ET0010A ET0100A ET1000A
ETEP Command-Line Interface (CLI) User Guide
EncrypTight® acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to EncrypTight Enforcement Points.
EncrypTight consists of a suite of tools that perform the various tasks of appliance and policy management, including the Policy Manager (PM), the Key Management System (KMS), and the EncrypTight Enforcement Points (ETEPs).
Customer Support Information

Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com
E-mail: [email protected]
Contents Preface ......................................................................................................................................... 9 About This Document............................................................................................................................. 9 Contacting Black Box Technical Support ............................................................................................. 10
Chapter 1: Getting Started ....................................................................................................... 11 ETEP Introduction ................................................................................................................................ 11 Managing the ETEP ............................................................................................................................. 12 Default User Names and Passwords............................................................................................. 13 Prerequisites.................................................................................................................................. 13 Logging in to the Command Line Interface .......................................................................................... 13 Logging in through a Serial Link .................................................................................................... 14 CLI Usage Tips .............................................................................................................................. 14 Next Steps............................................................................................................................................ 15
Chapter 2: User Administration............................................................................................... 17 Overview .............................................................................................................................................. 17 Password Enforcement Options...........................................................................................................17 Setting the Password Enforcement Policy..................................................................................... 18 Cautions for Strong Password Enforcement ................................................................................. 19 Upgrading Software ................................................................................................................ 20 Removing ETEPs From Service ............................................................................................. 20 Adding Users........................................................................................................................................ 20 Understanding User Roles ............................................................................................................ 21 User Name Conventions ............................................................................................................... 22 Creating a New User: Default Password Enforcement Policy ....................................................... 22 Creating a New User: Strong Password Enforcement Policy ........................................................ 23 Modifying Users............................................................................................................................. 24 Deleting Users ............................................................................................................................... 
25 Viewing a List of Users .................................................................................................................. 26 Assigning Passwords ........................................................................................................................... 26 Assigning Passwords to Users ...................................................................................................... 27 Changing Your Own Password .....................................................................................................28 Enabling and Disabling Accounts......................................................................................................... 29 Restoring an Account .................................................................................................................... 29 Disabling an Account..................................................................................................................... 29 Login Failures ................................................................................................................................ 30 Using the Login Banner........................................................................................................................ 30 Audit Logging ....................................................................................................................................... 32 Using Common Access Cards for User Authorization ......................................................................... 32
Chapter 3: Configuring the ETEP ............................................................................................ 35 Configuration Overview........................................................................................................................ 35 Basic Configuration .............................................................................................................................. 36
ETEP CLI User Guide
3
Contents
Configuring the Management Port................................................................................................. 36 Setting the Date and Time ............................................................................................................. 40 Entering the Throughput License .................................................................................................. 40 Changing the Auto-negotiation Settings on the Local and Remote Ports ..................................... 41 Setting Loss of Signal Pass Through ............................................................................................43 Changing the CLI Inactivity Time-out ............................................................................................ 44 Configuration Examples ................................................................................................................ 44 Layer 2 Configuration........................................................................................................................... 45 Assigning a VLAN Tag .................................................................................................................. 45 Verifying Transparent Mode .......................................................................................................... 46 Layer 3 Configuration........................................................................................................................... 47 Interoperating with the Network..................................................................................................... 47 Reassembling Fragmented Packets ....................................................................................... 48 DF Bit Handling ....................................................................................................................... 
49 IPv6 Traffic Handling............................................................................................................... 50 Using DHCP Relay on a Remote Network.............................................................................. 50 Configuring Transparent Mode for Layer 3 Policies ...................................................................... 52 Assigning Remote and Local Port IP Addresses .................................................................... 52 Configuring Transparent Mode ............................................................................................... 53 Shutting Down the ETEP ..................................................................................................................... 54
Chapter 4: Creating Policies .................................................................................................... 57 Creating Layer 2 Point-to-Point Policies ..............................................................................................57 Defining a Layer 2 Point-to-Point Policy ........................................................................................ 58 Configuring the Policy Mode.......................................................................................................... 59 Layer 2 Policy Example ................................................................................................................. 60 Verifying the Policy ........................................................................................................................ 62 How the ETEP Encrypts and Authenticates Layer 2 Traffic .......................................................... 63 Creating Local Site Policies ................................................................................................................. 64 Policy Configuration....................................................................................................................... 65 Assigning Policy Names.......................................................................................................... 66 Configuring a Local Site Bypass or Discard Policy .................................................................67 Configuring a Local Site Encryption Policy ............................................................................. 69 Policy Deployment......................................................................................................................... 72 Viewing the Local Site Policy Set............................................................................................ 72 Making a Backup Copy of the Local Site Policy Set ............................................................... 
