NetXplorer Install_Admin Guide R5

NetXplorer Centralized NetEnforcer and Service Gateway

Management Software Installation and

Administration Guide

P/N D354005 R5

NetXplorer Installation and Administration Guide i

NetXplorer Installation and Administration Guide ii

Important Notice Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to the end users using this manual, regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise. SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL, INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT. Please read the End User License Agreement and Warranty Certificate provided with this product before using the product. Please note that using the products indicates that you accept the terms of the End User License Agreement and Warranty Certificate. WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Copyright Copyright © 1997-2009 Allot Communications. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other language without a written permission and specific authorization from Allot Communications Ltd.

Trademarks Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. Allot and the Allot Communications logo are registered trademarks of Allot Communications Ltd.

NetXplorer Installation and Administration Guide iii

Version History

Doc Revision

Internal Build

Product Version

Published

4b v4b4 NX9.2.0 (Beta) 07.04.09

4 v4b6 NX9.2.1 25.06.09 (GA)

5 v5b1 NX10.1.0 26.09.09

5 v5b2 NX10.1.0 29.09.09

5 v5b3 NX10.1.0 30.09.09

5 v5b4 NX10.1.0 05.10.09

5 v5b5 NX10.1.0 18.10.09

5 v5b6 NX10.1.1 20.10.09 (GA)

5 v5b8 NX10.1.1 19.11.09 (Post GA)

5 V5b9 NX10.1.1 27.12.09 (Post GA)

5 V5b10 NX10.1.1 13.01.10 (Post GA)

NetXplorer Installation and Administration Guide iv

Important Notice ........................................................................................................................... ii Version H istory ............................................................................................................................. iii

C H APT E R 1: G E T T IN G ST A R T E D .......................................................................... 1-1 Overview...................................................................................................................................... 1-1 Terms and Concepts ................................................................................................................... 1-1 NetXplorer A rchitecture ............................................................................................................ 1-4 Administration Role ................................................................................................................... 1-6

C H APT E R 2: INST A L L A T I O N .................................................................................. 2-1 NetXplorer Server Installation .................................................................................................. 2-1

Windows Installation ................................................................................................................ 2-1 Linux Installation ...................................................................................................................... 2-7

NetXplorer C lient Installation................................................................................................. 2-10 Java, WebStart and the NetXplorer Client .............................................................................. 2-10 Accessing NetXplorer ............................................................................................................. 2-13 Enabling NetXplorer Servers .................................................................................................. 2-14

N X Accounting Installation ..................................................................................................... 2-16 Windows Server ...................................................................................................................... 2-16 Linux Server ........................................................................................................................... 2-20

NPP Installation ........................................................................................................................ 2-23 Windows Server ...................................................................................................................... 2-23 Linux Server ........................................................................................................................... 2-26

N X H igh Availability Platform Installation ........................................................................... 2-30 Connecting the HAP ............................................................................................................... 2-30 Network Configuration ........................................................................................................... 2-31

C H APT E R 3: C O N F I G UR A T I O N .............................................................................. 3-1 Overview...................................................................................................................................... 3-1 Working with Devices ................................................................................................................ 3-1 Configuring NetXplorer Users .................................................................................................. 3-8

C H APT E R 4: M O NI T O RIN G C O L L E C T O RS ........................................................ 4-1 Overview...................................................................................................................................... 4-1

Data Collection Process ............................................................................................................ 4-2 Collector Redundancy ............................................................................................................... 4-2 NetXplorer Support................................................................................................................... 4-4

Installing Monitoring Collectors ............................................................................................... 4-5 Collector Groups ....................................................................................................................... 4-8

Configuring Monitoring Collectors .......................................................................................... 4-9 T roubleshooting the Collector ................................................................................................. 4-12

Command Line Interface ........................................................................................................ 4-12

NetXplorer Installation and Administration Guide v

Processes ................................................................................................................................. 4-12 Logs and Snapshots ................................................................................................................ 4-12 Recreating Databases .............................................................................................................. 4-13 Changing IP Addresses ........................................................................................................... 4-13

C H APT E R 5: D A T A B ASE M A N A G E M E N T ............................................................ 5-1 Backup Terms ........................................................................................................................... 5-1 Using Backups to Achieve NX Redundancy ............................................................................ 5-1

Database Management on Windows ......................................................................................... 5-2 Cold Backup ............................................................................................................................. 5-2 Hot Backup ............................................................................................................................... 5-4

Database Management on L inux ............................................................................................ 5-16 Cold Backup ........................................................................................................................... 5-16 Hot Backup ............................................................................................................................. 5-17

C H APT E R 6: C O M M A ND L IN E IN T E R F A C E (C L I) ............................................ 6-1 Provisioning C L I ........................................................................................................................ 6-1

Topology CLI ........................................................................................................................... 6-2 Catalogs CLI ............................................................................................................................. 6-3 Policy CLI ............................................................................................................................... 6-10 Web Updates CLI ................................................................................................................... 6-15

Monitoring C L I ........................................................................................................................ 6-16 Export to CLI .......................................................................................................................... 6-17

C H APT E R 7: T R O UB L ESH O O T IN G ....................................................................... 7-1 T roubleshooting Basics .............................................................................................................. 7-1

First Steps ................................................................................................................................. 7-1 Processes ................................................................................................................................... 7-1 Log Files ................................................................................................................................... 7-2 Snapshots .................................................................................................................................. 7-5 How to restore CFG (allot_cfg) database from the Snapshot-File ............................................ 7-6

Login E r rors ............................................................................................................................... 7-6 Incorrect Java Version .............................................................................................................. 7-6 Lack of Connectivity ................................................................................................................ 7-7 Antivirus Conflict ..................................................................................................................... 7-7

Policy Saving E r rors .................................................................................................................. 7-8 Data Display E rrors ................................................................................................................... 7-9

Data Transmission .................................................................................................................. 7-10 Data Reception ........................................................................................................................ 7-11 Data Loss ................................................................................................................................ 7-11 Stress ....................................................................................................................................... 7-12

Add Device E r rors .................................................................................................................... 7-13 N X-H AP T roubleshooting ....................................................................................................... 7-15

Monitoring the Cluster Status ................................................................................................. 7-15 Viewing Available Resources ................................................................................................. 7-16

NetXplorer Installation and Administration Guide vi

Stopping Heartbeat Service .................................................................................................... 7-17

C H APT E R 8: APPE NDI C ES ....................................................................................... 8-1 Upgrading NetXplorer Server ................................................................................................... 8-1

Standard Upgrade Procedure .................................................................................................... 8-1 Manual Upgrade Procedure ...................................................................................................... 8-3

Upgrading N X-H AP ................................................................................................................... 8-6 Upgrading Distr ibuted Monitoring Collector .......................................................................... 8-8 Events .......................................................................................................................................... 8-9

NetXplorer Installation and Administration Guide vii

F I G UR ES

Figure 1-1: System Architecture .................................................................................................. 1-5

Figure 2-1: Security Warning ....................................................................................................... 2-3

Figure 2-2: NetXplorer InstallShield Wizard Welcome Window ................................................ 2-4

Figure 2-3: Choose Setup Type .................................................................................................... 2-4

Figure 2-4: Choose Destination Location - Custom ..................................................................... 2-5

Figure 2-5: Choose NTP configuration option - Custom ............................................................. 2-5

Figure 2-6: Choose Destination Location - Typical ..................................................................... 2-6

Figure 2-7: Ready to Install the Program ..................................................................................... 2-6

Figure 2-8: Setup Initializing........................................................................................................ 2-6

Figure 2-9: NetXplorer InstallShield Wizard Complete ............................................................... 2-7

Figure 2-10: NetXplorer Java Installation Screen ...................................................................... 2-12

Figure 2-11: NetXplorer Log On Window ................................................................................. 2-13

Figure 2-12 NetXplorer Log On Dialog Box .......................................................................... 2-14

Figure 2-13: NetXplorer Application Server Registration Dialog ............................................. 2-15

Figure 2-14: Security Warning ................................................................................................... 2-17

Figure 2-15: Accounting Manager InstallShield Welcome Window ......................................... 2-18

Figure 2-16: Choose Destination Location ................................................................................. 2-18

Figure 2-17: Ready to Install Window ....................................................................................... 2-19

Figure 2-18: NetXplorer InstallShield Wizard Complete ........................................................... 2-19

Figure 2-19: Security Warning ................................................................................................... 2-24

Figure 2-20: NetPolicy Provisioner InstallShield Welcome Window ........................................ 2-25

Figure 2-21: Choose Destination Location ................................................................................. 2-25

Figure 2-22: NetXplorer IP Address Window ............................................................................ 2-25

Figure 2-23: Ready to Install Window ....................................................................................... 2-26

Figure 2-24: NPP InstallShield Wizard Complete ..................................................................... 2-26

Figure 2-25: Cable Connections for NX High Availability Platform......................................... 2-30

Figure 2-26: RedHat Network Configuration Dialog ................................................................. 2-32

NetXplorer Installation and Administration Guide viii

Figure 2-27: Updating /etc/hosts file .......................................................................................... 2-33

Figure 2-28: Updating /etc/ha.d/ha.cf file Default Gateway ................................................... 2-33

Figure 2-29: Updating /etc/ha.d/ha.cf file Enable SNMP Traps ............................................. 2-33

Figure 2-30: Updating crm-mon ................................................................................................. 2-34

Figure 2-31: Updating cib.xml ................................................................................................... 2-35

Figure 2-32: Specifying NX-HAP IP for Receipt of SNMP Traps ............................................ 2-38

Figure 3-1: NetEnforcer Properties New Dialog ....................................................................... 3-2

Figure 3-2: NetEnforcer Properties Import Dialog .................................................................... 3-2

Figure 3-3: Monitoring Collector Properties New Dialog ......................................................... 3-3

Figure 3-4: Monitoring Collector Properties New Dialog ......................................................... 3-4

Figure 3-5: Collector Group Properties New Dialog ................................................................. 3-4

Figure 3-6: SMP Properties New Dialog ................................................................................... 3-5

Figure 3-7: Device Properties Update dialog ............................................................................... 3-6

Figure 3-8: System Message ........................................................................................................ 3-6

Figure 3-9: NetEnforcer Configuration ........................................................................................ 3-7

Figure 3-10: Users Configuration Editor ...................................................................................... 3-9

Figure 3-11: User Editor ............................................................................................................... 3-9

Figure 4-1: Collector Front View ............................................................................................. 4-1

Figure 4-2: Collector Rear View ............................................................................................... 4-1

Figure 4-3 N+1 Collector Redundancy ....................................................................................... 4-3

Figure 4-4 1+1 Collector Redundancy ......................................................................................... 4-3

Figure 4-5: Connecting the Collector Rear View ..................................................................... 4-5

Figure 4-6: Monitoring Collectors Properties dialog General tab ............................................. 4-6

Figure 4-7: NetEnforcer Properties dialog ................................................................................... 4-7

Figure 4-8: Monitoring Collector Properties - Update ................................................................. 4-8

Figure 4-9: Collector Group Properties New Dialog ................................................................. 4-8

Figure 4-10: Collector Configuration Window - General Tab ..................................................... 4-9

Figure 4-11: SNMP Tab ............................................................................................................... 4-9

Figure 4-12: Date/Time Tab ....................................................................................................... 4-10

NetXplorer Installation and Administration Guide ix

Figure 4-13: IP Properties Tab ................................................................................................... 4-10

Figure 4-14: Securities Tab ........................................................................................................ 4-11

Figure 4-15: Monitoring Collector Properties Update Dialog ................................................. 4-11

Figure 6-1: Database Logs............................................................................................................ 7-2

Figure 6-2: Key Database Logs .................................................................................................... 7-3

Figure 6-3: Application Server Logs ............................................................................................ 7-3

Figure 6-4: NMS.log Example ..................................................................................................... 7-4

Figure 6-5: Install Log .................................................................................................................. 7-4

Figure 6-6: Snapshot File ............................................................................................................. 7-5

Figure 6-7: Restore Policy and Catalogs Dialog .......................................................................... 7-9

Figure 6-8: Events Log ............................................................................................................... 7-10

Figure 6-9: Bucket Manifest ....................................................................................................... 7-11

Figure 6-10: Data Logs ............................................................................................................... 7-12

NetXplorer Installation and Administration Guide 1-1

Chapter 1: Getting Started

Overview NetXplorer is a highly scalable Network Business Intelligence system that enables strategic decision-making based on comprehensive network application and subscriber traffic analysis.

NetXplorer configures NetEnforcer or Service Gateway devices and a central catalog, which enables global policy provisioning. Many network topologies can benefit from more than one NetEnforcer or Service Gateway. In addition, NetXplorer provides a centralized management system for all NetEnforcers or Service Gateways on the network. It provides easy access to devices and configuration parameters via the device tree.

By enabling real time monitoring of network troubleshooting and problem analysis, NetXplorer provides long term reporting for capacity planning, tracking usage and trend analysis; it allows for the proactive management of traffic and system-wide alarms; and it allows for the collection and export of auditing data for billing and quota purposes.

Terms and Concepts This section introduces some of the basic terms and concepts used in NetXplorer.

NetXplorer

NetXplorer is a highly scalable Network Business Intelligence system that centrally manages the NetEnforcer and Service Gateway product line. It enables strategic decision-making based on comprehensive network application and subscriber traffic analysis.

The NetXplorer server can be installed on any server running Windows Server 2003 or Windows XP SP2.



NetEnforcer NetEnforcers are the traffic management devices that inspect and monitor network traffic.

Monitoring Collector

The Monitoring Collector is an Allot appliance that can be added between the NetXplorer Servers and the NetEnforcers or Service Gateways in order to support large numbers of NetEnforcers or Service Gateways or those installed in remote geographic locations.

QoS QoS (Quality of Service) is the ability to define a level of performance in a data communications system. In NetXplorer, QoS is an action applied to a connection when the conditions of a filter are satisfied.

The QoS specified can include the following: Prioritized Bandwidth: Delivers levels of service based on class levels.

During peak traffic periods, the NetXplorer will slow down lower priority applications, resulting in increased bandwidth delivery to higher priority applications.

Guaranteed Bandwidth: Enables the assignment of fixed minimum and maximum amounts of bandwidth to specific Pipes, Virtual Channels and connections. By borrowing excess bandwidth when it is available, connections are able to burst above guaranteed minimum limits, up to the maximum guaranteed rate. Guaranteed rates also assure predictable service quality by enabling time-critical applications to receive constant levels of service during peak and non-peak traffic periods.

Reserved Bandwidth on Demand: Enables the reservation of the minimum bandwidth from the first packet of a connection until the connection ends. This is useful when the bottleneck is not at the link governed by the NetEnforcer or Service Gateway. By limiting other connections (non-guaranteed), the NetEnforcer or Service Gateway reserves enough bandwidth for the required Pipe or Virtual Channel.

T OS Marking: Enables the user to set the ToS bytes in the transmitted frame according to the DiffServ standard or free format.

Access Control: Determines whether a connection is accepted, dropped or rejected. For example, you can specify the following policy: accept 1000 ICMP connections to Server1 and drop the rest. A NetEnforcer or Service Gateway policy can also be to drop all P2P connections or accept new connections with a lower priority

Admission Control: Determines the bandwidth granted to a flow based on your demand (for example, allocated minimum of 10kbps) and the available bandwidth on the line.



Catalog Editors Catalog Editors enable you to define values to define your policy. The possible values for each condition of a filter and for actions are defined in the Catalog entries in the Catalog Editors. A Catalog Editor enables you to give a logical name to a comprehensive set of parameters (a Catalog entry). This logical name then becomes a possible value for a condition or action

Lines A Line represents a physical or logical media in the system. A line provides a way of classifying traffic that enables you to divide the total bandwidth and then manage every Line as if it was an independent link. A Line consists of one or more sets of conditions and a set of actions that apply when all of the conditions are met. A line is an address-based or VLAN-based entity, and is not service-based.

A Line can aggregate several Pipes, acting like a container of Pipes from a QoS point of view. The filter of the Fallback Line cannot be modified or deleted. A connection coming into the NetEnforcer or Service Gateway is matched to a Line according to whether the characteristics of the connection match all of the Conditions of the Line. The connection is then further matched to the Conditions of a Pipe under the Line. The actions defined for the Line influence all the Pipes under the Line. The actions defined for a Pipe are enforced together with the actions of the Line.

Pipes A Pipe provides a way of classifying traffic that enables you to divide the total bandwidth and then manage every Pipe as if it was an independent link. Pipes cannot stand alone and are always contained within a Line. A Pipe consists of one or more sets of conditions and a set of actions that apply when all of the conditions are met. A Pipe can aggregate several Virtual Channels, acting like a container of Virtual Channels from a QoS point of view.

When you add a new Pipe, it always includes at least one Virtual Channel, the Fallback Virtual Channel. The Fallback Virtual Channel filter cannot be modified or deleted. A connection coming into a line is matched to a Pipe according to whether the characteristics of the connection match all of the Conditions of the Pipe. The connection is then further matched to the Conditions of a Virtual Channel under the Pipe. The actions defined for the Pipe influence all the Virtual Channels under the Pipe. The actions defined for a Virtual Channel are enforced together with the actions of the Pipe.

Virtual Channels A Virtual Channel provides a way of classifying traffic and consists of one or more sets of Conditions and a set of actions that apply when all of the Conditions are met. A Virtual Channel is defined within a Pipe and cannot stand alone. A connection matched to a Pipe is further matched to a Virtual Channel according to whether the characteristics of the connection match all of the Conditions of the Virtual Channel.

Conditions



A Condition is defined at the Line level, Pipe level or Virtual Channel level. NetXplorer matches connections to conditions, first at the Line level then at Pipe level and then again at the Virtual Channel level within a Pipe.

Templates Templates enable you to create a "master" Pipe or Virtual Channel that upon saving will create multiple Pipes or Virtual Channels similar to one another. Templates work with host group entries defined in the Host Catalog. For example, if a host group entry in the Host Catalog called Gold Customers consists of Company X, Company Y and Company Z, you could define a Pipe template to be expanded for Gold Customers. This would result in Pipes being created for Company X, Company Y and Company Z when the Policy Editor is saved.

A Pipe or Virtual Channel template enables the fast creation of Pipes and Virtual Channels on source/destination differentiation. This means that you do not need to define similar Pipes and Virtual Channels when the only difference between them is the IP address in the source or destination.

