bandwidth is provided.
Packet Size: The largest packet that can be transmitted or received by the port, displayed in octets.
Queue Length: The length of the outbound packet queue, in packets.
IPSO Configuration View
Access: From the Icon Subviews menu for the NkIpsoRateApp application, select Configuration.
This view provides the following information:
Card
This area of the IPSO Configuration View provides the following information:
Index: The number of the slot in which this card is plugged.
Status: The operational status of this card. Possible values are: enabled or disabled.
Type: The “ifType” value for any interface(s) on this card. Please refer to RFC 1213.
Config
This area of the IPSO Configuration View provides the following information:
Index: The index for this configuration, with 1 representing the currently running database and traversing from newest to oldest.
File Path: The absolute pathname and filename that holds a record of this configuration.
Date/Time: The date and time this file was last changed.
Log Table
This section of the IPSO Configuration View provides the following information on the most recent configuration changes to the system:
Index: The unique index of this configuration change entry.
Description: A description of the nature of the configuration change.
Serial Number: The serial number of this device.
SIMM Total: The total memory capacity, in megabytes, contained in the SIMM sockets.
MB Type: The type of motherboard populating this device.
MB Rev Number: A string value representing the type of motherboard populating this device.
MB Serial Number: The serial number of the motherboard.
Log Size: A maximum limit on the number of entries which may be recorded in the Log Table.
Additional Configuration: Clicking this button opens the IPSO Additional Configuration View (Page 26).
IPSO Additional Configuration View
Access: From the IPSO Configuration View, click the Additional Configuration button.
This view provides the following information:
Fan
This area of the IPSO Additional Configuration View provides the following information:
Index: A unique value representing this particular fan.
Status: The operational status of this fan. Possible values are: running and notRunning.
Power
This area of the IPSO Additional Configuration View provides the following information:
Index: A unique value representing this power supply.
Temperature: An indication of whether or not this power supply’s internal temperature is over the recommended operation temperature limit. Possible values are: normal and overTemperature.
Oper Status: The operational status of this power supply. Possible values are: running and notRunning.
Image
This area of the IPSO Additional Configuration View provides the following information on resident kernel images on this system:
Index: A unique value for the image represented by this entry.
Version No.: The version number of this image.
Serial No.: The serial number of this image.
Time of Load: The date and time when this image was first transferred onto this device.
RateShape Configuration View
Access: From the Icon Subviews menu for the NkIpsoRateApp application, select RateShape Config.
This view displays the Access List table, which provides the following information:
ifIndex: The “ifIndex” of the MIB-II interface for which this access list entry is responsible.
Index: A unique value identifying this Access List.
Direction: The data source for this access list.
Name: A unique descriptor for this access list.
Row Status: The current status of this access list. Possible values are: active, notInService, notReady, createAndGo, createAndWait, and destroy.
Add New Access List: Clicking on this button opens the Access List Add View, which enables you to create an Access List within the Access List Table by entering an instance and then selecting its desired status.
Rules: Clicking this button opens the Rule Table View.
Aggregation Class: Clicking this button opens the Aggregation Class Table View (Page 28).
Rule Table View
Access: From the RateShape Configuration view, click on the Rules button.
This view provides the following information:
ifIndex: The “ifIndex” of the MIB-II interface for which this access list entry is responsible.
Index: An arbitrary value for rate limit objects.
Direction: The data source for the Rate Limit object.
TOS: The TOS field of the type of packet which this rule governs.
Action: The forwarding Action associated with this rule. Possible values are: drop, accept, reject, condition, and skip.
Src Addr: The source IP address for this rule.
Src Addr Mask: The mask of the source address for this rule.
Dest Addr: The destination IP address for this rule.
Dest Addr Mask: The mask of the destination address for this rule.
Protocol: The number of the IP protocol that this rule applies to.
Src Start Port: The start of the source range of port number(s) of the IP protocol for this rule.
Src End Port: The end of the source range of port number(s) of the IP protocol for this rule.
Dest Start Port: The start of the destination range of port number(s) of the IP protocol for this rule.
Dest End Port: The end of the destination range of port number(s) of the IP protocol for this rule.
Agg Class Index: The index to the aggregation class (queue) if the value of Action is enqueue.
Established: Indicates whether this rule is effective on previously-established TCP connections.
Row Status: The current status of this rule. Possible values are: active, notInService, notReady, createAndGo, createAndWait, and destroy.
Aggregation Class Table View
Access: From the RateShape Configuration view, click on the Aggregation Class button.
This view provides the following information:
ifIndex: The value of “ifIndex” which corresponds to the first interface for which this aggregation class handles tokens.
Index: The unique value identifying this aggregation class (queue).
Direction: The data source for this aggregation class.
Name: A description of this aggregation class.
Mean Rate: The peak bandwidth when Burst Rate and Burst Duration are not set. When mean rate and burst duration are set, the mean rate specifies the long-term rate which the packet stream will be shaped to, but the packet stream can burst above that rate, with no penalty, for as long as the burst duration specifies.
Burst Rate: The maximum burst peak rate in kilobits per second before being shaped. This value is obsolete and will no longer be supported.
Burst Duration: The number of milliseconds this aggregation class needs to transmit Burst Rate. If this is not set to a non-zero value, Mean Rate is the peak rate.
Row Status: The current status of this aggregation class. Possible values are: active, notInService, notReady, createAndGo, createAndWait, and destroy.
VRRP Configuration View
Access: From the Icon Subviews menu for the rfc2338App application, select Configuration.
This view provides the following information:
Node Version: The particular version of the VRRP supported by this node.
Trap Control: Indicates whether the VRRP-enabled router will generate SNMP traps for events defined in this MIB.
Packet Source: The IP address of an inbound VRRP packet.
Authorization Error Type: Potential types of configuration conflicts. Possible values are: invalidAuthType, authTypeMismatch, and authFailure.
VRRP Operations Table
This area of the VRRP Configuration view contains the following information:
Index: The Virtual Router Identifier.
Virt MAC Address: The virtual MAC address of the virtual router. This is derived as follows: 00-00-5E-00-01-<VRID>, where the first three octets consist of the IANA’s OUI; the next two octets indicate the address block of the VRRP protocol; and the remaining octets consist of the VRID.
State: The mandatory state of the virtual router. Possible values are described in Table 3.
Admin State: This value will enable/disable the virtual router function. Setting the value to up will transition the state of the virtual router from initialize to backup or master; setting the value to down will transition the router from master or backup to initialize. State transitions may not be immediate; they sometimes depend on other factors, such as the interface (IF) state.
Pri: This value specifies the priority to be used for the virtual router master election process. Higher values imply higher priority. A priority of ’0’, although not settable, is sent by the master router to indicate that this router has ceased to participate in VRRP and a backup virtual router should transition to become a new master.
IP Addr Cnt: The number of IP addresses that are associated with this virtual router.
Master Ip Addr: The master router’s real (primary) IP address. This is the IP address listed as the source in the VRRP advertisement last received by this virtual router.
Primary IP Addr: In the case where there is more than one IP address for a given ‘ifIndex’, this object is used to specify the IP address that will become the Master Ip Addr, should the virtual router transition from backup to master. If this object is set to 0.0.0.0, the IP address which is numerically lowest will be selected.
Table 3: State Values
Value       Description
initialize  Indicates the virtual router is waiting for a startup event.
backup      Indicates the virtual router is monitoring the availability of the master router.
master      Indicates the virtual router is forwarding packets for IP addresses that are associated with this router.
Auth Type: Authentication type used for VRRP protocol exchanges between virtual routers. Possible values are described in Table 4.
Auth Key: The Authentication Key. This value is set according to the value in Auth Type. If the length of the value is less than 16 octets, the agent will left adjust and zero fill to 16 octets. The value of this object is the same for a given “ifIndex.”
Adv Intv: The time interval, in seconds, between sending advertisement messages. Only the master router sends VRRP advertisements.
Preempt Mode: Controls whether a higher priority virtual router will preempt a lower priority master.
Up TIme: This is the value of “sysUpTime” when this virtual router transitioned out of “initialized”.
Protocol: The particular protocol being controlled by this Virtual Router. Possible values are: ip, bridge, decnet, and other.
Status: The row status variable, used in accordance with installation and removal conventions for conceptual rows. The state that this value transitions to when set is based on a determination of whether the read-write objects in the row have been correctly initialized for virtual router operation. A row in which not all of the values are correctly set is considered ‘incomplete’. Possible values are described in Table 5.
Table 4: Authentication Values
Value                   Description
noAuthentication        VRRP protocol exchanges are not authenticated.
simpleTextPassword      Exchanges are authenticated by a clear text password.
ipAuthenticationHeader  Exchanges are authenticated using the IP authentication header.
Table 5: Status Values
Value          Description
active         When this value is read, it indicates that all the read-write objects (in the row) required for virtual router operation have been correctly initialized such that the respective virtual router can be made operational by setting the Admin State to ‘up’. When set to ‘active’, no other objects in the conceptual row, with the exception of Admin State, can be modified.
notInService   When set, allows the values in the row to be modified by a management station, thus changing the operational characteristics of the corresponding virtual router.
notReady       The agent sets the value to this state to indicate that the conceptual row exists but is lacking initialization of one or more objects required for virtual router operation.
createAndGo    This is set by a management station wishing to create a new instance of a virtual router and to have its status automatically set to ‘active’, making it available for use by a virtual router. Upon receiving a request to set Status to this value, the agent transitions the Status to ‘active’ if the other settable objects in the row have been correctly initialized. If the row is incomplete, the agent transitions the state to ‘notReady’.
createAndWait  This is set by a management station wishing to create a new instance of a virtual router but not make it available for use. When this value is set, Status transitions to ‘notInService’ if the row has been correctly initialized; if the row is incomplete, Status will become ‘notReady’.
destroy        Deletes the conceptual row, and hence, the corresponding instance of a virtual router.
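The checks below are an added example, not code from this manual or from SPECTRUM: they audit rows shaped like the VRRP Operations Table for the virtual MAC derivation, the 16-octet Auth Key fill, and the Auth Type values in Table 4. The row dictionaries, their key names (including `if_index`) and every sample value are constructed assumptions; the VRID range of 1 to 255 comes from RFC 2338.

```python
# Added example: audit rows shaped like the VRRP Operations Table.
# Row keys and all sample values are constructed assumptions.

# Table 4 values that give no cryptographic protection, in the table's wording.
WEAK_AUTH = {
    "noAuthentication": "exchanges are not authenticated",
    "simpleTextPassword": "exchanges are authenticated by a clear text password",
}

def virtual_mac(vrid):
    """Derive 00-00-5E-00-01-<VRID>; the VRID fills the single last octet."""
    if not 1 <= vrid <= 255:  # VRID range per RFC 2338
        raise ValueError("VRID out of range: %r" % vrid)
    return "00-00-5E-00-01-%02X" % vrid

def pad_auth_key(key):
    """Left adjust and zero fill the key to 16 octets, as the agent does."""
    if len(key) > 16:
        raise ValueError("Auth Key longer than 16 octets")
    return key.ljust(16, b"\x00")

def audit_row(row):
    """Return findings for one row: virtual MAC derivation and Auth Type."""
    findings = []
    expected = virtual_mac(row["index"])
    seen = row["virt_mac"].replace(":", "-").upper()
    if seen != expected:
        findings.append("virtual MAC %s, expected %s" % (seen, expected))
    if row["auth_type"] in WEAK_AUTH:
        findings.append("%s: %s" % (row["auth_type"], WEAK_AUTH[row["auth_type"]]))
    return findings

def inconsistent_key_interfaces(rows):
    """ifIndex values whose rows carry different keys after the 16-octet fill."""
    keys = {}
    for row in rows:
        keys.setdefault(row["if_index"], set()).add(pad_auth_key(row["auth_key"]))
    return sorted(i for i, seen in keys.items() if len(seen) > 1)

# Constructed rows (not taken from any device).
ROWS = [
    {"if_index": 1, "index": 1, "virt_mac": "00-00-5E-00-01-01",
     "auth_type": "ipAuthenticationHeader", "auth_key": b"k1-constructed"},
    {"if_index": 1, "index": 2, "virt_mac": "00:00:5e:00:01:02",
     "auth_type": "simpleTextPassword", "auth_key": b"k1-constructed\x00\x00"},
    # VRID 10 written in decimal in the MAC: the last octet should be hex 0A.
    {"if_index": 2, "index": 10, "virt_mac": "00-00-5E-00-01-10",
     "auth_type": "noAuthentication", "auth_key": b""},
    {"if_index": 2, "index": 11, "virt_mac": "00-00-5E-00-01-0B",
     "auth_type": "simpleTextPassword", "auth_key": b"other"},
]

if __name__ == "__main__":
    for row in ROWS:
        for finding in audit_row(row):
            print("ifIndex %d VRID %d: %s" % (row["if_index"], row["index"], finding))
    print("ifIndex with differing Auth Keys:", inconsistent_key_interfaces(ROWS))
```

Comparing keys only after the zero fill matters: the first two constructed rows hold the same key even though one was stored unpadded.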
Model Information Views
This section provides a brief description of the Model Information views available for models of Nokia Firewall devices.
Access: From the Icon Subviews menu for the Device icon, select Model Information.
Model Information views provide descriptive and configuration information about models of devices, interfaces, and applications. Figure 10 shows an example of a Model Information view accessed from the Icon Subviews menu for an IP440 Device icon. Model Information views are also available for each of the Interface icons in the Interface Device and Interface Device Topology views, and for each of the Application icons in the main Application view. Although these views may vary slightly, depending on the particular device being modeled, their basic layout and content are similar for most SPECTRUM management modules. Therefore, these views are described in more detail in SPECTRUM Views.
Figure 10: Model Information View