73 Deploying Local Site Policies ..................................................................................................73 Managing Local Site Policies......................................................................................................... 74 Modifying a Local Site Policy ..................................................................................................74 Deleting a Local Site Policy..................................................................................................... 74 Clearing the Local Site Policy Set ........................................................................................... 74 Restoring the Local Site Policy Set ......................................................................................... 75 Policy Examples ............................................................................................................................ 75 Bypass Policy for Routing Protocols ....................................................................................... 76 Encryption Policy for Layer 2 Ethertype .................................................................................. 77 Securing Management Port Traffic with IPsec ..................................................................................... 77 Task Overview............................................................................................................................... 78 IPsec Client Task Summary.................................................................................................... 78 ETEP Task Summary..............................................................................................................78 Configuring Global Settings for IKE Negotiations .......................................................................... 79 Changing the IKE Parameters ................................................................................................ 
79 Viewing the Current IKE Parameter Settings .......................................................................... 81
4
ETEP CLI User Guide
Contents
Policy Configuration....................................................................................................................... 82 Assigning Policy Names.......................................................................................................... 83 Configuring an IKE Encryption Policy ..................................................................................... 84 Configuring a Manual Key Encryption Policy .......................................................................... 86 Configuring a Bypass or Discard Policy on the Management Port ......................................... 89 Deploying Policies ......................................................................................................................... 90 Viewing the Policy Set............................................................................................................. 91 Backing Up the Policy Set....................................................................................................... 91 Deploying Management Policies............................................................................................. 92 Managing Policies ......................................................................................................................... 92 Modifying a Policy ................................................................................................................... 92 Deleting a Policy ..................................................................................................................... 93 Clearing the Policy Set............................................................................................................ 93 Restoring the Policy Set.......................................................................................................... 94 Policy Examples ............................................................................................................................ 
94 IKE Policy Example................................................................................................................. 95 Manual Key Policy Example.................................................................................................... 96 Bypass Policy Example...........................................................................................................96 Discard Policy Example .......................................................................................................... 96 Deploying Policies................................................................................................................... 96
Chapter 5: Maintenance ........................................................................................................... 99 Installing ETEP Software Updates ....................................................................................................... 99 File System Backup and Restore......................................................................................................... 99 Restoring the Factory Configuration ..................................................................................................100 Changing the Port Status ...................................................................................................................101
Chapter 6: Troubleshooting................................................................................................... 103 Symptoms and Solutions ...................................................................................................................103 Management Troubleshooting .....................................................................................................104 User Configuration Troubleshooting ............................................................................................105 Traffic Troubleshooting................................................................................................................106 Policy Troubleshooting ................................................................................................................107 Error State ...................................................................................................................................109 Diagnostic Commands .......................................................................................................................109 Show Commands ........................................................................................................................110 Network Tools..............................................................................................................................111 Checking for Time Synchronization Problems.............................................................................112 Determining the Cause of Dropped Packets ...............................................................................112 Additional Diagnostic Tools................................................................................................................114 Port Status...................................................................................................................................115 Discarded 
Packets.......................................................................................................................115 Encryption Statistics ....................................................................................................................116 MAC Statistics .............................................................................................................................116 Policy and Security Association Databases ................................................................................117 Viewing the SPD Entries .......................................................................................................117 Viewing the SAD Entries .......................................................................................................118
Chapter 7: FIPS 140-2 Level 2 Operation.............................................................................. 121 FIPS Mode Requirements ...........................................................................................................121 Entering FIPS Mode ....................................................................................................................122
ETEP CLI User Guide
5
Contents
FIPS Mode Failures and Zeroization ...........................................................................................123 Other Operating Boundaries........................................................................................................123 Exiting FIPS Mode.......................................................................................................................123