NetXplorer Architecture This section introduces the NetXplorer concept and explains its components and architecture.

NetXplorer uses a highly scalable architecture that enables the monitoring of all NetEnforcer or Service Gateway devices from a single user interface. In addition, NetXplorer can utilize distributed monitoring collectors, which increase the scalability of your deployment. The collectors gather short-term network usage statistics from the NetEnforcers or Service Gateways.

NetXplorer's server-based, distributed architecture consists of four tiers: multiple NetEnforcer or Service Gateways and associated distributed collectors, a NetXplorer server and GUI clients.



F igure 1-1: System A rchitecture

NetXplorer architecture consists of four layers:

1. NetEnforcer layer: NetEnforcers or Service Gateways are the traffic management devices that inspect and monitor network traffic. There can be one or more NetEnforcers or Service Gateways on a network. They manage network policies and collect network usage data.

2. Monitoring Collectors: Monitoring collectors increase scalability by supporting large numbers of NetEnforcers or Service Gateways or those installed in remote geographic locations. Monitoring collectors are fully managed via the NetXplorer GUI.

3. Server Layer: The NetXplorer server is the actual application, which includes the databases and an integrated data collector. The NetXplorer server manages and communicates with the different clients that access the system, and facilitates NetEnforcer or Service Gateway configuration, policy provisioning, alarms, monitoring and reporting. The integrated data collector included in the NetXplorer streamlines the required collection of data from the managed NetEnforcer or Service Gateway devices. The Server layer includes additional servers such as SMP Servers, NPP Servers and stand along Accounting Servers.



4. User Interface Layer: The different clients connected to the NetXplorer Server are the NetXplorer GUI application users. Any network computer capable of connecting to the NetXplorer server can support the GUI interface.

The system offers simple integration with external systems using a wide range of interfaces, including SNMP, CSV Files (for report data export), XML and CLI.

Administration Role NetXplorer uses a role-based security model. The role defined for each authorized user indicates the scope of operations that can be performed by that user. The Administrator role gives Admin users complete read/write privileges in the NetXplorer application including read/write configuration privileges.

The main functions of the Administrator role include:

1. User Registration

2. Device and Network Management

3. Monitoring Collectors Management

4. Database Maintenance

This document defines the main concepts and describes the various activities related to the installation and configuration of NetEnforcer or Service Gateways and the NetXplorer, Monitoring Collectors, as well as the main tasks associated with Database Maintenance, such as backup and restore, changing location and installing the NetXplorer on a remote data base.


Chapter 2: Installation

NetXplorer Server Installation

Windows Installation

Installation Prerequisites This section describes the minimum hardware and software requirements for installing NetXplorer on a Windows Server.

Server Hardware Requirements Minimum Specifications for Managing 1-2 NetEnforcer A C-400/800/1000/2500 Devices

Intel Pentium 4 2.8 GHz and up Intel Chipset based (925 or 955) 2 GB RAM DDR Dual channel 1 x 80 GB HDD, 8 MB Cache (SATA interface recommended) Windows XP Professional Service Pack 2

Minimum Specifications for Managing an A llot Service gateway, A C-10000, A C-5000 or more than 2 NetEnforcer A C-400/800/1000/2500 Devices

Dual Xeon 3.0 GHz and up 4 GB RAM DDR Dual channel RAID (0 or 10) Controller with 256MB Battery Backed Write Cache

(BBWC) 5x36 GB HDD SCSI U320 15k RPM or larger (capacity depends on

overall storage needs, allowing for 100 GB per Service Gateway or AC-10000/AC-5000, 20 GB per AC-2500/AC-1000 and 10 GB per AC-800/AC-400)

Windows Server 2003 Enterprise Edition Service Pack 1or Windows Server 2003 Standard Edition Service Pack 1

Software Requirements Any Real-Time Virus Protection programs or automatic

Defragmentation/Backup software must be disabled on the NetXplorer server or the Allot folder needs to be excluded from protection/defragmentation.



Java SDK 1.6 should be installed on the Server machine. For details on how to install the Java SDK see Installing Java 1.6 SD K on page 2-2

No other database applications (for example, SQL database) should be installed on the NetXplorer server machine.

No application should be listening to port 80 at the time of the installation.

Pre-Installation Checklist Before you begin the installation process, it is important that you perform the following steps.

1. Verify that the minimum required space is available on the hard disk

2. Verify that there is at least 4 GB of available Virtual Memory.

NOTE: Set the Virtual Memory on your computer by selecting Start/Settings/Control Panel/System. Open the Advanced tab and click the Performance Settings button. Open the Advanced tab and click the Change button under Virtual Memory to select a new value.

3. Verify that the Java SDK 1.6 is installed, including runtime environment. If it is not installed, install it now, as described in Installing Java 1.6 SD K below.

Installing Java 1.6 SDK The Java 1.6 SDK, including the run time environment, must be installed before you can install NetXplorer.

To install the Java SDK:

1. Browse to <target folder> and run the jdk-1_6_0_10-windows-i586-p.exe file on the installation CD. The Security Warning is displayed.

2. Click Run. The License Agreement is displayed.

3. Read the license agreement and select to indicate your agreement, and then click Next. The Custom Setup dialog is displayed.

4. Click Next to accept the default installation location,

OR

Click Change to browse and select an alternate installation location, and then click Next.



NOTE The necessary program features are selected by default. You do not need to change these default settings.

The Browser Registration dialog is displayed.

5. Verify that Microsoft Internet Explorer is selected and click Install. The Installing Java SDK dialog is displayed. The progress bar indicates the status of the installation process.

6. When the installation process is done, the Complete window is displayed.

7. Click F inish.

Installation Instructions After you have performed the pre-installation checks and have verified that the Java SDK is installed, you are ready to install NetXplorer.

To install NetXplorer:

1. Run the setup.exe file on the installation CD or from a net-mounted disk.

NOTE Do not attempt to run the setup file from a net long address, such as \\file_server\.

2. The following dialog is displayed.

F igure 2-1: Security Warning



3. Click Run. The following window is displayed.

F igure 2-2: NetXplorer InstallShield Wizard W elcome Window

Click Next to continue.

4. The NetXplorer License Agreement is displayed.

Click Next to continue

5. Read the license agreement and select to indicate your agreement, and then click Next. The Choose Setup Type dialog is displayed.

F igure 2-3: Choose Setup Type

6. To install all program components in a single location, select Typical and click Next. Then skip ahead to step 10.

OR

To install each component in a different location, select Custom and click Next.

NOTE Allot strongly recommends using the Custom installation option.



7. If you selected Custom in step 5, the following dialogs are displayed.

F igure 2-4: Choose Destination Location - Custom

8. Accept the default destination locations or browse and select an alternate location for one or more of the components, and then click Next. The Choose NTP configuration option dialog is displayed.

NOTE If alternate locations are chosen for one or more components, they must be in a subdirectory on one of the root directories (like C:\Allot or D:\Allot) and not on the root directory itself (C:\ or D:\).

NOTE It is recommended that the system files and the different monitoring files be installed on different physical drives in order to improve overall performance.

F igure 2-5: Choose N TP configuration option - Custom

9. Select either the Use local clock or the Use External N TP server radio button. If you select an external NTP server, enter the

Next.

NOTE Allot strongly recommends using an external NTP server.



10. If you selected Typical in step 5 the following dialog is displayed.

F igure 2-6: Choose Destination Location - Typical

11. Accept the default destination location or browse and select an alternate location, and then click Next.

F igure 2-7: Ready to Install the Program

12. Click Install to begin the installation. The Setup Status dialog is displayed.

After a few moments the following popup is displayed.

F igure 2-8: Setup Initializing

NOTE The installation may take up to 30 minutes to complete.



13. When the installation is complete the following dialog is displayed.

F igure 2-9: NetXplorer InstallShield Wizard Complete

14. Select Y es, I want to restart my computer now and click F inish. The installation process is complete.

Linux Installation

Installation Prerequisites This section describes the minimum hardware and software requirements for installing NetXplorer on a Linux Server.

Server Hardware Requirements Minimum Specifications for Managing 1-2 NetEnforcer A C-400/800/1000/2500 Devices

Intel Pentium 4 2.8 GHz and up Intel Chipset based (925 or 955) 1 GB RAM DDR Dual channel 1 x 100 GB HDD, 8 MB Cache (SATA interface recommended) Red Hat Enterprise Linux Server 5.2 or 5.3, 32 or 64 bit installed

Minimum Specifications for Managing an A llot Service Gateway, A C-10000, A C-5000 or more than 2 NetEnforcer A C-400/800/1000/2500 Devices

DUAL Xeon 2.8 GHz and up 4 GB RAM DDR Dual channel RAID (0 or 10) Controller with 256MB Battery Backed Write Cache

(BBWC)



5x36 GB HDD SCSI U320 15k RPM or larger (capacity depends on overall storage needs, allowing for 100 GB per Service Gateway or AC-10000/AC-5000, 20 GB per AC-2500/AC-1000 and 10 GB per AC-800/AC-400)

Red Hat Enterprise Linux Server 5.2 or 5.3, 32 or 64 bit installed

Software Requirements NetXplorer Server should be installed on a machine running

Red Hat Enterprise Linux Server 5 32 or 64 bit. NetXplorer Client software should be installed on a machine

running Windows XP Professional and Microsoft Internet Explorer.

Any Real-Time Virus Protection programs or automatic Defragmentation/Backup software must be disabled on the NetXplorer server or the Allot folder needs to be excluded from protection/defragmentation.



FQDN of the server should be defined (to check run -

Check that NTP service is installed. The Config ntp service should be configured to start when the unit is rebooted by entering the following command: chkconfig --levels 35 ntpd on

NTP service should be configured to update the time from an external NTP server and deliver the time service to Allot devices.

If the OS is not installed yet, configure the server so that the CD is the first boot device, insert the RedHat5 Installation CD #1 and reboot the host. Follow the on-screen instructions using the default installation options on all steps except for the steps listed below

Hostname: give fully qualified host name (e.g., NXlinx.allot.local)

Firewall: disabled (during configuration after reboot) SELinux: disabled (during configuration after reboot) Time: configure correct time according to time zone chosen



NTP server: may be configured during configuration after the IP address is configured (select the checkbox about synchronize before starting)

Installation Instructions

To install the software:

1. Confirm all the hardware and software requirements.

2. Confirm that there is at least 20GB of free space on the /opt directory.

3. Run rpm -ivh <filename>.rpm Example: rpm -ivh NetXplorer-8.1-1.i386.rpm

NOTE You may discover the filename by using the following command: cd / find|grep -i netxplorer-

Package dependencies are checked, and error message issued if additional are packages needed. The JDK 6 (Java development kit) package is included in the installation set.

4. To install the packages, run rpm ivh <JDK filename>.rpm (version numbers may differ).

5. Configure the NTP service to start on system start by entering the following command: chkconfig --levels 35 ntpd on

6. Manually edit the /etc/host files as follows: 127.0.0.1 localhost.localdomain localhost 10.50.18.1 NX1-lin.allot.local NX1-lin

7. Reboot the machine. Confirm that NTP and NetXplorer services are running.

8. To start/stop/check the status of the services use commands such as:

service ntpd start

service netxplorer stop

service netxplorer status



Uninstallation Instructions 1. Check what version of software is installed on the server by

running the following command: rpm -qa |grep netxplorer

2. To uninstall NetXplorer run the following command rpm -e <netxplorer version> Example: [root@REDHATNX NX811b10]# rpm -e netxplorer-8.1.1-10

NetXplorer Client Installation

Java, WebStart and the NetXplorer Client NetXplorer works with a technology known as WebStart from Sun Microsystems. WebStart enables you to run the NetXplorer Client software by simply double-clicking

having to access the NetXplorer Client through an Internet browser.

Hardware Requirements It is recommended that the NetXplorer Client be installed on a machine with the following minimum specifications:

Pentium 4 512MB RAM Windows XP/Microsoft Internet Explorer

Software Requirements NetXplorer Client software should be installed on a machine running

Windows XP Professional and Microsoft Internet Explorer. Any Real-Time Virus Protection programs or automatic

Defragmentation/Backup software must be disabled on the NetXplorer client or the Allot folder needs to be excluded from protection/defragmentation.

Java JRE 1.6 should be installed on the client machine. For details on how to install the Java JRE see Installing Java 1.6 JR E on page 2-17.




Firewall Settings In some networks, workstations running the NetXplorer GUI and NetEnforcers or Service Gateway can be separated from the NetXplorer server by a firewall for security reasons. In order to allow the client to communicate with the NetXplorer server the following ports should be opened in the Firewall:

TCP/80 HTTP TCP/1098 The RMI service bind address TCP/1099 JNP server bind address TCP/4444 RMI Object ports

To enable the communication between the NetXplorer and the NetEnforcer or Service Gateways the following ports in the Firewall should be opened:

TCP/80 HTTP UDP/161 SNMP UDP/162 SNMP Trap UDP/123 NTP TCP/123 NTP

Installing Java 1.6 JRE The Java 1.6 JRE must be installed on your computer as a prerequisite to working with the NetXplorer User Interface.

To install Java 1.6 JRE:

1. Open your Internet browser, and access http://<<NetX-addr>> The following window is displayed.



F igure 2-10: NetXplorer Java Installation Screen

2. Click the Install Java JRE First link if you do not have Java 1.6 JRE installed on your computer.

3. Click on the appropriate link and follow the on-screen instructions to install the Java 1.6 JRE on your computer.

Initializing WebStart 1. With the Java 1.6 JRE installed, access http://<<NetXplorer-IP-

address> once again. The Application Starting window is displayed.

When the loading process is complete for the first time, the Security Warning is displayed, prompting you to confirm that you want to allow NetXplorer User Interface software access to your computer.



2. The NetXplorer Log On window is displayed.

F igure 2-11: NetXplorer Log On Window

A shortcut icon to the NetXplorer installation is placed on your desktop and in your Start menu.

Accessing NetXplorer Once you have completed the initial setup, as described in the previous chapter, you can access to NetEnforcer or Service Gateway via your Web browser. The first time that you connect to NetEnforcer or Service Gateway, you may be prompted to install Java plug-in 1.6. Refer to Installing Java 1.6 JRE, page 2-16, for further information.

To connect to NetXplorer:

1. In Internet Explorer, browse to http:<<NetXplorer IP>> and select Launch NetXplorer in the NetXplorer Control Panel.

OR

Start menu.



2. The Java Application Starting window is displayed.

3. The NetXplorer Log On dialog is displayed.

F igure 2-12 NetXplorer Log On Dialog Box

4. In the User Name field, enter admin and in the Password field, enter allot or the password that was established at set up. This is the default user name and password. They may be different if you changed them during the initial configuration.

5. Click Log On. The NetXplorer GUI is displayed.

NOTE It may take a few moments for the NetXplorer GUI to load.

Enabling NetXplorer Servers In order to manage more than one NetEnforcer or Service Gateway as well as certain features using NetXplorer, NetXplorer Server must be enabled by entering the appropriate key. This key may be entered at installation or at any time following. For more information concerning the NetXplorer Server contact Allot Customer Support at [email protected].

To enable NetXplorer Server:

mailto:[email protected]



1. Select Tools > NetXplorer Application Server Registration from the NetXplorer Menu bar. The NetXplorer Application Server Registration dialog box appears.

F igure 2-13: NetXplorer Application Server Registration Dialog

2. Enter the Server Registration Key and Serial Number provided by Allot to enable the NetXplorer Server functionality.

3. An Expiration Date will be generated automatically after clicking Save.

4. If Subscriber Management is enabled by the key that has been entered, it will be indicated (along with the type and the maximum number of subscribers) after SMP Enabled. For more information, see the SMP User Guide.

5. If Policy Provisioning is enabled by the key that has been entered, it will be indicated (along with the maximum number of accounts) after NPP Enabled. For more information, see the NPP User Guide.

6. If Classification of Hosts by Country is enabled by the key that has been entered, it will be indicated after Host Catalog Country C lassification Enabled.

7. If Accounting information is enabled by the key that has been entered, it will be indicated after Accounting Enabled.

8. If Service Catalog updates via the web are enabled by the key that has been entered, it will be indicated after Protocol Updates Enabled.



9. The Maximum number of devices covered by the entered key is indicated.

10. Click Save to enter the key and close the dialog box.

NX Accounting Installation

Windows Server

Installation Prerequisites

Hardware Requirements Minimum Specifications

Intel Pentium 4 2.8 GHz and up Intel Chipset based (925 or 955) 2 GB RAM DDR Dual channel 1 x 80 GB HDD, 8 MB Cache (SATA interface

recommended) Windows XP Professional Service Pack 2

Software Requirements NetXplorer Accounting software should be installed on a

machine running Windows 2003 Server or Windows XP Professional.


Java SDK 1.6 should be installed on the Accounting Server. For details on how to install the Java SDK see Installing Java 1.6 SD K on page 2-2.

No other database applications (for example, SQL database) should be installed on the NetXplorer Accounting machine.





1. Verify that a minimum of 20 GB is available on the disk


NOTE Set the Virtual Memory on your computer by selecting Start/Settings/Control Panel/System. Open the Advanced tab and click the Performance Settings button. Open the Advanced tab and click the Change button under Virtual Memory to select a new value.

3. Verify that the Java SDK 1.6 is installed, including runtime environment. If it is not installed, install it now, as described in Installing Java 1.6 SD K on page 2-2.

Installation Instructions NX Accounting may be installed on the same machine as NetXplorer Server, or on a separate machine. In either case you need to identify the IP address of the NetXplorer during the installation process.

NOTE Be sure that all the Ports are operable as detailed in the Firewall section in this Installation and User Guide, and that Java SDK is installed.

On the NetXplorer CD (or in a folder supplied to the End-User) the installation files are in a directory called ACCT.

To install the accounting manager:

1. Browse to the ACCT directory and run the setup.exe file on the installation CD or from a net-mounted disk.

NOTE Do not attempt to run the setup file from a long address






F igure 2-15: Accounting Manager InstallShield Welcome Window

4. Click Next.

The NetXplorer License Agreement is displayed.

5. Read the license agreement and select to indicate your agreement, and then click Next. The Choose Destination Location window is displayed.

F igure 2-16: Choose Destination Location

6. Accept the default destination locations or browse and select an alternate location, and then click Next.

The Enter NetXplorer Server IP Address window is displayed.



7. Type in the IP address of the NetXplorer Server, and click Next.

F igure 2-17: Ready to Install Window

8. Click Install to begin the installation. The Setup Status window is displayed.

When the installation is complete the following dialog is displayed.

F igure 2-18: NetXplorer InstallShield Wizard Complete


10. The NX Accounting functionality must be enabled by entering the appropriate key in the NetXplorer GUI. This key may be entered at installation or at any time following. For information, see the NetXplorer Operations Guide.

NOTE NetXplorer Accounting cannot be upgraded directly. The old version must be uninstalled and the new version of Accounting may then be installed.



Linux Server


Server Hardware Requirements Minimum Specifications


recommended) Red Hat Enterprise Linux Server 5.2 or 5.3, 32 or 64 bit

installed













Hostname: give fully qualified host name (e.g., NXlinx.allot.local);

Firewall: disabled (during configuration after reboot), SELinux: disabled (during configuration after reboot), Time: configure correct time according to time zone chosen NTP server: may be configured during configuration after the

IP address is configured (select the checkbox about synchronize before starting)


To install the accounting manager server in Linux:

1. Confirm all the software and disc pre-installation requirements are available.

2. Run the rpm -ivh <Accounting filename>.rpm Package. Dependencies are checked and error message issued if additional packages are needed. JDK 6 (Java development kit) is included in the installation set.



3. To install the packages, run rpm -ivh <JD K filename>.rpm (version numbers may differ). After the installation is finished, you see the following:

rpm -ivh Accounting-Manager-8.1.0-5.i386.rpm Preparing... ########################################### [100%]

1: Accounting-Manager ########################################### [100%]

Installation finished.

Please set NetXplorer IP Address by running accounting/bin/set_acct_nx_ip.sh.

Than, please reboot your device.


5. To set the NetXplorer IP address, run the following: /opt/allot/accounting/bin/set_acct_nx_ip.sh

6. Reboot the machine.

7. Check that NTP and NetXplorer services are running.


service ntpd start

service accounting_manager stop

service accounting_manager status

9. The NX Accounting functionality must be enabled by entering the appropriate key in the NetXplorer GUI. This key may be entered at installation or at any time following. For information, see the NetXplorer Operations Guide.




NPP Installation

Windows Server By default, the NetPolicy Provisioner is installed on the same machine as NetXplorer Server during the standard NetXplorer installation. NPP functionality is then enabled by entering the appropriate License Key.

The following procedure is for installing NPP on another Windows Server, without NetXplorer.

Installation Prerequisites

Hardware Requirements Minimum Specifications


recommended) Windows XP Professional Service Pack 2

Software Requirements NetPolicy Provisioner software should be installed on a

machine running Windows 2003 Server or Windows XP Professional.


Java SDK 1.6 should be installed on the NPP Server. For details on how to install the Java SDK see Installing Java 1.6 SDK on page 2-2.

No other database applications (for example, SQL database) should be installed on the NPP machine.





1. Verify that a minimum of 20 GB is available on the disk


NOTE: Set the Virtual Memory on your computer by selecting Start/Settings/Control Panel/System. Open the Advanced tab and click the Performance Settings button. Open the Advanced tab and click the Change button under Virtual Memory to select a new value.

3. Verify that the Java SDK 1.6 is installed, including runtime environment. If it is not installed, install it now, as described in Installing Java 1.6 SDK on page 2-2.

Installation Instructions NPP may be installed on the same machine as NetXplorer Server, or on a separate machine. In either case you need to identify the IP address of the NetXplorer during the installation process.

NOTE Be sure that all the Ports are operable as detailed in the Firewall section in this Installation and User Guide, and that Java SDK is installed.

On the NetXplorer CD (or in a folder supplied to the End-User) the installation files are in a directory called NPP.

To install NPP:

1. Browse to the NPP directory and run the setup.exe file on the installation CD or from a net-mounted disk.

NOTE Do not attempt to run the setup file from a long address






F igure 2-20: NetPolicy Provisioner InstallShield Welcome Window

4. Click Next. The NetXplorer License Agreement is displayed.

5. Read the license agreement and select to indicate your agreement, and then click Next. The Choose Destination Location window is displayed.

F igure 2-21: Choose Destination Location

6. Accept the default destination locations or browse and select an alternate location for one or more of the components, and then click Next. The Enter NetXplorer Server IP Address window is displayed.

F igure 2-22: NetXplorer IP Address Window



7. Type in the IP address of the NetXplorer Server, and click Next.

F igure 2-23: Ready to Install Window

8. Click Install to begin the installation. The Setup Status window is displayed.

When the installation is complete the following dialog is displayed.

F igure 2-24: NPP InstallShield Wizard Complete


10. NPP functionality must be enabled by entering the appropriate key in the NetXplorer GUI. This key may be entered at installation or at any time following. For information, see the NetXplorer Operations Guide.

Linux Server By default, the NetPolicy Provisioner is installed on the same machine as NetXplorer Server during the standard NetXplorer installation. NPP functionality is then enabled by entering the appropriate License Key.

The following procedure is for installing NPP on another Linux Server, without NetXplorer.




Server Hardware Requirements Minimum Specifications


recommended) Red Hat Enterprise Linux Server 5.2 or 5.3, 32 or 64 bit

installed













Hostname: give fully qualified host name (e.g., NXlinx.allot.local);

Firewall: disabled (during configuration after reboot), SELinux: disabled (during configuration after reboot), Time: configure correct time according to time zone chosen NTP server: may be configured during configuration after the

IP address is configured (select the checkbox about synchronize before starting)


To install the NPP on Linux:

1. Confirm all the software and disc pre-installation requirements are available.

2. Run the rpm ivh <NPP filename>.rpm Package. Dependencies are checked, and error message issued if additional packages are needed. JDK 6 (Java development kit) is included in the installation set.



3. To install the packages, run rpm -ivh >JD K filename>.rpm (version numbers may differ). After the installation is finished, you see the following:

rpm -ivh NetPolicy-Provisioner-8.1.0-5.i386.rpm

Preparing... ########################################### [100%]

1:NetPolicy-Provisioner ########################################### [100%]

Installation finished.

Please set NetXplorer IP Address by running /opt/allot/npp/bin/set_npp_nx_ip.sh.

Then, please reboot your device.


5. To set the NetXplorer IP address, run the following: /opt/allot/accounting/bin/set_acct_nx_ip.sh

6. Reboot the machine.

7. Check that NTP and NetXplorer services are running.


service ntpd start

service npp stop

service npp status

9. NPP functionality must be enabled by entering the appropriate key in the NetXplorer GUI. This key may be entered at installation or at any time following. For information, see the NetXplorer Operations Guide.



NX High Availability Platform Installation When a NetXplorer High Availability Platform is supplied, the customer will receive the following hardware components with the necessary software pre-installed:

2 x NetXplorer Servers

1 x NetXplorer Shared Storage Device

The administrator responsible for installation needs to connect the devices and then perform a basic network configuration as outlined below.

Connecting the HAP In a High Availability Cluster configuration, the NX servers are connected by two physical links. In addition, each NX server is connected to each of the controllers on the RAID Storage device with dedicated SAS cables).

The diagram below shows the rear-views of the RAID storage server and the 2 x NetXplorer servers that make up the NX-HAP solution. The physical connections are shown below:

F igure 2-25: Cable Connections for N X High Availability Platform

The connections are as follows:



1. A straight copper cable is used to connect between eth2 on one NX server and eth2 on the second NX server. (illustrated in green above)

2. A null modem serial cable (RS 232) is used to connect between the Serial COM port on one NX server and the Serial COM port on the second NX server. (illustrated in red above)

3. Two Serial SCSI (SAS) cables connect between the first controller on the RAID storage device and the SAS HBA connection in the first PCIe low profile slot of each NX server (illustrated in orange above)

4. Two further Serial SCSI (SAS) cables connect between the second controller on the RAID storage device and the SAS HBA connection in the second PCIe low profile slot of each NX server (illustrated in orange above)

5. Each NX server is connected to the management network via eth0 (illustrated in blue above) with an additional link via eth1, as required.

6. Each controller on the storage device is connected to the management network by a copper Ethernet link (illustrated in blue above)

Network Configuration Follow the step-by-step instructions below to give an IP address to each NX in the cluster and a virtual IP address to the High Availability Cluster itself.

NOTE Allot strongly recommends that this procedure be carried out by or under the supervision of an Allot engineer.

To update NX IPs in the Network Configuration Dialog:

1. On NX-1, from the RedHat OS Start menu, choose Administration / Network

2. Choose the Devices tab on the Network Configuration dialog

3. Double click on the bond0 interface. Unlike the screen capture below, eth0 will be inactive and bond0 will be active.



F igure 2-26: RedHat Network Configuration Dialog

4. Enter the following details:

IP address

Subnet

Default Gateway

5. From the DNS tab, enter the Primary DNS address.

6. Save the configuration change by choosing SA V E from the file menu.

7. Repeat steps 1-6 above for NX-2

To update NX IPs in the /etc/hosts file:

1. On NX-1 edit the /etc/hosts file by entering vi/etc/hosts

2. Change the IP address of each NetXplorer from the default addresses:



F igure 2-27: Updating /etc/hosts file

3. operating system

a) From the System menu choose Administrator/Server Settings/Services

b) Restart


To update the Default Gateway IP in ha.cf file:

1. On NX-1 edit the /etc/ha.d/ha.cf file

2. instead of 11.0.0.1

F igure 2-28: Updating /etc/ha.d/ha.cf file Default Gateway

3. Ensure that the unmarked lines (in bold below) are indeed unmarked to enable SNMP traps to be sent from the NX Cluster:

F igure 2-29: Updating /etc/ha.d/ha.cf file Enable SN MP T raps

4. Restart the heartbeat service by entering service heartbeat restart

5. Repeat steps 1-4 on NX-2

#respawn hacluster /usr/lib/heartbeat/ipfail respawn root /usr/lib64/heartbeat/pingd -m 100 -d 5s respawn root /usr/lib64/heartbeat/hbagent # # Access control for client api

# ping 11.0.0.1 #

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1 localhost.localdomain localhost

11.0.0.1 nx1.allot.com nx1

11.0.0.2 nx1.allot.com nx2



<nodes>

<node id="a4fb160c-30be-4744-8822-a9f1f790f675" uname="nx2.allot.com" type="normal"/>

<node id="37f206c8-a973-48db-bfbe-a7db915fefed" uname="nx1.allot.com" type="normal"/>

<expression attribute="#uname" id="a4fb160c-30be-4744-8822-a9f1f790f675" operation="eq" value="nx2.allot.com"/>

<expression attribute="#uname" id="37f206c8-a973-48db-bfbe-a7db915fefed" operation="eq" value="nx1.allot.com"/>

To update NX IPs in the cib.xml file:

1. On either NetXplorer, enter crm_mon

2. In the crm_mon output, note and record the HEX value listed for:

Node: NX-1

Node: NX-2

3. Stop the heartbeat service on NX-1 by entering service heartbeat stop

4. Stop the heartbeat service on NX-2 by entering service heartbeat stop

5. On NX-1 go to the directory called /home/install/new and edit the cib.xml file

6. The HEX values for both NX-1 and NX-2 appear in two places in the file

values for NX-1 and NX-2 noted from the crm_mon output in step 2 above

F igure 2-30: Updating crm-mon

7. Repeat steps 5-6 above on NX-2

To update the Virtual IP in the cib.xml file:

1. On On NX-1 go to the directory called /home/install/new and edit the cib.xml file

2. Look for the line beginning: nvpair ID. Edit the virtual IP value here.

3. Repeat steps 1-2 on NX-2



F igure 2-31: Updating cib.xml

4. Delete all files from the directory /var/lib/heartbeat/crm

5. Copy the newly edited cib.xml file to /var/lib/heartbeat/crm

6. Change the owner of the file by entering: chown hacluster :haclient /var/lib/heartbeat/crm/*

7. Change the rights to the cib.xml file by entering: chmod 600 cib.xml (in /var/lib/heartbeat/crm)

To verify a successful completion:

1. Start the heartbeat service on node NX-1 by enter ing service heartbeat start

2. Now that just heartbeat is running on NX-1 alone, verify that the GUI can be accessed from the virtual IP

3. Stop the service on node NX-1 by entering service heartbeat stop

4. Start the heartbeat service on node NX-2 by entering service heartbeat start

5. Now that just heartbeat is running on NX-2 alone, verify that the GUI can be accessed from the virtual IP

6. Restart the heartbeat service on node NX-1 by entering service heartbeat start

NOTE The heartbeat process typically takes approx. 5 minutes to start

To verify that NX-HAP is prepared to perform backups:

1. Check that the directory /opt/Sybase/data has sybase.allot as its owner. If sybase.allot is not the owner, change this by entering the command: chown sybase.allot /opt/sybase/data

2. If the /opt/Sybase/data/backup directory exists, check that this directory and its subdirectories all have sybase.allot as its owner. If sybase.allot is not the owner, change this by entering the command: chown R sybase.allot /opt/sybase/data/backup

<nvpair id="39163b78-bf63-47dc-bb7a-7e1557d29a5b" name="ip" value="10.4.60.112"/>



Configuring Redundancy of the NX Management Interfaces

1. On NX-1, locate the following two files from /etc/sysconfig/network-scripts/

ifcfg-eth0

ifcfg-eth1

2. Change ifcfg-eth0 as shown in B O L D and R E D below. You will need to remove the remark from several fields and add the

address value in the output below is just an example do not change the value on your device)

3. Change ifcfg-eth1 as shown in B O L D below. You will need to

below is just an example do not change the value on your device)

# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet #DEVICE=eth0 #BOOTPROTO=none #BROADCAST=10.255.255.255 #HWADDR=00:1A:64:08:6D:86 #IPADDR=10.90.90.67 #IPV6INIT=yes #IPV6_AUTOCONF=yes #NETMASK=255.0.0.0 #NETWORK=10.0.0.0 #ONBOOT=yes #GATEWAY=10.0.0.1 #TYPE=Ethernet DEVICE=eth0 BOOTPROTO=none HWADDR=00:1A:64:08:6D:86 ONBOOT=yes MASTER=bond0 SLAVE=yes USERCTL=no TYPE=Ethernet



4. Take the file ifcfg-bond0 from the Allot Knowledge Base and copy it to /etc/sysconfig/network-scripts/

5. Unmark the lines shown in bold/red below and enter the IP Address of the NX Server (IPADDR), the Default Gateway (GATEWAY), Subnet (Network) of the NX server as shown below:

6. Reboot the NX Server by entering Reboot.


DEVICE=bond0 USERCTL=no ONBOOT=yes BROADCAST=10.255.255.255 NETWORK=10.0.0.0 NETMASK=255.0.0.0 GATEWAY=10.0.0.1 IPADDR=10.90.90.67 TYPE=Ethernet #MTU=1500

# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet #DEVICE=eth1 #BOOTPROTO=dhcp #HWADDR=00:1A:64:08:6D:88 #ONBOOT=no #DHCP_HOSTNAME=nx-1.allot.com #TYPE=Ethernet DEVICE=eth1 BOOTPROTO=none HWADDR=00:1A:64:08:6D:88 ONBOOT=yes MASTER=bond0 SLAVE=yes USERCTL=no TYPE=Ethernet



To add Virtual IP Target for receipt of SNMP traps:

1. Open the NetXplorer GUI.

2. From Network in the Network Pane, right click and choose Configuration

3. Select the SNMP Tab

4. -HAP

cluster to ensure that traps are sent here.

F igure 2-32: Specifying N X-H AP IP for Receipt of SN MP T raps


Chapter 3: Configuration

Overview This chapter describes the processes used to configure, add and change NetEnforcers, Service Gateways and other devices as well as how to register and maintain users.

The NetXplorer, once installed on the network, enables the central configuration of managed NetEnforcers, Service Gateways and Monitoring Collectors. It has an easy GUI interface that provides access to all the devices via a device tree. All available configuration parameters can be accessed via the GUI.

Monitoring Collectors may be added between the NetXplorer Servers and the NetEnforcers or Service Gateways, in order to support sparse and remote geographic regions.

In order to manage more than one NetEnforcer or Service Gateway device using NetXplorer, the NetXplorer Server must be enabled by entering the appropriate key. This key may be entered at installation or at any time following.

Working with Devices In order for NetXplorer to manage a Device (NetEnforcer or Service Gateway, SMP, etc), it must be added to the NetXplorer's network and properly configured. The IP address of the NetEnforcer or Service Gateway is required for this procedure.

NOTE Initial configuration of the NetEnforcer or Service Gateway should be performed on the NetEnforcer or Service Gateway (via the CLI interface) before it is added to the NetXplorer configuration. Refer to the hardware manual for the specific NetEnforcer or Service Gateway model for details.

To add a NetEnforcer or Service Gateway:

1. In the Navigation pane, right-click Network in the Network of the Navigation tree and select New NetEnforcer from the popup menu.

OR

Select Network in the Network pane of the Navigation tree and then select New NetEnforcer from the Actions menu.

The NetEnforcer Properties - New dialog is displayed.



F igure 3-1: NetEnforcer Properties New Dialog

2. Enter the User Name and Password of the NetXplorer administrator and the IP address of the NetEnforcer or Service Gateway in the designated fields.

3. Assign a Monitoring Collector or Collector Group to the NetEnforcer or Service Gateway from the drop down menus. This means that the new NetEnforcer or Service Gateway will transmit its monitoring data to that Collector or Group only. If it does not matter which Collector is used, select <system defined>. If you do not have any Monitoring Collectors on the Network, select No Collector.

4. Click O K . The NetEnforcer or Service Gateway is added to the Navigation tree. The Add NetEnforcer operation can take up to a couple of minutes to complete.

To Import a NetEnforcer or Service Gateway:

1. A NetEnforcer or Service Gateway can be imported into NetXplorer if it already exists on the network but has not previously been part of this NetXplorer network or had NetXplorer enabled. When a NetEnforcer or Service Gateway is imported, its policy tables and catalogs remain intact and are imported into the NetXplorer database.

2. Select Import NetEnforcer from the Tools menu.

The NetEnforcer Properties - Import dialog is displayed.

F igure 3-2: NetEnforcer Properties Import Dialog



3. Enter the User Name and Password of the NetXplorer administrator and the IP address of the NetEnforcer or Service Gateway in the designated fields.