Chapter 8: Command Reference ........................................................................................... 125 CLI Overview......................................................................................................................................125 Format Conventions ....................................................................................................................125 Tips on Command Usage ............................................................................................................126 Commands.........................................................................................................................................127 autoneg........................................................................................................................................128 backup-policy-set.........................................................................................................................130 banner-config...............................................................................................................................131 clear-certificates ..........................................................................................................................131 clear-known-hosts .......................................................................................................................132 clear-policies................................................................................................................................133 clear-policy-set ............................................................................................................................133 cli-inactivity-timer .........................................................................................................................134 configure 
......................................................................................................................................135 date..............................................................................................................................................135 debug-shell ..................................................................................................................................136 deploy-policy-set..........................................................................................................................137 dfbit-ignore...................................................................................................................................138 dhcprelay .....................................................................................................................................139 disable-trusted-hosts ...................................................................................................................140 exit ...............................................................................................................................................141 filesystem-download ....................................................................................................................141 filesystem-reset ...........................................................................................................................143 fips-mode-enable .........................................................................................................................144 help..............................................................................................................................................145 ike-params-set.............................................................................................................................145 ike-sa-dh-group 
...........................................................................................................................146 ike-sa-lifetime ..............................................................................................................................146 ike-sa-presharedkey ....................................................................................................................147 ip..................................................................................................................................................148 ip6................................................................................................................................................150 ipsec-config .................................................................................................................................151 ipsec-sa-lifetime...........................................................................................................................152 ipsec-sa-pfs .................................................................................................................................152 ipv6Traffic ....................................................................................................................................153 layer2-p2p....................................................................................................................................154 license .........................................................................................................................................155 local-interface ..............................................................................................................................156 local-site-policies .........................................................................................................................157 logon-banner-enable 
...................................................................................................................157 management-interface.................................................................................................................158 network-tools ...............................................................................................................................158 password .....................................................................................................................................159 password-enforcement ................................................................................................................160 password-modify .........................................................................................................................161 ping..............................................................................................................................................161 ping6............................................................................................................................................163 policies.........................................................................................................................................165 policy-action.................................................................................................................................165
6
ETEP CLI User Guide
Contents
policy-add ....................................................................................................................................166 policy-config.................................................................................................................................167 policy-delete ................................................................................................................................168 policy-ike-ipsec ............................................................................................................................169 policy-ike-peer .............................................................................................................................170 policy-keying................................................................................................................................171 policy-layer2-selector...................................................................................................................172 policy-manual-key (local-site policies) .........................................................................................173 policy-manual-key (management IPsec policies) ........................................................................174 policy-mode .................................................................................................................................176 policy-packet-count......................................................................................................................177 policy-priority ...............................................................................................................................178 policy-selector..............................................................................................................................179 port-enable ..................................................................................................................................181 
reassembly .......... 181
reboot .......... 182
remote-interface .......... 183
remote-user-cert-auth-mode .......... 183
restart-ike .......... 184
restore-filesystem .......... 185
restore-policy-set .......... 186
show .......... 187
show-ike-params .......... 189
show-policy-set .......... 189
shutdown .......... 190
snmpv3-engine-id-seed .......... 191
ssh-enable .......... 192
strict-client-authentication .......... 193
top .......... 194
traceroute .......... 194
transparent-mode-enable .......... 196
tx-enable .......... 197
update-filesystem .......... 198
user-add .......... 199
user-config .......... 201
user-delete .......... 201
user-enable .......... 202
user-modify .......... 203
vlan-tag .......... 205
Index .......... 207
ETEP CLI User Guide
Preface
About This Document