4. Assign a Monitoring Collector or Collector Group to the NetEnforcer or Service Gateway from the drop down menus. This means that the new NetEnforcer or Service Gateway will transmit its monitoring data to that Collector or Group only. If it does not matter which Collector is used, select <system defined>. If you do not have any Monitoring Collectors on the Network, select No Collector.

5. Click O K . The NetEnforcer or Service Gateway is added to the Navigation tree. The Import NetEnforcer operation can take up to a couple of minutes to complete.

To add a Monitoring Collector

1. In the Navigation pane, right-click Servers in the Network pane of the Navigation tree and select New Collector from the popup menu.

OR

Select Servers in the Network pane of the Navigation tree and then select New Collector from the Actions menu.

The Monitoring Collector Properties - New dialog is displayed.

F igure 3-3: Monitoring Collector Properties New Dialog

2. On the General tab, enter the Name and IP address of the Monitoring Collector.

3. In the Backup if Monitoring Collector Fails area, select one of the two radio buttons, No Backup or . If

is selected, select the backup Monitoring Collector from the drop down menu.



F igure 3-4: Monitoring Collector Properties New Dialog

4. In the Associated NetEnforcers tab, a list of all NetEnforcer or Service Gateways transmitting monitoring information to this Collector appears. They are assigned by right clicking on a NetEnforcer or Service Gateway in the Network pane and selecting Properties.

5. Click Save. The Monitoring Collector is added to the Navigation tree. The Add Monitoring Collector operation can take up to a couple of minutes to complete.

NOTE For more information concerning Monitoring Collectors, see the NetXplorer Administration Guide.

To add a Collector Group

Collector Groups are made up of two Collectors, providing 1+1 redundancy.

1. In the Navigation pane, right-click Servers in the Network pane of the Navigation tree and select New Collector G roup from the popup menu.

The Collector Group Properties - New dialog is displayed.

F igure 3-5: Collector G roup Properties New Dialog

2. In the Collector Group tab Select the two Collectors (already part of the network) to be included in the group. Collector 2 will act as the backup for Collector 1.

3. Those NetEnforcer or Service Gateways associated to the added Collectors will be listed in the Associated NetEnforcers tab.



4. Click Save. The Collector Group is added to the Navigation tree. The Add Collector Group operation can take up to a couple of minutes to complete.

To add an SMP

NOTE This feature is only available with the appropriate license key, enabling Subscriber Management. Contact Allot Customer Support at [email protected] for more information concerning your license.

1. In the Navigation pane, right-click Servers in the Network pane of the Navigation tree and select New SMP from the popup menu.

OR

Select Servers in the Network pane of the Navigation tree and then select New SMP from the Actions menu.

The SMP Properties - New dialog is displayed.

F igure 3-6: SMP Properties New Dialog

2. Enter the Name and IP address of the SMP.

3. Select the SMP Type using the radio buttons. Select either Subscriber Mapping, Subscriber Mapping Short Term Collector or Subscriber Mapping Short Term Collector Quota Management.

4. Click Save. The SMP is added to the Navigation tree. The Add SMP operation can take up to a couple of minutes to complete.

NOTE

To change the IP of a NetEnforcer or Service Gateway:

1. Select the NetEnforcer or Service Gateway device in the Navigation tree and then select Properties from the Actions menu.

The Device Properties-Update dialog is displayed.




F igure 3-7: Device Properties Update dialog

2. Enter the User name, Password of the NetXplorer administrator

3. Enter the new IP address of the NetEnforcer or Service Gateway in the designated field

4. Click Save

NOTE If you change the IP of the NetEnforcer or Service Gateway, you must also change the IP in the device configuration of the NetXplorer.

To Remove a NetEnforcer or Service Gateway from the network:

1. Right-click Network and select a NetEnforcer or Service Gateway and select Delete.

The following Delete message is displayed.

F igure 3-8: System Message

2. Click Yes to delete the NetEnforcer or Service Gateway.

To configure a NetEnforcer or Service Gateway via the NetXplorer:

1. In the Navigation pane, select and right-click the NetEnforcer or Service Gateway in the Navigation tree and select Configuration from the popup menu.

OR

Select the NetEnforcer or Service Gateway in the Navigation tree and then select Configuration from the View menu.

OR



Select the NetEnforcer or Service Gateway in the Navigation tree and then click the Configuration icon on the toolbar.

The Configuration window for the selected NetEnforcer or Service Gateway is displayed.

F igure 3-9: NetEnforcer Configuration

2. Configure the NetEnforcer or Service Gateway parameters, as required.

3. Click or select Save from the File menu to save the changes to the NetEnforcer or Service Gateway configuration.

NOTE For detailed descriptions of the parameters in each of the NetEnforcer Configuration tabs, refer to NetEnforcer Configuration Parameters in the NetXplorer Operations Manual.

The NetEnforcer Configuration parameters available in the NetEnforcer Configuration window are grouped on the following tabs:

General indicates the NetEnforcer or Service Gateway .

Identification and K eys includes parameters that provide system information and activation keys

SN MP enter the contact person, location, system name and description for SNMP purposes

Security includes security and authorization parameters

NI C includes parameters to configure the system interfaces to either automatically sense the direction and speed of traffic or use default parameters as well as parameters to define ports



Networking includes parameters that enable you to configure network topology

IP Properties enables you to modify the IP and host name configuration of your network interfaces as well as the DNS and connection control parameters

Date/Time includes the date, time and NTP server settings for the NetEnforcer or Service Gateway

Service Activation - includes IP and Port Redirection Parameters

Slots and Boards- includes device layout to provide schematic device components layout (when applicable) and status information

After modifying configuration parameters you must select Save in order for the changes to take effect. The save process prompts a rebooting of the NetEnforcer or Service Gateway. Rebooting is required to ensure that some saved parameter values are committed and activated on the NetEnforcer or Service Gateway.

Configuring NetXplorer Users NetXplorer implements a role-based security model. The role defined for each authorized user indicates the scope of operations that can be performed by the user.

There are three types of NetXplorer roles, as follows: Regular: Read/write privileges in the NetXplorer application not

including User Configuration definitions. Monitor: Read-only access. Administrator: Read/write privileges in the NetXplorer application,

which includes read/write privileges to define User Configurations.

This section describes the processes used to register and maintain users. It includes how nformation and how to delete a user.

To Add a New User:

1. Select the Users Configuration Editor from the Tools menu.

2. The Users Configuration Editor dialog is displayed, listing all currently defined NetXplorer users.



F igure 3-10: Users Configuration Editor

3. Click Add.

The User Editor dialog is displayed.

F igure 3-11: User Editor

4. Enter the name of the user in the User Name field.

5. Enter a password for the user in the Password field and then again in the Confirm PW field.

NOTE The user password must be at least six characters in length and include at least one numerical digit.

6. Set the permissions level of the user by selecting the radio button for the required role (Administrator, Regular or Monitor).

7. (Optional) Enter the user's contact information in the Email and phone fields. You can also enter a brief description in the designated field.



8. Click O K .

9. The new user has been added to the list of users in the Users Configuration Editor dialog.

To edit user information:

1. In the Users Configuration Editor dialog (Figure 3-18), select the user whose information you want to edit

2. Click Edit.

The User Editor dialog is displayed.

3. Edit the user parameters, as required

4. Click O K .

To delete a user:

1. In the Users Configuration Editor dialog, select the user(s) to be deleted

2. Click Delete.

3. A confirmation message is displayed.

4. Click Yes to confirm the deletion.

The user is no longer able to access the NetXplorer.

WARNING There must be at least one Administrator user in the system.


Chapter 4: Monitoring Collectors

Overview

F igure 4-1: Collector F ront V iew

F igure 4-2: Collector Rear V iew

utilizes Distributed Monitoring Collectors. The collectors gather short-term network usage statistics from the NetEnforcer or Service Gateways.

Distributed monitoring collectors increase the scalability of your deployment. Each collector can support several NetEnforcers or Service Gateways. By deploying distributed collectors, you can increase the total number of NetEnforcers or Service Gateways supported by a single NetXplorer server. This is possible because the NetXplorer can split the storage of the real-time monitoring data between several short-term databases.

A second reason for using distributed monitoring collectors is to overcome connectivity issues in distributed networks. In order to support data collection, the line speed between the NetEnforcer or Service Gateway and the collector must be at least 10Mbps mainly for the high throughput devices such as AC-1000 and 2500. If you are working with a low throughput device, for example an AC-400 with 2 or 10 Mbps, statistics can be collected over slower connections without the need for distributed collectors.



Up until now, the collectors have always been situated on the NetXplorer server. However, some cases the networks have topology that does not allow for a 10Mbps line between the NetEnforcer or Service Gateway and the server. This can happen for example when the network is spread out over remote geographical locations. In such cases, the use of collectors is necessary. The line between the NetEnforcers or Service Gateways and their collectors will be at least 10Mbps. The line between the collectors and the NetXplorer server can be of lower capacity however, a collector is needed for each network zone that cannot guarantee a 10Mbps connection to the server.

A third reason for deploying distributed monitoring collectors is redundancy. If a collector is unavailable, data from the NetEnforcer or Service Gateways, which this collector supports, can automatically be collected by a defined backup collector.

Data Collection Process In addition to any external collectors which may be deployed, the NetXplorer server has its own internal short-term collector.

NOTE This short-term collector cannot be deleted even if there are external collectors.

Traffic statistics are collected in buckets. There are 30-second buckets and 5-minute buckets. The buckets are imported into the database by the collector per sample period. In a NetXplorer implementation, which does not include external collectors, the buckets are loaded into the short-term database, located on the NetXplorer, every 30 seconds or 5 minutes. Long-term buckets are created every hour on the NetXplorer and are then loaded into the long-term database on the same machine.

Implementations with external monitoring Collectors also collect samples in 30-second buckets and 5-minute buckets. The buckets are imported to the collector at every sample period. The data contained in the buckets is stored in the short-term database of the collector. The samples in the Database are aggregated into one-hour buckets, which are then loaded into the long-term database on the NetXplorer once an hour. Therefore, a NetXplorer implementation that includes external collectors will have additional traffic sent once an hour, namely, the long-term bucket. The short-term data, however, arriving every 30 seconds, will have a shorter distance to travel. This could be of great importance when NetEnforcers or Service Gateways do not have constant connectivity to the server. External monitoring collectors can significantly lower the burden on the NetXplorer server.

The monitoring data is saved on the NetXplorer server, and can be displayed in the GUI

Collector Redundancy In case a collector is unavailable, data from the NetEnforcers or Service Gateways that this collector supports can automatically be collected by a defined backup collector.

There are two types of redundancy models possible:



One type of redundancy model is the N+1 model. In this case, several collectors are all backed up by a single collector dedicated to this purpose. This solution takes into account that the probability of more than one collector failing is very low. However, it may be difficult to locate the backup collector in close proximity to all of the configured collectors.

F igure 4-3 N+1 Collector Redundancy

Where high performance redundancy is of particular importance, or where the network topology does not allow for the use of a single collector for backup, you will need to use the 1 to 1 redundancy model. In this situation, each collector has a dedicated backup collector as part of a Collector Group.

F igure 4-4 1+1 Collector Redundancy



NetXplorer Support Each NetXplorer server can support up to five external short-term collectors in addition to its one built-in internal collector.

Each collector can support a single Service Gateway (SG-Omega or SG-Sigma) or NetEnforcer AC-10000, up to two (2) NetEnforcers of the AC-5000 series, up to five (5) NetEnforcers of the AC-2500 or AC-10000 series, up to ten (10) NetEnforcers of the AC-800 or up to fifteen (15) NetEnforcers of the AC-400 series.

You can also combine NetEnforcers of different models according to this formula. For example, one collector can support three AC-1000s and six more AC-400s.

T -term collector can support additional NetEnforcers according to the same ratios.

NOTE This is a simple calculation based on a series of conservative assumptions. It is important to consult with Allot HQ to verify the exact number of collectors required.



Installing Monitoring Collectors Once the Collector has been physically installed, the following steps must be taken in installing Monitoring Collectors:

Set the collector s initial parameters

Physically connect the Collector to the network

Add the Collector to the NetXplorer using the NetXplorer user interface

Associate NetEnforcers or Service Gateways to the Collector.

To set initial parameters of the Monitoring Collector:

1. Connect a monitor and keyboard to the appropriate connectors of the Monitoring Collector.

F igure 4-5: Connecting the Collector Rear V iew

2. When prompted, enter admin for the login and allot for the password.

3. Enter the following command to set the IP address, network mask and default gateway: go config ips ip <IP ADDRESS>:<NETWORK MASK> -g <DEFAULT GATEWAY>

4. The Collector should be set to STC (short term collector) mode. This can be checked by running the following command: dev_setup.sh v command. If the device mode is not set to STC use the following command to set it as an STC appliance: dev_setup.sh m stc



Change the password by entering the following command: passwd

5. When prompted, enter a new password, between 5 and 8 characters in length and press <enter>.

6. Enter the new password a second time when prompted to confirm the change.

To add the new Monitoring Collector to the network:

1. Open NetXplorer.

2. In the Navigation pane, right-click Servers in the Network pane in the Navigation tree and select New Collector from the popup menu.

The Monitoring Collector Properties - New dialog is displayed.

F igure 4-6: Monitoring Collectors Properties dialog General tab

3. On the General tab, enter the IP address of the Monitoring Collector.

4. Enter a name for the Monitoring Collector.

5. In the Backup if Monitoring Collector Fails area, select one of the two radio buttons, No Backup or On Failure, T ransfer To

6. If you select On Failure, T ransfer To, select the backup Monitoring Collector from the drop down menu.

7. Click Save. The Monitoring Collector is added to the Navigation tree. The New Collector operation can take up to a couple of minutes to complete.

NOTE There are no NetEnforcers or Service Gateways associated with this collector yet, therefore the Associated NetEnforcers tab is disabled.

8. Repeat this process as often as required to add further Collectors to the network.



To assign NetEnforcers to the new Monitoring Collector:

1. In the Navigation pane, right-click a NetEnforcer or Service Gateway in the Navigation tree and select Properties from the popup menu.

The NetEnforcer Properties - Update dialog is displayed.

F igure 4-7: NetEnforcer Properties dialog

2. Assign a Monitoring Collector to the NetEnforcer or Service Gateway from the drop down menu. This means that the NetEnforcer or Service Gateway will transmit its monitoring data to that Collector only. If it does not matter which Collector is used, select <system defined>.

3. If there is currently a collector associated with this NetEnforcer or Service Gateway, its unique name is displayed. Select a new monitoring collector from the drop down menu.

4. Click Save.

To verify that the new collector has been associated with the NetEnforcer or Service Gateway, select the collector in the Navigator pane and click Properties. You should see the NetEnforcer or Service Gateway in the Associated NetEnforcer tab.

NOTE: You cannot change the association from this dialog, only from the NetEnforcer properties dialog.

To view the NetEnforcers or Service Gateways associated with a Monitoring Collector

1. Right-click the selected collector and choose properties. The Associated NetEnforcers tab is not disabled and you can view a list of all NetEnforcer or Service Gateways transmitting monitoring information to this Collector.



F igure 4-8: Monitoring Collector Properties - Update

Collector Groups Collector Groups are made up of two Collectors, providing 1+1 redundancy for each other.

To add a Collector Group

1. In the Navigation pane, right-click Servers in the Network pane of the Navigation tree and select New Collector G roup from the popup menu.

The Collector Group Properties - New dialog is displayed.

F igure 4-9: Collector G roup Properties New Dialog

2. In the Collector Group tab Select the two Collectors (already part of the network) to be included in the group. Collector 2 will act as the backup for Collector 1.

3. Those NetEnforcers or Service GatewayCollectors will be listed in the Associated NetEnforcers tab.

4. Click Save. The Collector Group is added to the Navigation tree. The Add Collector Group operation can take up to a couple of minutes to complete.



Configuring Monitoring Collectors To configure a Monitoring collector, you will use two dialogs. The first is the Configuration dialog and the second is the Properties dialog.

- Configuration

1. In the Navigation pane, right-click the Collector and select Configuration

The configuration window for that collector is displayed.

The dialog shows the following tabs:

General V

F igure 4-10: Collector Configuration Window - General Tab

SN MP - Add a contact person, location and system name for SNMP purposes

NOTE The Collector, as well as the NetEnforcer or Service Gateway supports SNMP (Simple Network Management Protocol) that includes standard MIB II traps.

F igure 4-11: SN MP Tab

Date/Time Configure the time zone according to the geographical location of the collector



NOTE The NTP server cannot be changed

F igure 4-12: Date/Time Tab

IP Properties Inset the IP Address, Network Mask, Default Gateway, Host Name, Domain Name, Primary Server and the Secondary Server

NOTE server aware of this change by changing the IP in the ColleProperties dialog.

F igure 4-13: IP Properties Tab

Security Check the appropriate boxes to apply general security attributes. Select the radio button to limit access to specific hosts

NOTE If you select Unrestricted Access Allowed, any host can access the system.



F igure 4-14: Securities Tab

- Properties

1. In the Navigation pane, right-click the Collector and select Properties

2. The Monitoring Collectors Properties dialog is displayed.

F igure 4-15: Monitoring Collector Properties Update Dialog

The dialog shows two tabs:

General Set the name, IP and backup setting of the Collector

Associated NetEnforcers - View the NetEnforcer or Service Gateways currently associated with this collector.

NOTE Collector Role shows the collectors as configured. It will show a collector as backup only if the configured collector is unavailable and the backup collector is operating instead.



Troubleshooting the Collector

Command Line Interface To connect to the collector using an SSH connection

1. Login as user admin with the password allot.

2. Enter go config, with no additional parameters, to view all the available configuration commands

3. Enter go config plus parameter to view the available commands for that parameter

For example, enter go config ips to view the available CLI options for ips

Processes To check that all of the collector's processes are running, enter the command keeper Mgr l

The processes that should be running include:

dbserv9

AllSnmpAgent

The following processes must be running to insure proper data collection

Converter.exe

Loader.exe

Poller.exe

Logs and Snapshots Log files for the collector are located in the following directory: opt/allot/log.

To take a snapshot of a Collector, run the following script on the Collector: host:/opt/allot/bin$ create_snapshot_logs.sh

Snapshots can be found in the tmp folder located at: host:/opt/allot/tmp$



Recreating Databases To recreate the default database of the collector, login to the collector as root user and use the following command: ./recreate_db.sh stc

Output Example

NetXplorerCollector:/opt/allot/bin# ./recreate_db.sh stc Create(initialization) database - allot_stc Adaptive Server Anywhere Initialization Utility Version 9.0.2.3397 Creating system tables Collation sequence: ISO1LATIN1 Creating system views Setting permissions on system tables and views Setting option values Initializing UltraLite deployment option Database "/opt/sybase/data/db/stc/allot_stc.db" created successfully Create user - nms Create dbspaces Create tables Load default data into database Get mediation device type for stc database Mediation device type is 1 Configure parameters Version name is 8.1.0b07 Create stored procedures and user defined functions Add common STC/LTC stored procedures and user defined functions Create database events Create database remote server/table Configure database Pre-allocate space for dbspaces Fri Jan 23 18:44:13 GMT 2009 !!! This script will work up to 60-120 minutes !!! Fri Jan 23 19:39:03 GMT 2009 NetXplorerCollector:/opt/allot/bin# reboot

Changing IP Addresses To change the IP address of the NetEnforcer or Service Gateway and Collector:

1. Stop the NX Server process (in Windows Services).



2. Copy the original CFG folder on the server to another place for backup. It is located in $Allot\data\db.

3. Start the NX Server process again.

4. Login and delete the NEs and Collector from the NX server (that enables us not to affect the device policy on the NetEnforcer or Service Gateways during the process). The NE's must be deleted before the collector (right-click on each and choose delete).

5. Stop the NX Server process again.

6. Change the IP address and reboot the server.

7. Now logon to the collector as admin. Reboot it with the command 'reboot'.

8. Log back onto the Collector again and change the IP address and gateway to change the ip on the collector run the follow command: go config ips -ip oob:<C URR E N T C O L L E C T O R IP>:255.255.255.0 -g <N E W C O L L E C T O R IP>

9. Reboot the collector.

10. Log back onto the NX Server, stop the service, and copy the backup CFG folder back to its original location.

11. Start the NX server process.

12. Right click on the configuration of the collector and change it to the new IP address.


Chapter 5: Database Management

The NetXplorer is a centralized management system, which enables the ongoing collection and consolidation of data from multiple NetEnforcer or Service Gateway devices that enable users to produce consolidated reports. The key to a centralized system is the ability to consolidate information from all the managed groups that are being monitored. Because NetXplorer allows for the ongoing collection and consolidation of data from multiple NetEnforcer or Service Gateway devices, users are able to produce consolidated reports based the information collected.

In order to manage the collected data, there are three databases:

C F G Tables - Configuration parameters

ST C Database Short term database

L T C Tables Long term database

Backup Terms Full Backup A backup process that copies all of the data to a location from

which we can create an entire database.

Incremental Backup A process that preserves only the changes made since the latest backup, either full or incremental, the latest of them.

Database Restore A process to create a database using the backup copy. Typically, the restore process consists of copying the latest full backup to the

performed after that last full backup.

Backup generation Backups are kept cyclically as generations. Each generation is a full set of backup files capable of restoring the database to the point in time in which its last iteration was created. Each generation typically consists of one full backup and several incremental backups.

Incremental Backup ser ial number Within a certain generation, incremental backups are performed one after another, each one being part of a certain serial number.

Using Backups to Achieve NX Redundancy The following scenario is one suggestion for using backups to achieve NetXplorer redundancy:



1. Install two NetXplorer servers, one used exclusively as backup.

2. Schedule regular backups for the CFG and STC databases.

3. Perform a manual backup of the LTC database once per day/week/months (depending on the requirements)

4. In the event that the main NetXplorer server fails, assign the same IP to the backup NetXplorer server.

5. Restore the CFG, STC, and LTC database backups to the new NetXplorer.

Database Management on Windows Backup Types

Cold backup Performed with the NetXplorer server offline.

Hot backup Performed without interrupting NetXplorer operation

Cold Backup To perform a Cold backup:

1. Stop the NetXplorer Service.

Click Start on the Windows Task Bar and select Settings > Control Panel.

Double-click Administrative Tools and open Services.

Right-click NetXplorer Server in the list of Services and select Stop from the drop-down menu.

Check the allot_ltc.txt, allot_stc.txt log files located under Allot Home Directory\Logs in order to verify that NetXplorer services are not running: The following lines should appear in both allot_ltc.txt, allot_stc.txt log files: " Disable all events " " End of current events "

2. Copy Allot Home Directory\data\db folder to a backup directory

3. Restart the NetXplorer Service.





Right-click NetXplorer Server in the list of Services and select Start from the drop-down menu.

NOTE If a customer is upgrading from a previous NetXplorer version the backup directory will be located at Allot Home Directory\data\db.

To restore the Cold backup:






2. Restore the database by copying the backup to the following folder: /opt/sybase/data/backup/cfg O R d:\allot\data\backup. If you get a "Confirm Folder Replace" pop-up window, then press "Yes to All".







Hot Backup Database Types

Configuration Tables (C F G) Full backup and periodical incremental backups, manually or scheduled. Full backup is performed once a day while the incremental backup is performed every hour. All values are configurable by the user and can be changed according to requirements.

Short Term Collector Database (ST C) Full backups only, manually or scheduled. STC full backup only backs up a set of files that hold the values kept in key tables (such as param) but the actual traffic data is N O T saved. The restore process, therefore, recreates a new database from scratch, performs a delete and then loads the key tables mentioned.

Long Term Collector table (L T C) Full backups only. This is a manual process only

Backing up CFG Tables NOTE The following commands should not be cut and pasted into the DOS

window, but typed in. They may not function properly unless entered manually.

To perform an incremental hot backup manually:

1. Open a Microsoft DOS window on the NetXplorer Server.

2. Open the Allot\Bin directory (by default D:\Allot\bin).

3. At the prompt enter the following command:

db_maint a backup n cfg t incremental

To perform a full hot backup manually:




db_maint a backup n cfg t full

To check the hot backup parameters:






db_maint a backup_status n cfg sa list

The backup parameters will indicate what scheduled backups are enabled, when they are scheduled, and how many generations will be backed up.

To enable incremental scheduled hot backups:

NOTE Incremental scheduled hot backup is enabled by default.




db_maint a backup_status n cfg t incremental sa enable

To schedule an incremental hot backup for a specific time:




db_maint a backup_status n cfg t incremental sa change_sched ns <TIME>



To set the amount of time between scheduled incremental hot backups:



3. Enter the following command:

db_maint a backup_status n cfg t incremental sa change_sched ni <VALUE> nt <UNIT OF TIME>

For example, to set a period of 2 hours between incremental backups, enter the following command

db_maint a backup_status n cfg t incremental sa change_sched ni 2 nt hours

To schedule a full hot backup for a specific time:




db_maint a backup_status n cfg t full sa change_sched ns <TIME>



To set the amount of time between scheduled full hot backups:




db_maint a backup_status n cfg t full sa change_sched ni <VALUE> nt <UNIT OF TIME>

For example, to set a period of 20 hours between full backups, enter the following command

db_maint a backup_status n cfg t full sa change_sched ni 20 nt hours

To change the backup directory:




db_maint a backup_status n cfg sa change_dir nd <NEW LOCATION PATH>

For example, to change the database directory to cfg1, enter the following command

db_maint a backup_status n cfg sa change_dir nd D:\backup\cfg1



To change the number of generations:




db_maint a backup_status n cfg sa change_gen ng <VALUE>

Restoring CFG Tables





db_maint a backup_status n cfg sa list

The backup parameters will indicate the generation numbers of the backups.

The increment number must be found in the correct folder under the backup folder (for example: D:\Allot\backup\cfg\5\incremental).

To restore the database:











db_maint a restore n cfg s <D:\Allot\backup\cfg or LOCATION PATH> g <GENERATION NUMBER> i <INCREMENT NUMBER> d <D:\Allot\data\db\cfg or LOCATION PATH> -b <TEMP LOCATION TO KEEP CURRENT CONFIGURATION>







Backing up STC Databases





db_maint a backup n stc t full





db_maint a backup_status n stc sa list






db_maint a backup_status n stc t full sa change_sched ns <TIME>







db_maint a backup_status n stc t full sa change_sched ni <VALUE> nt <UNIT OF TIME>


db_maint a backup_status n stc t full sa change_sched ni 20 nt hours

To change the hot backup directory:




db_maint a backup_status n stc sa change_dir nd <NEW LOCATION PATH>


db_maint a backup_status n cfg sa change_dir nd D:\backup\cfg1







db_maint a backup_status n stc sa change_gen ng <VALUE>

Restoring STC Databases





db_maint a backup_status n stc sa list

The backup parameters will indicate the generation numbers of the backups












db_maint a restore n stc s <D:\Allot\backup\stc or LOCATION PATH> g <GENERATION NUMBER> i 0 d <D:\Allot\data\db\stc or LOCATION PATH>







Backing up LTC Tables





db_maint a backup n ltc t full





db_maint a backup_status n ltc sa list





db_maint a backup_status n ltc sa change_dir nd <NEW LOCATION PATH>


db_maint a backup_status n ltc sa change_dir nd D:\backup\cfg1




1. Access the NetXplorer via Telnet.



db_maint a backup_status n ltc sa change_gen ng <VALUE>

Restoring LTC Tables


1. Access the NetXplorer via Telnet.



db_maint a backup_status n ltc sa list













db_maint a restore n ltc s <D:\Allot\backup\ltc or LOCATION PATH> g <GENERATION NUMBER> d <D:\Allot\data\db\ltc or LOCATION PATH>





Database Management on Linux Backup Types

Cold backup Performed with the NetXplorer server offline.

Hot backup Performed without interrupting NetXplorer operation

Cold Backup To perform a Cold backup:

1. Telnet to the NetXplorer Server


As root user run the following command: service netxplorer stop

Wait for the following message - Stopping NetXplorer Server (this may take a few minutes) [OK]

3. Copy the /opt/Sybase/data/db directory to a backup directory

4. Restart the NetXplorer Service

As root user run the following command: service netxplorer start

To restore the Cold backup:







3. Copy the backup directory to /opt/Sybase/data/db



Hot Backup Database Types

Configuration Tables (C F G) Full backup and periodical incremental backups, manually or scheduled. Full backup is performed once a day while the incremental backup is performed every hour. All values are configurable by the user and can be changed according to requirements.

Short Term Collector Database (ST C) Full backups only, manually or scheduled. STC full backup only backs up a set of files that hold the values kept in key tables (such as param) but the actual traffic data is N O T saved. The restore process, therefore, recreates a new database from scratch, performs a delete and then loads the key tables mentioned.

Long Term Collector table (L T C) Full backups only. This is a manual process only

Backing up CFG Tables NOTE The following commands should not cut and pasted into the telnet

session, but typed in. They may not function properly unless entered manually.

To perform an incremental hot backup manually:

1. Telnet to the NetXplorer Server.

2. Open the /opt/allot/bin/ directory.

3. Enter the following command as the root user:

./db_maint_sudo.sh a backup n cfg t incremental







./db_maint_sudo.sh a backup n cfg t full





./db_maint_sudo.sh a backup_status n cfg sa list


To enable incremental scheduled hot backups:




./db_maint_sudo.sh a backup_status n cfg t incremental sa enable

To schedule an incremental hot backup for a specific time:




./db_maint_sudo.sh a backup_status n cfg t incremental sa change_sched ns <TIME>



To set the amount of time between scheduled incremental hot backups:




./db_maint_sudo.sh a backup_status n cfg t incremental sa change_sched ni <VALUE> nt <UNIT OF TIME>

For example, to set a period of 2 hours between incremental backups, enter the following command

./db_maint_sudo.sh a backup_status n cfg t incremental sa change_sched ni 2 nt hours





./db_maint_sudo.sh a backup_status n cfg t full sa change_sched ns <TIME>





./db_maint_sudo.sh a backup_status n cfg t full sa change_sched ni <VALUE> nt <UNIT OF TIME>


./db_maint_sudo.sh a backup_status n cfg t full sa change_sched ni 20 nt hours

To change the backup directory:






./db_maint_sudo.sh a backup_status n cfg sa change_dir nd <NEW LOCATION PATH>





./db_maint_sudo.sh a backup_status n cfg sa change_gen ng <VALUE>

Restoring CFG Tables





./db_maint_sudo.sh a backup_status n cfg sa list

The backup parameters will indicate the generation numbers of the backups.

The increment number must be found in the correct folder under the backup folder (for example: /opt/Sybase/data/db/cfg/5/incremental).








./db_maint_sudo.sh a restore n cfg s <LOCATION PATH> g <GENERATION NUMBER> i <INCREMENT NUMBER> d <LOCATION PATH> -b <TEMP LOCATION TO KEEP CURRENT CONFIGURATION>







Backing up STC Databases





./db_maint_sudo.sh a backup n stc t full





./db_maint_sudo.sh a backup_status n stc sa list






./db_maint_sudo.sh a backup_status n stc t full sa change_sched ns <TIME>







./db_maint_sudo.sh a backup_status n stc t full sa change_sched ni <VALUE> nt <UNIT OF TIME>


./db_maint_sudo.sh a backup_status n stc t full sa change_sched ni 20 nt hours





./db_maint_sudo.sh a backup_status n stc sa change_dir nd <NEW LOCATION PATH>





./db_maint_sudo.sh a backup_status n stc sa change_gen ng <VALUE>

Restoring STC Databases





./db_maint_sudo.sh a backup_status n stc sa list










./db_maint_sudo.sh a restore n stc s <LOCATION PATH> g <GENERATION NUMBER> i 0 d <LOCATION PATH>





Backing up LTC Tables





./db_maint_sudo.sh a backup n ltc t full





./db_maint_sudo.sh a backup_status n ltc sa list





./db_maint_sudo.sh a backup_status n ltc sa change_dir nd <NEW LOCATION PATH>







./db_maint_sudo.sh a backup_status n ltc sa change_gen ng <VALUE>

Restoring LTC Tables





./db_maint_sudo.sh a backup_status n ltc sa list








./db_maint_sudo.sh a restore n ltc s <LOCATION PATH> g <GENERATION NUMBER> d <LOCATION PATH>




Chapter 6: Command Line Interface (CLI)

The Server CLI described in this chapter enables you to modify the NetEnforcer, Service Gateway or NetXplorer database from the command line rather than the GUI. The CLI supplies a set of commands to add, change, rename and remove NetEnforcer or Service Gateway entities, such as, Pipes, Virtual Channels or other Catalog entries and change the configuration of the NetEnforcer or Service Gateway. You can also use the CLI to set system parameters and device settings.

There are two types of NetXplorer Server CLI: Provisioning CLI, which enables you to create traffic policies

via CLI without using the NX GUI Monitoring CLI, which enables you to generate .csv based

traffic and subscriber network usage reports via CLI without using the NX GUI

The Allot Command Line Interface is available in both Windows and Linux format. When NetXplorer Server is installed on a Linux server, either format may be used. However, if NetXplorer is installed on a server running Windows, only the Windows CLI is available.

NOTE The computer used to send CLI commands to the NetXplorer or to NetEnforcer or Service Gateway devices must have Java installed and be included in the allowedHosts.properties.

Scripts

Scripts can contain CLI commands in order to automate the data entry process.

Provisioning CLI To use the provisioning CLI in Windows:

1. Unzip the file \<V E RSI O N NU M B E R>\RnD\WSCli.zip on the NetXplorer Software CD to a folder on the computer from which you wish to access the statistics.

2. The newly created folder contains 4 batch files: topologyC L I .bat, policyC L I .bat, catalogsC L I .bat and wuC L I .bat. Each of these files needs to be edited. Open a .bat file using a text editor. Look for the -Dserver parameter. It is set by default to the local host, 127.0.0.1. Change the value to the IP Address of the NetXplorer Server you wish to work with.

3. The NetXplorer server must be configured to allow your computer to use its web services. On the NetXplorer server machine go to: <allot home>\netxplorer\jboss-4.0.2\server\allot\conf. Open the



file allowedHosts.properties with a text editor. Add the IP of the machine the CLI is going to be run on in the following format: <IP>=<IP>.

4. Open cmd and go to the folder to which you extracted the files, run the batch files you require and enter CLI commands.

To use the provisioning CLI in Linux:

1. Go to the /opt/allot/netxplorer/jboss-4.0.5/server/allot/conf directory.

2. Edit the allowedHosts.properties to show either 127.0.0.1=127.0.0.1 OR the IP of the server.

3. Unzip the file \<V E RSI O N NU M B E R>\RnD\WSCli.zip on the NetXplorer Server.

4. The newly created folder contains four .sh files: topologyC L I .sh, policyC L I .sh, catalogsC L I .sh and wuC L I .sh.

5. From the NetXplorer client machine, telnet to the folder on the server to which you extracted the files and enter CLI commands.

There are 4 types of provisioning CLI:

Topology C L I is used to add, import or remove NetEnforcer or Service Gateway devices from the managed network.

Catalog C L I is used to create, delete or modify the catalogs used to build traffic policies

Policy C L I is used to create lines, pipes and VCs (collectively known as

W U C L I is used to update the service catalog to the latest protocol pack and roll-back if necessary.

Topology CLI Topology CLI commands are used to add, import of remove NetEnforcers and Service Gateways to the Network

The Topology CLI syntax on Windows is:

topologyCLI <action> <option> <value> [<value>] [<option> <value>

The Topology CLI syntax on Linux is:

./topologyCLI.sh -<action> <option> -<value> [<value>] [<option> <value>



The following actions are possible: 1. addDevice 2. importDevice 3. deleteDevice 4. help

Add Device topologyCLI addDevice

options: o -uiName <value: name> o -netAddress <value: ip> o -password <value: password>

Import Device topologyCLI importDevice

options: o -uiName <value: name> o -netAddress <value: ip> o -password <value: password>

Delete Device topologyCLI deleteDevice

options: o -uiName <value: device name>

Catalogs CLI Catalogs CLI is used to add, modify and delete catalogs

The Catalogs CLI Syntax in Windows is: catalogsCLI -<action> -<catalog> [<-option> <value>]

The Catalogs CLI Syntax in Linux is: ./catalogsCLI.sh -<action> -<catalog> [<-option> <value>]

Actions

List All catalogsCLI list_all

No required arguments

Get catalog



catalogsCLI get catalog name

Required arguments:

o -name existing name of the required catalog

Delete catalog catalogsCLI delete catalog name

Required arguments:

o -name existing name of the required catalog

Add catalog catalogsCLI add catalog name

Required arguments:

o name - existing name of the required catalog

Arguments:

o See Options for the specific catalog and global options.