Purpose
The ETEP CLI User Guide describes how to use the command line interface to configure and manage Black Box™ ETEP EncrypTight Enforcement Points, define and deploy point-to-point IKE policies, and perform troubleshooting tasks.

Intended audience
This document is intended for use by network technicians and security administrators who are familiar with setting up and maintaining network equipment.

Assumptions
This document assumes that its readers have an understanding of the following:
● Basic principles of TCP/IP networking, including IP addressing, switching and routing.
● Personal computer (PC) operation and common PC terminology.
● Terminal emulation software and FTP operations.
Conventions used in this document

Bold             Indicates one of the following:
                 ● a menu title
                 ● the name of a command
                 ● the name of a parameter
Italics          Indicates a new term
Monospaced       Indicates machine text, such as terminal output or a file name
Monospaced bold  Indicates a command to be issued by the user
Contacting Black Box Technical Support
Contact our FREE technical support, 24 hours a day, 7 days a week:

Phone     724-746-5500
Fax       724-746-0746
E-mail    [email protected]
Web site  www.blackbox.com
Chapter 1: Getting Started

This section includes the following topics:
● ETEP Introduction
● Managing the ETEP
● Logging in to the Command Line Interface
● Next Steps
ETEP Introduction
The EncrypTight Enforcement Point (ETEP) Variable Speed Encryptors (VSEs) are high performance, purpose-built encryption appliances that provide encrypted throughput at wire speed. The ETEP's high-speed processing capabilities protect data in transit between sites while it travels over untrusted networks. With straightforward setup and configuration, the ETEP has the flexibility to provide Ethernet frame encryption for Layer 2 networks, IP packet encryption for Layer 3 networks, and Layer 4 data payload encryption for MPLS networks.

The ETEP's variable speed capability lets you enable just the bandwidth you need, using a software license. As your bandwidth needs increase, simply update your license; there is no need to replace your hardware. The ETEPs offer full-duplex, line rate encryption from 3 Mbps to 1 Gbps using the AES-256 encryption algorithm.

Figure 1 Point-to-point encryption over a Layer 2 Ethernet network
The ETEP interfaces with network equipment through two data ports, the local port and the remote port. Unencrypted traffic that originates from a trusted, local network is received on the local port, where the ETEP applies security processing to it. The encrypted traffic is then sent from the remote port to an untrusted network such as the Internet. At the opposite endpoint the process is reversed. Encrypted traffic is received on the ETEP remote port and decrypted. Then the decrypted traffic is sent from the local port to the destination. The ETEP is managed in-line or out-of-band through a dedicated Ethernet management interface.
Managing the ETEP
The ETEP can be managed in two ways, depending on the size and complexity of your deployment. Several options are available for securing management traffic based on the management option that you choose.
● Command Line Interface (CLI). CLI commands are available to perform initial setup of the ETEP, along with diagnostic and troubleshooting commands. In point-to-point deployments, you can configure the ETEPs for operation and create policies using the CLI commands.
● EncrypTight Policy and Key Manager™. EncrypTight separates the functions of policy management, key generation and distribution, and policy enforcement. As a result, multiple ETEPs can use common keys. This works for complex mesh, hub and spoke, and multicast networks, as well as in straightforward point-to-point topologies. EncrypTight includes the following components:
  ● ETEMS for appliance configuration and management
  ● ETPM for policy definition and deployment
  ● ETKMS for key generation and distribution

This manual describes how to configure, manage, and troubleshoot the ETEP using the command line interface. If you are using EncrypTight to manage your ETEPs, see the documentation for that product to learn how to configure appliances and deploy policies.

CLI sessions can be secured in three ways:
● Attach a PC directly to the serial port.
● Use any SSH client for a secure remote connection through the Ethernet management port. If you wish to limit remote access to the ETEP after it has been put into service, you can disable SSH (see "ssh-enable" on page 192).
● Use IPsec to secure the management port traffic. Most management port communications are secured using SSH and TLS. If you wish, you can create IPsec policies on the management port to protect traffic that is not covered by SSH and TLS, such as FTP traffic, SNMP traffic, and the NTP protocol. To learn how to create IPsec policies on the management interface, see "Securing Management Port Traffic with IPsec" on page 77.
Default User Names and Passwords
The ETEP has two roles: Administrator and Ops.
● The Administrator manages users, configures the appliance, and creates and deploys policies.
● The Ops user has access to a limited set of commands for initial appliance configuration, status reporting and diagnostics.

When first installing the ETEP, use the default Administrator password to log in, as shown in Table 1. It is strongly recommended that the Administrator change the default passwords before putting the ETEP into operation in the network.

Table 1 Default user names and passwords on the ETEP

Role           Default user name   Default password
Administrator  admin               admin
Ops            ops                 ops
Related topics:
● "Overview" on page 17
● "Assigning Passwords" on page 26
Prerequisites
Make sure that the following installation tasks are complete before configuring the ETEP:
● Install the required user-supplied software on the management workstation, as described in the Installation Guide.
● Make sure that the firewalls in your system are configured to allow the protocols required for your deployment, as listed in the Installation Guide.
● Attach the network cables and power cord.
● Power up the appliance and verify that the unit is operational.

For more information about installing your ETEP, refer to the ETEP Installation Guide.
Logging in to the Command Line Interface To manage the ETEP using the CLI, you can attach a PC directly to the serial port or use any SSH client for a secure remote connection through the Ethernet management port. Initial setup is performed through the serial port.
Logging in through a Serial Link
Initial setup is performed through a serial link to the RS-232 port.

To log in to the CLI via a serial link:
1 Connect the RS-232 serial port directly to a PC or workstation, as described in Chapter 2.
2 Open a terminal session through a VT-100 terminal emulation program such as HyperTerminal. Enter the connection name, the appropriate serial port (usually COM1 or COM2), and the following serial port parameters:

    Baud Speed    38,400
    Parity        None
    Data Bits     8
    Stop Bits     1
    Flow Control  None

3 In the terminal session window, press ENTER. The login prompt displays.

    Linux 2.6.16.17 on mips
    pep login:

4 At the login prompt, type the user name and press ENTER. User names and passwords are case-sensitive. See "Default User Names and Passwords" on page 13 for a list of default account settings.
5 At the password prompt, type your password and press ENTER.
6 When you are successfully logged in, the command line prompt displays as shown below (password text is not displayed).

    pep login: admin
    Password:
    Last login: Tue Jan 29 19:18:59 2008 on ttyS0
    Welcome admin it is Tue Jan 29 19:37:12 UTC 2008
    admin>
CLI Usage Tips
The commands that are described in this manual are presented using the following format conventions.
● Arguments are shown in monospaced type, and must be entered exactly as they appear in the text.
● Brackets [ ] indicate that the enclosed parameter is optional.
● Braces { } indicate that the enclosed arguments or parameters are required.
● Arguments separated by the vertical bar | indicate that any one of the arguments may be used. For example, a | b means enter a or b, but not both.
● Parameters that a user needs to enter are enclosed in angle brackets < >. For example, <ip-address> indicates that the user needs to enter an IP address, such as 192.168.1.1.
● Commands, arguments and parameters are not case-sensitive. For example, show, SHOW, and Show are all accepted as the same command.
● When entering a command with several optional parameters, you must enter all of the optional parameters up to and including the parameter of interest. Subsequent optional parameters will be left at their default settings.

Auto-completion can save time when entering commands, and online help is available to display syntax options.
● The TAB and ENTER keys perform auto-completion for the current command line.
● Context sensitive help is available by typing a question mark (?). This provides either a list of possible command completions with summaries, or the full syntax of the current command.

The CLI has several hierarchy levels. The exit command leaves the current CLI mode and returns to the previous hierarchy level. The top command returns to command mode from any level.
● Command mode is the login hierarchy level. Copy commands, show commands, and most maintenance commands are accessed at this level.
● Configuration mode is where commands are entered to configure the appliance. Enter configuration mode by typing configure. From this level you can access several additional configuration modes for interface settings, policies, and user administration.
For more information about CLI usage and commands, see Chapter 8, “Command Reference” on page 125.
Next Steps
To prepare the ETEP for operation in the network, you will need to perform the tasks outlined in Table 2.

Table 2 Preparing the ETEP for operation

Step                                     See Chapter...
1 Perform user administration tasks      "User Administration" on page 17
  - Add users and assign passwords
2 Configure the ETEP                     "Configuring the ETEP" on page 35
  - Interface settings
  - System settings
  - Network interoperability settings
3 Define security policies               "Creating Policies" on page 57

If you plan to operate the ETEP in FIPS mode, we recommend enabling FIPS mode as your first configuration task. Entering FIPS mode resets many configuration items, such as passwords, policies, and certificates. To avoid having to reconfigure the ETEP, enable FIPS mode and then perform the rest of the appliance and policy configuration tasks. See "FIPS 140-2 Level 2 Operation" on page 121 for more information.
Chapter 2: User Administration
This section contains the following topics:
● Overview
● Password Enforcement Options
● Adding Users
● Assigning Passwords
● Enabling and Disabling Accounts
● Using the Login Banner
● Audit Logging
● Using Common Access Cards for User Authorization
Overview
The Administrator controls and monitors access to the ETEP. The following tasks should be performed prior to putting the ETEP into operation in the network:
● Select the password enforcement policy
● Add users, including assigning a user name and role to each user
● Change the default passwords