Update catalog catalogsCLI update catalog name

Required arguments:

o -name existing catalog name

Arguments:

o See Options for the specific catalog and global options.

Catalogs o tos

o dos

o qos

o vlan

o alert

o action

o time

o host

o host group

o service



o service group

Options

Global

ARGUMENT NAME OPTION REMARKS

Name Catalog name

access_right Access right 0-read only 1-provisioned user 2-super user 3-super provisioned user

Admin Desirable source status 0-unknown 1-enabled 2-disabled 3 deleted

description Catalog description

DoS Catalog Arguments ARGUMENT NAME OPTION REMARKS

max_connections Connections limitation

max_CER Connection establishment rate limitation

violation_action Violation action 2 drop 3 - reject

Vlan Catalog Arguments ARGUMENT NAME OPTION REMARKS

vlan_type Vlan type 0-Do not ignore 1-Ignore Vlan id 2-Ignore priority bits 3 Ignore Vlan id and priority bits

vlan_tag Vlan value

For example, to list all VLAN catalogs, use the following command:

catalogsCLI -list_all vlan For example, to change the value of an existing VLAN catalog, use the following:

catalogsCLI -update vlan name vlan_name tag 256



set to ignore VLAN ID and priority bits, use the following command

catalogsCLI -add -vlan name vlan_name vlan_type 3 -tag 128

For example, to delete a VLAN catalog called vlan_name, use the following command:

catalogsCLI -delete vlan name vlan_name

ToS Catalog Arguments ARGUMENT NAME OPTION REMARKS

tos_type 0-Ignore Tos bytes 1-Differentiated services 2-Free format

tos_byte Tos value

Alert Catalog Arguments ARGUMENT NAME OPTION REMARKS

alert_type Event Name From EVENT_DEF_CORE table

oid OID of the corresponding MIB counter

From ALERT_COUNTER table

is_alarm Alert is an alarm 0-not an alarm 1-is an alarm

mode Alert mode 0-regular 1-applies to every template instance

severity 0-unknown 1-cleared 2-indeterminate 3-critical 4-major 5-minor 6-warning

relation 0-equal 1-greater 2-less 3-not equal

threshold Bad value

normal Normal value




register % time in the sample to start the event (start barrier)

unregister % time in the sample to stop the event(stop_barrier)

Qos Catalog Arguments ARGUMENT NAME OPTION REMARKS

qos_type 1-ignore 2-each VC 3-both VC 4-each pipe 5-both pipe 6-half duplex pipe 7-each line 8-both line 9-half duplex line 10-PCMM 11-SDX 12 -ENH_EACH_VC 13 -ENH_BOTH_VC 14 -ENH_EACH_PIPE 15 - ENH_BOTH_PIPE 16 - ENH_EACH_LINE 17 - ENH_BOTH_LINE 18 - ENH_EACH_SLINE 19 - ENH_BOTH_SLINE

qos_action

direction 0-for both direction 1-for internal (outbound) 2-for external (inbound)

mode

is_reserved Minimum reserved bandwidth on use

Only for pipe

min_bw

max_bw

min_bw_conn




max_bw_conn

mode 0-burst 1- CBR (constant bit rate)

delay if mode=CBR, then max time in microsecond for the package to be in the system (box)

burst for all flows of this VC

bw_type bandwidth type measure 0-absolute value 1- percent from max

priority

Action Catalog Arguments ARGUMENT NAME OPTION REMARKS

location Action source 0 Application server 1-device

action_type action type 1-script 2-email 3-sms 4-stored procedure

actor Script, stored procedure name ; e-mail address

Host Catalog Arguments ARGUMENT NAME OPTION REMARKS

host_type Host type 0 - regular (entries) 1 - data source (queries) 2 - NE for the compression (entries)

device_id host device For common host device ID is null

add_entry New host-entries Syntax: TYPE TYPE values are: Name / ip_address / subnet / range / Mac_address / all_address

remove_entry Entries to remove

For example, to change the value of an existing host catalog called testA, use the following:



catalogsCLI -update host name testA -add_entry ip_address:1.1.1.1 As a further example, to add a new host catalog called testB, use the following:

catalogsCLI -add host name testB -add_entry ip_address:2.2.2.2

Host Group Catalog Arguments ARGUMENT NAME OPTION REMARKS

add_host Host list that will be added to the host group

remove_host Host list that will be removed from the host group

For example, to remove existing hosts from a host group, use the following:

catalogsCLI -update -host_group -name group1 -remove_host host1,host2 -add_host host3

Service Catalog Arguments ARGUMENT NAME OPTION REMARKS

service_type Service type 0 - secondary service - content definition 1-primary service - ports characteristics

application An existing application name

Null for all.

add_port Protocol:port_type:from-port:[to- Protocols {TCP,UDP,IP,NON_IP}. Port types: {SIGNATURE,DEFAULT,PORT_BASED}

remove_port

parent Parent service For service content only.

add_content_item For service content use. Syntax: content_key:content_value remove_content_item

For example, to add a port based citrix service, use the following command:



catalogsCLI -add -service -service_type PRIMARY -name service1 -type 1 -application "Citrix ICA" -add_port TCP:PORT_BASED:1000:1000,UDP:DEFAULT:1100:1111 For example, to add a service content item for uploading 100BAO Peer to peer traffic, use the following command:

catalogsCLI -add -service service_type CONTENT -name "lilach by CLI" -description "added by CLI" -parent "100BAO" -add_item Direction:Upload

Service Group Catalog Arguments ARGUMENT NAME OPTION REMARKS

add_service service list that will be added to the service group

Syntax service-

Remove_service service list that will be removed from the service group

Time Catalog Arguments ARGUMENT NAME OPTION REMARKS

add_item Time items that will be added time catalog

Syntax service- TYPE:DAY[:TIME] while Type is {DAILY,WEEKLY,MONTHLY,ANUALLY}, DAY is the day number in week/month/year, Time format: hh:mm-hh:mm

Remove_item Time items that will be removed from the time catatlog

For example to add a time catalog (called time_name), daily at 10-100am, use the following command

catalogsCLI -add -time -name time_name -add_item DAILY:10:00-11:00,WEEKLY:2:10:00-11:00

Policy CLI Policy CLI commands are used to create or remove rules from the policy table. For the

CLI is used to add pre-defined catalogs or alarms to these rules. For the purposes of

The Policy CLI Syntax on Windows is:



policyCLI <action> <option> <value> [<value>] [<option> <value>

The Policy CLI Syntax on Linux is: ./policyCLI.sh -<action> <option> -<value> [<value>] [<option> <value>

Actions

o help

o addTube

o addFilter

o addAlarm

o listTube

o listPolicy

o deleteTube

o deleteFilter

o deleteAlarm

o updateTube

Options


tubeDeviceName Device Name Only active devices

tubeType Tube Type line, pipe, VC

tubeName Tube Name

tubeOffset Tube Offset (location) First filter is offset 0

tubeLineName Tube Line Name

tubePipeName Tube Pipe Name

tubeId Tube ID

tubeVcName Tube VC Name

tubePolicyId Policy ID Currently all options work with



ARGUMENT NAME OPTION REMARKS active

filterId Filter ID

filterDirection Direction 0-Bi, 1-Int. to Ext.,2- Ext to Int

filterService Service ID

filterServiceGroup Service Group ID

filterExternalHost External Host ID

filterExternalHostGroup External Host Group ID

filterInternalHost Internal Host ID

filterInternalHostGroup Internal Host Group ID

filterTime Time Catalog ID

filterTos Filter Tos ID

filterVlan Vlan ID

actionQos Qos ID

actionDos Dos ID

actionTos Action Tos ID

actionAccess Action Access

actionId Action ID

Alarmed alarm ID

alarmActionId

alarmAlertId

alarmParams Alarm Params



Add Tube policyCLI addTube

th in the list) to NetEnforcer 73, you would use the following command:

policyCLI -addTube -tubeDeviceName 73 -tubeType line -tubeOffset 11 -tubeName newLine

Required Arguments:

o -tubeDeviceName Device Name

o -tubeType Tube Type (line, pipe, VC)

o -tubeName Tube Name (unique in its level)

o -tubeOffset Tube Offset (starting at 0)

o -tubeLineName required for pipe and VC only

o -tubePipeName required for VC only

Optional Arguments (if not specified, defaults apply):

o All filter options except filterId

o All action options except actionId

o All alarm options except alarmed

Add Filter policyCLI - addFilter

Required Arguments:

o -tubeDeviceName

o -tubeType

o - tubeLineName

o - tubePipeName - Required for pipe and VC

o - tubeVcName Required for VC only

Optional Arguments:

o All filter options except filterId

Add Alarm policyCLI -addAlarm

Required Arguments:

o -tubeDeviceName

o -tubeType



o - tubeLineName



o - alarmActionId

o - alarmAlertId

Optional Arguments:

o alarmParams

List Tube policyCLI -listTube

Required Arguments:

o -tubeDeviceName

o -tubeType

o - tubeLineName



List Policy policyCLI -listPolicy

Required Arguments:

o -deviceId

Delete Tube/Filter/Alarm PolicyCLI -deleteTube/-deleteFilter/-deleteAlarm

For example, to delete a VC called VV1 from the fallback pipe in the fallback line of NE 73, you would use the following command:

policyCLI -deleteTube -tubeType vc -tubeDeviceName 73 -tubeLineName Fallback -tubePipeName Fallback -tubeVcName vv1

Required Arguments:

o -tubeDeviceName

o -tubeType

o - tubeLineName





o -filterId - For delete Filter only

o -alarmId - For delete Alarm only

Update Tube policyCLI updateTube

catalog, enter the following

-updateTube -tubeDeviceName 73 -tubeType vc -tubeLineName newLine -tubePipeName newPipe -tubeVcName newVc -

Required Arguments:

o -tubeDeviceName

o - tubeType

o - tubeLineName



o -filterId If filter fields were modified

o -alarmId if alarm fields were modified

Optional Arguments:

o tubeName

o All filter options

o All alarm options

All action options

Web Updates CLI The Web Updates CLI Syntax in Windows is:

The Web Updates CLI Syntax in Linux is:

./wuCLI.sh -<option> [<value>] [-

Device ID wuCLI -deviceId



ID number of the device to be updated/rolled back

Update Server wuCLI -updateServer

Updates the Service catalog of the NetXplorer Server

Update Device wuCLI -updateDevice

Updates the Service Catalog of the selected device

Update Number wuCLI -updateNumber

Selects the Protocol Pack to be used in the update.

For example, to update NE2 to protocol pack 2, use the following

wuCLI -updateDevice -deviceId 2 -updateNumber 2

Help wuCLI -help

Provides usage and help information.

Rollback Server wuCLI -rollbackServer

Rolls back the last update to the Services Catalog of the NetXplorer Server

Rollback Device wuCLI -rollbackDevice

Rolls back the last update to the Services Catalog of the selected device

For example to rollback NE2 to the last update, use the following command:

wuCLI -rollbackDevice -deviceId 2

Monitoring CLI The NetXplorer GUI may only display up to 50 items in a monitoring graph. Using monitoring CLI, reports may be generated as CSV files that include hundreds or thousands of items.



By using the Export to CLI function in the NetXplorer GUI, you can create a template for the monitoring CLI command and then simply change the parameters later.

NOTE The computer used to send CLI commands to the NetXplorer or to NetEnforcer or Service Gateway devices must have Java installed and be included in the allowedHosts.properties.

To enable the monitoring CLI in Windows:

1. Unzip the file \<V E RSI O N NU M B E R>\RnD\monitor C L I .zip on the NetXplorer Software CD to a folder on the computer from which you wish to access the statistics.

2. In the newly created folder, open monitor C L I .bat with a text editor and change the value of the parameter SE R V E R_UR L to the IP address or domain name of the NetXplorer server.

3. Open a DOS window, run monitor Cli.bat and enter a command requesting monitoring CLI command. The command is sent to the NetXplorer server. Any monitoring data returned by the NetXplorer server is stored in a .csv file.

The Monitoring CLI Syntax in Windows is:

To enable the monitoring CLI in Linux:

1. Unzip the file \<V E RSI O N NU M B E R>\RnD\monitor C L I .zip on the NetXplorer Server.

2. The newly created folder contains monitor C L I .sh.

3. From the NetXplorer client machine, telnet to the folder on the server to which you extracted the file and enter CLI commands.

The Monitoring CLI Syntax in Linux is: ./monitorCLI.sh -<option> [<value>] [-

Export to CLI It is possible to create a monitoring CLI command by first creating the report definition in the NetXplorer GUI and then generated a code string which may be edited and entered into the CLI.

To export a graph definition to CLI:

1. Create a graph definition using the NetXplorer user interface



2. Right click on the graph and select Export to C L I from the drop down menu.

3. The report definition is saved as a .txt file in whatever directory you choose.

4. You may edit the file to alter the report definition. For example if the graph shows the 10 most active Pipes, you can edit the .text file so that the CLI command will generate a graph showing the 100 most active Pipes simply by changing the value.

5. The file may now be used as input for the monitoring CLI To run the file, open a Command Prompt and run the monitoringCLI.

6. Use the inputFile parameter to specify the path to the .txt file and use the outputFile parameter to specify the location and name of the output (.CSV) file (as shown below).

NOTE This method is supported on servers running NX8.1.1 and later.



Monitoring Arguments ARGUMENT NAME OPTION REMARKS

-dayDefinitionArray DayDefinitionList Day Definition List in UTC used by Typical (50):

[Day(1-sun,2-mon,7-sat,0-all),startHour0,endHour0,startHour1,endHour1, ,startHourn,endHourn]

[Day,startHour0,endHour0,startHour1,endHour1,startHourn,endHourn]

-allSubjectsInScope Regular req All Subjects in scope.

-inputFile <file> Input request file

-help Provides usage and help information.

-longTermRequest Long Term Reporting.

-mostActive Most Active Request.

-relativeTimeUnit <relativeTimeId> Relative Time (default 1) :

[RelativeTimeUnit[Seconds=7], RelativeTimeUnit[Minutes=6], RelativeTimeUnit[Hours=1], RelativeTimeUnit[Days=2], RelativeTimeUnit[Weeks=3], RelativeTimeUnit[Months=4], RelativeTimeUnit[Years=5]]

-typicalType <TypicalTypeId> Request Typical Type :

[TypicalType [Day=1],

TypicalType[Week=2]]




-subject <subjectId> Request Subject (default 0) :

[SubjectType[Enterprise=0], SubjectType[NetEnforcer=1], SubjectType[Line=2], SubjectType[Pipe=3], SubjectType[Virtual Channel=4], SubjectType[Host=5], SubjectType[Internal Host=6], SubjectType[External Host=7], SubjectType[Protocol=8], SubjectType[Conversation=9], SubjectType[Subscriber=10]]

-time fromDate/Time toDate/Time

Request Date & Time {dd/MM/yyyy,HH:mm:ss}.

-relativeTimeCount relativeTimeCount Relative Time count (default 0) : 1..50.

-allAsOne Regular req All as one.

-sortingCriteria <statisticId> Most Active req Sort Based On (default 1) :

[StatisticType[TotalBandwidth=1], StatisticType[BandwidthIn=2], StatisticType[BandwidthOut=3], StatisticType[LiveConnections=4], StatisticType[DroppedConnections=6], StatisticType[NewConnections=5], StatisticType[PacketsIn=7], StatisticType[PacketsOut=8], StatisticType[HostCount=9], StatisticType[BurstIn1=20], StatisticType[BurstIn2=21], StatisticType[BurstIn3=22], StatisticType[BurstIn4=23], StatisticType[BurstIn5=24], StatisticType[BurstOut1=25], StatisticType[BurstOut2=26], StatisticType[BurstOut3=27], StatisticType[BurstOut4=28], StatisticType[BurstOut5=29]]




-subjectCapacity <capacity> Most Active req Subject capacity (default 5) : 1..50.

-distributor <distributorId> Most Active req Stack result by element:

[DistributorType[NetEnforcer=1], DistributorType[Line=2], DistributorType[Pipe=3], DistributorType[Virtual Channel=4], DistributorType[Host=5], DistributorType[Protocol=6], DistributorType[Subscriber=7]]

-outputFile <file> Output file result

-hostFilerArray <hostFilterList> Host Filter List(50): [hostIp or hostName] ... [hostIp or hostName]

-subjectArray <subjectDefinerList> Regular req Subject Definer List Inluded in Graph(50) :

[NE,Line,Pipe,Vc] [NE,Line,Pipe,Vc] or [hostIp or hostName] [hostIp or hostName] or [serviceId] [serviceId] or [hostIpIn,hostIpOut] [hostIpIn,hostIpOut]




-scopeLimiterType <ScopeLimiterId> Request Scope Limiter (Most active default 0) :

[ScopeLimiterType[Enterprise=0], ScopeLimiterType[NetEnforcer=1], ScopeLimiterType[Line=2], ScopeLimiterType[Pipe=3], ScopeLimiterType[Virtual Channel=4]]

-scopeLimiterArray

<ScopeLimiterList>

Scope Limiter List(50): [NE,Line,Pipe,Vc] ... [NE,Line,Pipe,Vc]

-isAllOthers Most Active req All Others

-splitter <splitterId> Most Active req Display Separately for each element:

[SplitterType[Host=1], SplitterType[Protocol=2], SplitterType[Subscriber=7], SplitterType[NetEnforcer=3], SplitterType[Line=4], SplitterType[Pipe=5], SplitterType[Virtual Channel=6]]

-resolution <resolutionId> Request Resolution (default 1) :

[AggregationResType[Level 0=1], AggregationResType[Level 1=2], AggregationResType[Hour=3], AggregationResType[Day=4], AggregationResType[Month=5]]

-serviceFilerArray <serviceFilterList> Service Filter List(50): [serviceId] [serviceId]




-adjustTime Adjust Time

Links Format [NE,Line,Pipe,Vc] / [NE,Line,Pipe,Vc,Template] /

[NE,Line,Pipe,Vc,InstanceType,instanceValue]:

1) [NE,Line,Pipe,Vc] simple VC = 1,2,3,4 ; simple Line = 1,2,0,0

2) [NE,Line,Pipe,Vc,Template] VC Template = 1,2,3,4,T ; Pipe Template = 1,2,3,0,T

3) [NE,Line,Pipe,Vc,InstanceType,instanceValue] VC Instance = 1,2,3,4,2,9999 ; Pipe Instance = 1,2,3,0,1,9999 [InstanceType[Pipe=1], InstanceType[Virtual Channel=2]]

Examples 5 Most Active NEs on Level0 resolution :

monitorCLI -mostActive -subject 1 -resolution 1 -time 22/11/2005,11:20:00

5 Most Active Hosts on Days resolution scope limited to NE #32 & #37 :

monitorCLI -mostActive -subject 5 -longTermRequest -resolution 4 time 20/11/2005,00:00:00 23/11/2005,23:59:59 -scopeLimiterType 1

-scopeLimiterArray 32,0,0,0 37,0,0,0

10 Most Active VCs on Level0 resolution scope limited to NE #32 stack result by Protocol

monitorCLI -subjectCapacity 10 -mostActive -subject 4 -resolution 1 -time 22/11/2005,11:20:00 22/11/2005,11:25:00 -scopeLimiterArray 32,0,0,0 -distributor 6

Statistics on NE #37, last 5Min on Level0 resolution :

monitorCLI -subject 1 -resolution 1 -time 22/11/2005,11:20:00 22/11/2005,11:25:00 -subjectArray 37,0,0,0

Pipes Distribution on Network, last 5Min on Level0 resolution :

monitorCLI -subject 3 -resolution 1 -time 22/11/2005,11:20:00 22/11/2005,11:25:00 -scopeLimiterType 0 -scopeLimiterArray 0,0,0,0

Statistics on VC Instance #37,1,1,1,2,42 last 5Min on Level0 resolution :

monitorCLI -subject 4 -resolution 1 -time 22/11/2005,11:20:00 -relativeTimeUnit 2 -subjectArray 37,1,1,1,2,42



Use regular monitor request file & create monitor result file (csv format) :

monitorCLI -inputFile c:\monitor_cli\monitor42060.req -outputFile c:\monitor_cli\monitor42060.csv

Use most active monitor request file & create monitor result file (csv format) :

monitorCLI -inputFile c:\monitor_cli\monitor42061.req -outputFile c:\monitor_cli\monitor42061.csv


Chapter 7: Troubleshooting

Troubleshooting Basics

First Steps There are some basic checks to begin with when troubleshooting almost any type of problem:

1. Validate that the NetXplorer server and relevant NetEnforcers or Service Gateways are actually up and running.

2. NetXplorer components (GUI, Server and NetEnforcers/Service Gateways) communicate with each other using the protocols and ports listed on p 2-17. Validate that the communication is not blocked by using the following command (on either the NetXplorer or NetEnforcer/Service Gateway): netstat an

3. Each one of the NetXplorer components has configured time settings. It is crucial that the component times are synchronized.

Processes

NetXplorer There are certain processes that should be running on the NetXplorer Server. These processes can be identified using several different tools when using Windows:

1. Use Windows Services (Start > Control Panel > Administrative Tools > Services) to check that NetXplorer Server is running

2. Use Windows Task Manager (C T R L+A L T+D E L and click Task Manager) to check that the following processes are running:

poller.exe, converter.exe and loader.exe

ltc_poller.exe and ltc_loader.exe

ltreducer (only appears periodically)

manifest_manager.exe (only appears periodically)

KeeperService.exe

Dbsrv9.exe (3 instances)

ntpd.exe



When on a Linux based server, use the command ps ef or ls to list running processes.

NetEnforcer or Service Gateway There are several processes that should always be running on the NetEnforcer or Service Gateway. These processes can be identified using the following command: swgadmin

Each time a process is restarted, its value increases. If one of the values is significantly higher than the others, it indicates that a process has been restarted. Restart may have been initiated automatically or manually.

Log Files Several key log files are stored on the NetXplorer Server. For the sake of convenience we can divide these into three main categories.

Database Logs Database log files are stored in C:\Allot\log (or /opt/allot/log on a Linux server). These files log the performance of the NetX three main databases cfg, stc and ltc as well as the data collection processes.

F igure 7-1: Database Logs

The allot_cfg log can be consulted for problems related to general configuration (e.g: saving policy, password). The allot_ltc log can be consulted for problems with long-term reporting, and the allot_stc log for problems with real-time monitoring.

In addition, the logs which record the data collection processes are also useful, specifically the Poller, Convertor and Loader logs. The keeper .log records the status of the keeper process which makes sure that all other processes are up.



F igure 7-2: K ey Database Logs

Application Server Logs The application server log files are stored in C:\Allot\netxplorer\jboss-4.0.5\server\allot\log (or /opt/allot/netxplorer/jboss-4.0.5/server/allot/log on a Linux server). These files are responsible for logging all of the java-based activity which takes place on the application server.

F igure 7-3: Application Server Logs

The events log records every event in the NetXplorer server. It can help you for example to view alarms that have been cleared from the GUI.

The N MS.log records every activity carried out by the application server such as records of alarms, GUI errors, web update checks, scheduled reports, and NetEnforcer or Service Gateways which have been added or imported. As soon as this log reaches 5Mb, a new one is created, and a log history is maintained up to a total of 20 NMS logs. The latest log is called simply NMS.log.



F igure 7-4: N MS.log Example

The N MS-Monitor .log records everything related to graphs and reports and the User Operations.log records of what has been done in the GUI by each user. This log can reach a total of 10Mb and the NetXplorer will store 20 such historic logs in the folder before over-writing the oldest one.

Installation Log The install_log can be found in C:\Allot\conf (or /opt/allot/conf if you are working on a Linux server). This simple log details the history of NX installations on the server. You can see here for example if the current installation was an upgrade from a previous version or a clean installation. This may be useful for detecting specific problems that are related to upgraded NetXplorers only.

F igure 7-5: Install Log



Snapshots

Windows This will prepare a zip-file that contains log and configuration files from all NetXplorer components (Application Server, Collector, Databases) and the last backup of the CFG (configuration allot_cfg) database.

F igure 7-6: Snapshot F ile

To create a snapshot in Windows:

1. Open MSDOS command window (cmd.exe). Run from command-line - % A L L O T_H O M E %\bin\ create_snapshot_logs.bat.

2. A message will appear in the command window indicating that the snapshot was taken successfully and its location.

Zip-file - snapshot_<yyyy_mm_dd_hh_mi> .tar.gz will be located in %ALLOT_HOME%\tmp directory.

Message Example

Snapshot zip-file - D:\Allot\tmp\snapshot_2005_10_26_19_09.tar.gz is ready

To create a snapshot in Linux:

1. Open directory /opt/allot/bin/

2. Run the following command: ./create_snapshot_logs.sh



3. A message will appear in the command window indicating that the snapshot was taken successfully and its location.

Message example -

Snapshot zip-file - /opt/allot/tmp/snapshot_2008_05_28_14_15.tar.gz is ready

How to restore CFG (allot_cfg) database from the Snapshot-File

1. Install the appropriate NetXplorer version from <snapshot>\conf\install_log.txt file.

2. From the <snapshot>\conf\dynamic.ini file discover the CFG path.

3. After installation, reboot the computer and stop the NetXplorer service.

4. Restore allot_cfg database using db_maint.exe from %ALLOT_HOME%\bin directory using the following command line operation:

db_maint -a restore -n cfg -t incremental -s <snapshot>\backup_cfg -g 1 -i <max incr number(1-22)> -d % A L L O T_H O M E %\data\db\cfg

5. <max incr number> - max number(1-22) in directory name from <snapshot>\backup_cfg\1\incremental (example: 10)

6. Start the NetXplorer service

The NetXplorer server is now ready to work with snapshot allot_cfg database

Login Errors Login errors can occur for several reasons:

Incorrect Java Version An error messages stating that netxplorer.jnlp is an unrecognized file extension typically indicates that the correct version of JRE has not been installed. Where JRE

application.

If the root cause of the issue is with Java, you can often solve it by clearing the Java Cache on the machine that cannot access the NetXplorer, and then reinstalling JRE.

Go to control panel and choose Java.



On the General tab, under Temporary Internet F iles, click on delete and then O K . This action will clear the java cache files. It will also remove the NetXplorer shortcut from the desktop.

Open browser with NX server IP address (http://<NXServer-IP>) and choose the the application.

If the previous method does not solve the problem, run Java WebStart - javaws.exe from the Java 1.5 environment.

This will typically be located at a location similar to: C:\Program F iles\Java\jre1.5.0_06\bin.

Delete anything shown on this screen (this will clear the cache).

Lack of Connectivity A common cause of GUI initialization problems is a lack of communication between the GUI and the NetXplorer, that is there is something on the network which may be blocking the traffic (HTTP port 80).

Below is a table of the TCP ports required for communication between the client and server.

Validate that there is nothing blocking communication on these ports and that all the required NetXplorer services are running.

PORT # DESCRIPTION

T CP:80 H T TP

T CP:1098 R M I (Java J2E E protocol)

T CP:4444 R M I (Java J2E E protocol)

T CP:1099 JNP (Java J2E E protocol)

T CP:8093 Alarms

Antivirus Conflict Antivirus or backup utilities could be interfering with the database, locking the file and not permitting changes to it. Antivirus and backup utilities can also cause many other types of problems for any operation involving a database modification.



It is highly recommended N O T to run antivirus or backup programs on folders where the databases reside. The database folder is usually located in: C:\Allot\data\dc\<DatabaseName>

Policy Saving Errors Typically, inability to save a policy can result from a communication problem between the GUI and the server, a communication problem between the NetEnforcer or Service Gateway and the server or a synchronization problem between the NetEnforcer or Service Gateway and the NetXplorer server.

To troubleshoot this problem, you must first understand how the provisioning data is updated in the system.

The process consists of 3 stages.

First of all, the NetXplorer server sends an XML command to the NetEnforcer or Service Gateway

The NetEnforcer or Service Gateway then performs the required changes and updates the counters.

Finally, the NetEnforcer or Service Gateway sends a trap back to the server.

If the server has successfully sent the XML, the request should be received by the DataSrv on the NetEnforcer or Service Gateway. The DataSrv should acknowledge receipt, apply the change and confirm.

We can therefore check if the second stage has been passed, by examining the DataSrv log file to see if the request has been received by looking at the following log file: $SW G L/nedbg.DataSrv.log

Having confirmed this, we should look at allotProvision.xml. This is the actual policy configuration file on the NetEnforcer or Service Gateway. By analyzing this file, we can verify that the changes have actually been written.

If there is a synchronization problem between the NetXplorer and the NetEnforcer or Service Gateway, perhaps caused by a temporary loss of communication between the two, a tool that can help solve the problem is to perform a full policy export.

Using the Restore Policy and Catalog feature it is possible to restore the saved image of the Policy Table and catalogs which is stored for each NetEnforcer or Service Gateway and updated periodically. This feature should be used if a NetEnforcer or Service Gateway becomes corrupted or its policies and catalogs become damaged, requiring a roll back to a previous, working configuration.

To restore policies and catalogs:

1. Select Restore Policy and Catalogs from the Tools menu.

The Restore Policy and Catalogs dialog is displayed.



F igure 7-7: Restore Policy and Catalogs Dialog

2. The NetEnforcer Devices list will populate with all NetEnforcers or Service Gateways on the network. Each relevant NetEnforcer or Service Gateway is listed by name, with the time it received the new policies and any system messages.

3. Click the Restore checkbox to include that NetEnforcer or Service Gateway in the restoration or select a NetEnforcer or Service Gateway and use the Check and Uncheck buttons.

4. Select a NetEnforcer or Service Gateway and click Up or Down to change its location in the distribution order.

5. Select a NetEnforcer or Service Gateway and click Remove to delete the NetEnforcer or Service Gateway from the list or Clear Messages to delete any system messages.

6. Select the Abort on F irst E r ror checkbox to instruct NetXplorer to cancel the entire Policy Distribution operation on the first error.

7. Click Restore to restore the saved Policy table and catalogs to each device. The NetEnforcers or Service Gateways selected will be restored in order, starting at the top of the list.

8. Click Abort at any time to stop the process or Print to print the Results list.

NOTE Aborting the restoration will not roll back the Policy Tables or Catalogs of any NetEnforcers or Service Gateways already overwritten.

9. Click Close to close the Restore Policy and Catalogs dialog box.

Data Display Errors When there is no data in a graph for a certain period of time, this typically indicates a problem with data collection.



Data T ransmission Check whether the NetEnforcer or Service Gateway is sending statistics buckets to the NetXplorer server.

Data Reception It could be that buckets are being sent, but because of communication problems, they are not reaching their destination.

Data Loss It could be that buckets are sent to the server and received, but are subsequently dropped.

A common reason for this is a lack of synchronization. If the time of the bucket is dramatically different from that of the NetXplorer server time, then buckets will be discarded.

Stress e data than

the NetXplorer server can handle, the server will only handle buckets that have already been received and will discard any new buckets.

Data Transmission As the first step of our troubleshooting we do not need to leave the NX GUI. Using the GUI, we examine the event and alarms logs.

In most cases there will be an alert that shows us where the problem lies.

F igure 7-8: Events Log

indicates that the data collector cannot access the NetEnforcer or Service Gateway for short term data collection. In this case, you should check network connectivity, possible firewall and ACL (access control list) rules.



the NetEnforcer or Service Gateway and on the NetXplorer Data Collector is not synchronized. Make sure you synchronize the time for the NetEnforcer or Service Gatewaymodule for further information)

Data Reception It could be that buckets are not being sent from the NetEnforcer or Service Gateway in the first place.

This can be checked by consulting the manifest of a specific NetEnforcer or Service Gateway.

The Manifest is the list of buckets that the NetEnforcer or Service Gateway has created and that are waiting to be sent to the NetXplorer. This can be accessed using any web browser.

F igure 7-9: Bucket Manifest

To see the 30 seconds buckets waiting to be sent, enter: http://<N E_IP>/bucket/30/manifest

To see the 300 seconds buckets waiting to be sent, enter: http://<N E_IP>/bucket/300/manifest

Refresh the browser window a few times to check that the NetEnforcer or Service Gateway is continuously creating buckets.

Data Loss To confirm that the data, once received, is not being dropped, check the log files that are created by the data collection processes and are located on the NetXplorer server. Here we can check if the NetXplorer and/or distributed collector has received the collected data. The poller process is responsible for polling the buckets from the manifest file on the NetEnforcer or Service Gateway. This process is logged in the poller log.



F igure 7-10: Data Logs

The convertor process then converts the buckets from binary into ASCII form this is logged in the convertor log.

Finally, the loader process, logged in the loader log is responsible for loading the converted buckets into the short term database.

The Ltc_poller polls the 1hour buckets from the short term collector and the Ltc_loader loads them into the long term collector.

You can look in the log files and see if there are any error indications.

Stress What should you do if the events suggest a situation where buckets are being dropped due to excess stress? Firstly, check the Collection Configuration to validate that the NetEnforcer or Service Gateway is actually configured to collect the data you expect to see.

One thing you can do to reduce stress is to disable real-time data collection. This will lower the number of buckets dramatically.

Disabling Real-Time Collection stops the import of 30 sec buckets from the NetEnforcer or Service Gateway to the NetXplorer. Therefore you will not be able to see real-time monitoring graphs at 30 sec resolution. You will still be able to see real-time monitoring graphs at other resolutions though, and long term reporting which relies on the 300 sec buckets is not affected at all.

Disabling Long-Term Collection stops the import of 1 hr buckets from the short term database on the NX to its Long Term database. By disabling this option, you will not be able to view long-term reports at all.



Short Term Collection refers to the 300 seconds, or 5 minutes, buckets. What happened when you disable Short Term collecting depends on whether Long Term collecting is enabled or not. If Long Term Collection is also disabled, the only graphs that you will be able to see are real-time graphs at 30 sec resolution. If Long Term collection is enabled, short term data (300 sec buckets) will be imported to the NX regardless of the state selected in the short term collection dialog. This is because Long term data is aggregated from the 300 sec buckets.

Add Device Errors In some situations, the attempt to add a device to the NetXplorer may fail. What might be the reasons for this failure?

The more obvious reasons could be down to an incorrect IP address or an incompatible software version.

There may be communication problems between NetXplorer and the NetEnforcer or Service Gateway. These might arise due to problems with a firewall or with a router access list for example. Alternatively, this problem can arise when management traffic and user traffic are not fully separated.

By consulting with the NX server log (NMS.log), you can see at exactly which stage, There are eleven stages to adding a device.

You can see which stage has succeeded and which has failed by looking at the .

There are eleven stages to adding a NetEnforcer or Service Protector. To start tracking

In stages one and two of the add device process, NetXplorer prepares its database tables for update. Normally you should not encounter problems at these stages.

In stage three, the NetXplorer validates that the device has a software version that matches that version on the NetXplorer Server. If there are error messages here you might need to upgrade the device software version.

At stage four, the NetXplorer reads the NetEnforcer or Service Gatewayconfiguration file: rc.conf. The file is sent via SNMP on port 161. Issues can occur when there is a communication problem, or if the SNMP agent is not running on the NetEnforcer or Service Gateway. If there is a problem at this stage, check the following:

Run netstat -an on the NetEnforcer or Service Gateway or Server and check whether a connection on port 161 is established

Run swgadmin and validate that allSNMPagent is running

Check that nothing is blocking SNMP traffic along the way



Check that the database is up and available

At stage five the catalogs are sent from the NetXplorer to the NetEnforcer or Service Gateway. There are a few things that can go wrong at this stage:

Communication issues communication is carried out on HTTP port 80. An error can occur if communication is blocked or if the NetEnforcer or Service Gateway is not listening for requests on port 80. To validate that NetEnforcer or Service Gateway is running the HTTP daemon, run ps awx and look for HTTPD

Incorrect password this happens when the password for the admin user

you have forgotten the password you can change the password by logging into the NetEnforcer or Service Gateway menu>change password option.

During stage 6, the default policy is exported to the NetEnforcer or Service Gateway by HTTP over port 80. The process could fail at this stage if there is a timeout issue. This can be verified by looking at the nms.log. If this is the case, you will need to contact Allot support for a fix.

At stage 7, the server performs several updates, one of which is updating NTP. Issues can occur when the NetEnforcer or Service Gateway is set up in a way that management traffic flows through the NetEnforcer or Service Gateway. This happens when the management port is connected to the same part of the network as the external connection is. In such cases, an NTP update can occur before the NetEnforcer or Service Gateway update is complete. This interrupts the update process. A possible solution can be to switch the NetEnforcer into bypass mode until the addition process is complete. In any case, it is recommended to connect the management port to the internal section of the network.

During the final stages 8-11, the NetXplorer updates its databases. A problem at this stage could result from the unavailability of one of the databases. In this case, try to stop and restart the NetXplorer service. This may kick-start the unavailable database. If this does not work, you may have to recreate the database that is unavailable.

The process of importing a device has 12 steps and the relevant messages can be found by



NX-HAP Troubleshooting

Monitoring the Cluster Status cl_status is a linux command that retrieves information about the status of the NetXplorer High Availability Cluster. For a full list of the cl_status commands, simply enter cl_status.

We can check the node status by entering cl_status nodestatus <node name>.

NX-1.allot.com:~$ cl_status nodestatus NX-1.allot.com

cl_status: 2008/09/09_09:45:26 debug: optind: 1 argv[optindex+1]: NX-1.allot.com

active

NX-1.allot.com:~$ cl_status nodestatus NX-2.allot.com

cl_status: 2008/09/09_09:45:43 debug: optind: 1 argv[optindex+1]: NX-2.allot.com

active

In the example above, the nodes are named NX-1.allot.com and NX-2.allot.com. The cl_status nodestatus command is run for each node in turn. both nodes) indicates that the NX High Availability Cluster is alive.

The heartbeat program is at the core of the High Availability platform. It is responsible for detecting the different nodes, communicating between them and managing the cluster.

cl_status hbstatus tells us if heartbeat is running on the local system. The command cl_status hblinkstatus <node name><link name> displays the status of a heartbeat link. This indicates up if we are able to hear from that node across that link.

NX-1.allot.com:~$ cl_status hbstatus

Heartbeat is running on this machine.

NX-1.allot.com:~$ cl_status hblinkstatus NX-2.allot.com eth2

up



NOTE If the <node-name> is the current node, the status is not meaningful, since with few exceptions we don't receive messages from ourselves on any links. Make sure that you use this command to check the status of the peer node in the cluster.

NX-1.allot.com:~$ cl_status hblinkstatus NX-1.allot.com eth2

dead

Viewing Available Resources The crm_mon command can be used to analyze which node in the cluster is using system resources. This tells the system administrator which node is currently active.

==============

Last updated: Mon Jun 1 19:24:44 2009

Current DC: NX-1.allot.com (l3425fesfth)

2 Nodes configured.

1 Resources configured.

Node: NX-1.allot.com (l3425fesfth): online

Node: NX-2.allot.com (fewf834271h): online

Resource Group: nx_ha

vip (ocf::heartbeat:IPaddr2): started NX-1.allot.com

db (ocf::heartbeat:Filesystem): started NX-1.allot.com

nx (lsb:netxplorer): started NX-1.allot.com

The output of this command shows us that there are two nodes in the cluster and that both are on-line. The Resource Group, nx-ha consists of 3 sub-resources:

VIP: which is the virtual IP address of the cluster

db: which is the database

nx: which is the NetXplorer service

Adjacent to each of these sub-resources you will see on which node it is running. In this case, we see clearly that NX-1.allot.com is the active node in the cluster.

In case problems are detected, the administrator may run crm rf. This gives an extended view of the cluster resources and includes fail messages for each of the nodes.



Stopping Heartbeat Service To stop the heartbeat service on the currently active node, opening an SSH session to this node and enter the command: service heartbeat stop

This will stop the cluster suite running on the currently active node and the second node will take control of the resources.


Chapter 8: Appendices

Upgrading NetXplorer Server NetXplorer Server and Mediation Device Version 9.2.0 build 03 and above use a newer version (10 SA10) of Sybase Anywhere database. The upgrade process from previous NetXplorer and Mediation Device versions to 9.2.0 build 03 and above includes an automatic conversion process of CFG, LTC and SMF databases from ASA version 9 to SA version 10. The STC database will be recreated as a new database in SA version 10.

It is recommended that software versions previous to NX9.2.1 upgrade in two steps as described below:

First upgrade to NX9.2.1

Then upgrade from NX9.2.1 to the most recent version.

For more information, contact Allot Technical Support at [email protected].

The database conversion process can be time consuming depending on the amount of collected data. Due to the large size of the LTC database, this process can take up to 6 hours. To reduce the LTC database conversion time, the standard upgrade procedure runs a process that reduces the resolution of collected data older than one month. Data older than one month collected in resolution of hours and days will be reduced to a resolution of months. For this reason, an additional manual conversion process also exists, to avoid losing long term data. Both procedures are outlined below.

NOTE You should close all open GUI sessions before beginning any of the upgrade procedures

Standard Upgrade Procedure NOTE The standard upgrade procedure outlined below, reduces the resolution of

collected data older than one month. If you wish to maintain the resolution of this data, refer to the manual upgrade procedure.

On a Linux NetXplorer Server: After completing the download of the Linux files verify the files are complete and intact by checking the MD5 checksum.

To confirm the checksum:

1. Run the following command: md5sum <filename>.tgz Example: [root@REDHATNX NX811b10]# md5sum nx8.1.1_b10.11.tgz




The output should appear as follows: 10b350dd88470ead4e4c12b6796aae68 nx8.1.1_b10.11.tgz

2. Confirm the correct checksum number in the md5 file by running the command: cat <filename>.tgz.md5 Example: [root@REDHATNX NX811b10]# cat nx8.1.1_b10.11.tgz.md5 The output should appear as follows: 10b350dd88470ead4e4c12b6796aae68 nx8.1.1_b10.11.tgz

3. If the two numbers match then the file is intact and complete and you may continue. If they do NOT match, download the software again.

To unzip the file: 1. After downloading the file, extract the files by using the following

tar command: tar -xzvf <filename>.tgz Example: [root@REDHATNX NX811b10]# tar -xzvf nx8.1.1_b10.11.tgz ./ ./accounting-manager-8.1.1-10.i386.rpm ./netxplorer-8.1.1-10.i386.rpm ./WSCli.tgz ./monitorCLI.tgz ./jdk-6u2-linux-i586.rpm ./netpolicy-provisioner-8.1.1-10.i386.rpm [root@REDHATNX NX811b10]#

To perform the upgrade:

1. Close any open NetXplorer GUI sessions

2. Stop the NetXplorer service by entering: service netxplorer stop

3. When upgrading the NetXplorer software you must use the U option to upgrade the software. Therefore, the proper command to use when upgrading is as follows: rpm -Uvh <filename>.rpm

Example: rpm U netxplorer-9.2.1-7.i386.rpm



NOTE You may discover the filename by using the following command: cd / find|grep -i netxplorer-

4. Upgrade the JDK to the most recent version (if required) with no dependencies by entering the following command: rpm -U <JD K filename> nodeps


On a Windows NetXplorer Server 1. Close any open NetXplorer GUI sessions

2. Double click on the setup.exe file provided in the Allot installation CD or downloaded from the Allot FTP site.

NOTE Do not attempt to run the setup file from a net long address, such as \\file_server\.

3. Follow the onscreen instructions in the Setup Wizard to upgrade the NetXplorer Server.


Manual Upgrade Procedure To avoid losing long term data, the following procedure should be performed prior to upgrading NetXplorer:

1. Stop the NetXplorer service.

On Windows Open the services console, and locate the NetXplorer Server service. Right click it and select stop.

On Linux Open CLI and type /opt/allot/bin/nx_stop.sh.

2. Copy the entire ltc folder located in <allot root>\data\db\ (Windows) or /opt/sybase/data/db/ (Linux) and paste it outside the Allot folder.

NOTE: Make sure that enough free disk space is left on the same hard drive (approximately 90% of LTC database size) for the conversion process to take place.

3. Upgrade NetXplorer and/or Mediation Device version. Once the installation completes you may be asked to restart your server.

4. Once the server boots up, stop the NetXplorer service.



5. Delete the contents of the <allot root>\data\db\ltc folder.

6. Copy the contents of the ltc folder previously backed up and paste them back in <allot root>\data\db\ltc.

7. Launch the LTC database conversion process by executing the following script:

On Windows - <allot root>\bin\db_upgrade_ltc_2sa10.bat

On Linux - /opt/allot/bin/db_upgrade_ltc_2sa.sh

8. The process is logged in two log files located in

On Windows - <allot root>\log\

On Linux - /opt/allot/log

1) dbunload_log_ltc.txt 2) dbunload_log_time_cfg.txt.

9. Start the NetXplorer Server service:

On Windows Open the services console, and locate the NetXplorer Server service. Right click it and select start.

On Linux Open CLI and type /opt/allot/bin/nx_start.sh.


Example of Log File Content Below is a successful conversion process log for reference:

dbunload_log_time_cfg.txt

*************************************************************

Start Convert DB to version SA10 - 6/18/2009 2:11:14 PM

Unload LTC data to C:\Allot\tmp\ltc_datadirectory

Finish Unload LTC data - 6/18/2009 2:11:34 PM

Create new LTC database - 6/18/2009 2:15:49 PM

Default PARAM table truncated - 6/18/2009 2:15:58 PM

Load data into new LTC database - 6/18/2009 2:16:49 PM

*************************************************************

dbunload_log_ltc.txt

SQL Anywhere Unload Utility Version 10.0.1.3807

Connecting and initializing



Unloading "nms"."CONVER_STAT_" into C:\Allot\tmp\ltc_data/438.dat (relative to server)

Unloading "nms"."DEVICE" into C:\Allot\tmp\ltc_data/439.dat (relative to server)

Unloading "nms"."EVENT" into C:\Allot\tmp\ltc_data/440.dat (relative to server)

Unloading "nms"."EVENT_VALUE" into C:\Allot\tmp\ltc_data/442.dat (relative to server)

Unloading "nms"."LINE_BURST_" into C:\Allot\tmp\ltc_data/443.dat (relative to server)

Unloading "nms"."PARAM" into C:\Allot\tmp\ltc_data/444.dat (relative to server)

Unloading "nms"."VC_STAT_HRS_1_3" into C:\Allot\tmp\ltc_data/453.dat (relative to server)

...

...

...

Unloading "nms"."SERVICE_STAT_DAY_3_11" into C:\Allot\tmp\ltc_data/1664.dat (relative to server)

Unloading "nms"."SERVICE_STAT_DAY_3_12" into C:\Allot\tmp\ltc_data/1665.dat (relative to server)

Unloading "nms"."SERVICE_STAT_MON_1" into C:\Allot\tmp\ltc_data/1666.dat (relative to server)



Unloading "nms"."SMS_QUOTA_" into C:\Allot\tmp\ltc_data/1669.dat (relative to server)



Upgrading NX-HAP Follow the procedure below to upgrade the NX High Availability Platform.

NOTE NX-HAP includes 3 different databases: NX-HAP1 local database, NX-HAP2 local database and the external storage database. The upgrade procedure updates only the external storage database. The two local databases do not need to be updated.

NOTE All of the operations outlined below must be performed by a root user.

1. Check the NetXplorer version. This is done by using the command: rpm qa | grep netxplorer

2. Make sure that nx1 is the active node and nx2 is passive. This is done by using the command crm_mon (see Viewing Available Resources for more details). If needed, initiate a switchover to ensure that nx1 is the active node. This is done by entering the command service heartbeat stop on the currently active node.

3. Stop the HA monitoring on both NX nodes. This is done by using command: service heartbeat stop

4. On nx1 node, mount the common disk storage. This is done by using the command: mount /dev/dm-1 /opt/sybase/data

5. Upgrade the NX1 node as you would upgrade a regular NetXplorer Server. The upgrade steps (for a Linux Server) are outlined below:

a. Check that netxplorer server is stopped by entering: service netxplorer status.

b. In case netxplorer service is running stop the service by entering: service netxplorer stop

c. Download the software image file for the upgrade into a specific directory (for example /root/NX_software/NX10.1.1b5-Linux.tar.gz)

d. Extract the NetXplorer new software image file with the command: tar -7xvf N X<version>.tar .gz

e. Enter the following: rpm -U <JD K filename>.rpm --nodeps f. Now enter the following: rpm -U <filename>.rpm g. Under no ci rcumstances should you stop the upgrade process!

Do N O T reboot the server once the upgrade is completed. Do not reboot, even though you will receive the output message: [root@nx1 nx_soft]# rpm -U netxplorer-10.1.1-5.i386.rpm Running upgrade process. This may take a few minutes...



Followed by: [root@nx1 nx_soft]# rpm -U netxplorer-10.1.1-5.i386.rpm Running upgrade process. This may take a few minutes... Installation finished.Please reboot your device.

6. Now upgrade the NX-1 node as in step 4 above. The local databases will be updated here too, simply to ensure consistency of the upgrade process.

7. Enter the following command: chown hacluster :haclient /var/lib/heartbeat/crm/*

8. On both NX nodes edit the /etc/init.d/netxplorer file. Use vi editor. This file should be changed in follow manner

a. In function start() change command sleep 60 to sleep 40 b. In function restart()change command sleep 60 to sleep 40

9. Reboot both NX nodes.

10. After rebooting check the status of each NX node. Use command crm_mon. This will reveal which node is active and will detail

the status of the common storage status



Upgrading Distributed Monitoring Collector Follow the procedure below to upgrade a distributed monitoring collector. Assuming for example that the target software version is stored at: /root/MD1011:

1. Change directory to: /root/M D1011 2. Change md-inst to executable by entering: chmod +x md-inst.sh 3. Perform the upgrade by entering: ./md-inst.sh 4. The monitoring collector will reboot automatically after.



Events NetXplorer includes a pre-defined list of events that are recorded in the Events Log and can be used to monitor the occurrence of system events in the Network. You can view the events for specific devices in the Events Log or you can configure specific events to generate alarms that are displayed in the Alarms Log,

All event types available in the NetXplorer are listed in the EVENT_DEF_CORE table in the CFG database. Each event is displayed in the table below with its Event ID. In the

Configurablewhether such an event triggers an alarm, an action (a pre-prepared script) or the sending of a trap to a pre-defined trap receiver. This is done from the Event Types Configuration

Automatic T rap Sentautomatically be sent to a pre-defined trap server whenever this event occurs.

ID Event T raps/Alarms/Actions

1 Rising TCA ('Threshold Crossing Alarm') Automatic Trap Sent

2 Falling TCA ('Threshold Crossing Alarm') No

3 Device Configuration Configurable

4 Line Policy Change Configurable

5 Pipe Policy Change Configurable

6 Virtual Channel Policy Change Configurable

7 Catalog Entry Change Configurable

8 Suspected DoS Attack Started Automatic Trap Sent

9 Suspected DoS Attack Stopped No

10 External Data Source Down Automatic Trap Sent

11 External Data Source Up No

12 Software Problem No

13 NetEnforcer Access Violation No

14 Link Down Configurable

15 Link Up No

16 Cold Start Configurable

17 Warm Start No



18 Authentication Failure No

19 NetEnforcer IP Address Change Configurable

20 Connection Routing Configuration No

21 Device Status Down Configurable

22 Device Status Up No

23 Application info Automatic Trap Sent

24 Protocol update installation No

25 Board status changed No

100 Server Unreachable Configurable

101 Server Reachable No

102 Device Unreachable Configurable

103 Device Reachable No

104 User Forced Clear Alarm No

107 Device Hardware Change Configurable

108 User Force Cleared All Alarms No

109 User Logged In No

110 User Logged Out No

111 Catalogs Synchronization Problem No

112 Catalog Rejected by NetEnforcer No

113 Automatic Alarm Purge No

114 Policy and Catalogs Export No

115 NetEnforcer Configuration Import No

116 Server Management Ownership Taken from Device Automatic Trap Sent

117 Server Management Ownership of Device Taken Automatic Trap Sent

118 Missing Events Were not Found on Device Trap Table During Synchronization No

119 Device Add No



120 License expiration warning Automatic Trap Sent

121 License is expired Automatic Trap Sent

122 Server license registered Automatic Trap Sent

123 Clear license expiration warning No

124 Device policy replaced with rescue policy Automatic Trap Sent

125 Policy data is not synchronized on device No

126 AS does not support device software version Automatic Trap Sent

127 Device was deleted from system No

128 Server was deleted from system No

129 Catalog action failed Automatic Trap Sent

130 Configuration Database Incremental Backup failed No

131 Configuration Database Full Backup failed No

132 Country classification file updated Automatic Trap Sent

133 New protocol updates are available Automatic Trap Sent

134 Install new protocol updates to AS Automatic Trap Sent

135 Install new protocol updates to device Automatic Trap Sent

136 Scheduler forced clear alarms No

137 Device license expiration warning Automatic Trap Sent

138 Device license is expired Automatic Trap Sent

139 Clear device license expiration warning No

140 Rollback AS protocol updates Automatic Trap Sent

141 Rollback device protocol updates Automatic Trap Sent

200 Collector Reported Device Unreachable Configurable

201 Collector Reported Device Reachable No

202 Invalid Bucket Time in Collector Automatic Trap Sent

203 Valid Bucket Time in Collector No

204 Invalid Bucket in Collector No



205 Real Time Bucket Overload in Collector No

206 Short-term Bucket Overload in Collector No

207 Bucket Validated in Collector No



210 Real Time + Short-term Bucket Overload in Collector No

211 Bucket Overload in Collector Finished No

212 Collector Reported Disk Space Problem Automatic Trap Sent

213 Collector Reported Disk Space Problem Fixed No

214 Short Term Collector Reported Database Full Backup failed No

300 Long Term Collector Reported Short Term Collector Unreachable Configurable

301 Long Term Collector Reported Short Term Collector Reachable No



304 Long Term Collector Reported Disk Space Problem Automatic Trap Sent

305 Long Term Collector Reported Disk Space Problem Fixed No

306 Long Term Collector Reported Database Full Backup failed No

401 Quota violation No

402 Quota recovery No

403 Domain not found No

404 SMP provision error trap Configurable

405 SMP multi fail trap Configurable

406 SMP High Availability Trap Configurable

407 SMP System Trap Configurable



Documents

NetXplorer Install_Admin Guide R5