In addition, the Administrator can enable a login banner, and restore a disabled account.
Password Enforcement Options
In addition to assigning a name and role to a user, the Administrator can configure the password enforcement policy, which determines the following:
● Strength of password rules and conventions
● Password expiration period, expiration warning notification, and grace period
● Maximum number of concurrent user logins allowed
● Login failure limits
The default password controls are less stringent than the strong password controls, and use standard values for password expiration and maximum number of user logins. The default password controls are enforced on the ETEP unless you explicitly enable strong enforcement. Strong password controls enforce more stringent password conventions, limit the reuse of passwords, and allow the Administrator to configure the following items:
● Password expiration: the maximum number of days before the password expires.
● Password minimum: the minimum number of days that users must wait before changing their own password.
● Password warning: the number of days prior to password expiration that a warning is given to a user.
● Expiration grace period: the number of days after the password expires that a user can log in using the expired password.
● Maximum login sessions: the maximum number of concurrent sessions allowed per user on the ETEP.
The values used for the password expiration settings depend on the ETEP's password enforcement policy, as shown in Table 3.

Table 3 Password enforcement values

Parameter                Default password enforcement   Strong password enforcement
Password expiration      99999 days                     Default is 60. Range is 1-60.
Password reset minimum   0 days                         Default is 1. Range is 1-7.
Password warning         7 days                         Default is 10. Range is 1-30.
Password grace period    0 days                         Default is 10. Range is 1-30.
Maximum login sessions   Unlimited                      Default is 2. Range is 1-5.
Related topics:
● "Setting the Password Enforcement Policy" on page 18
● "Creating a New User: Default Password Enforcement Policy" on page 22
● "Creating a New User: Strong Password Enforcement Policy" on page 23
● "Assigning Passwords to Users" on page 27
Setting the Password Enforcement Policy
The default password controls are enforced on the ETEP unless you explicitly enable strong enforcement. Strong password controls enforce more stringent password rules and conventions than the default password controls. The strong controls affect the following items:
● Password conventions
● Password history exclusion, which limits the reuse of passwords
● Password expirations, warnings, and grace periods
● Maximum number of login sessions allowed per user
● Login failure limits
The strong password controls are enforced on any password that is entered after strong password enforcement is enabled. Existing user accounts can continue to use their old passwords, and the accounts retain their default password expiration settings until the user is modified in strong password mode.

Enabling strong password enforcement restarts the SSH daemon, closing any open SSH connections. It can take up to 30 seconds to establish an SSH connection after enabling strong passwords. When the ETEP is switched from strong to default password controls, users' password expiration settings are reset to the default values listed in Table 3.

To change the password controls:
1 Enter user configuration mode.

    admin> configure
    config> user-config
    user-config>

2 Set the password controls by configuring the password-enforcement command. Attributes are described in Table 4.

    password-enforcement {default | strong}
Table 4 password-enforcement command description

Attribute   Description
default     Enforces the default password controls.
strong      Enforces the strong password controls.
Example
This example enables strong password controls.

    user-config> password-enforcement strong
Related topics:
● "Password Enforcement Options" on page 17
● "Cautions for Strong Password Enforcement" on page 19
● "Default Password Conventions" on page 27
● "Strong Password Conventions" on page 27
Cautions for Strong Password Enforcement
The password expiration feature puts you at risk for a lockout under certain circumstances. Review the guidelines below to avoid unintended lockouts.

CAUTION
If the Administrators' passwords expire, all Administrator functionality is lost, including the ability to assign a new password. The only means of resetting the password is to reformat the ETEP, which reverts all configurations to their default shipping settings. Reformatting the ETEP requires factory service.
Upgrading Software
To avoid having strong passwords expire during an upgrade process, we recommend minimizing the time period between a software upgrade operation and reboot. If you plan to wait a day or more between an upgrade and reboot, disable strong passwords prior to performing the upgrade. After the upgrade and reboot are complete, re-enable strong passwords. Note the following:
● Password changes that are made between a software upgrade and the subsequent reboot do not persist through the reboot. The password expiration timer does not know that a password was changed during that window, placing you at risk of a lockout.
● If all Administrator account passwords expire, the unit must be returned to the factory.

Removing ETEPs From Service
To avoid having strong passwords expire during a planned service outage or equipment redeployment, disable strong passwords prior to removing the ETEP from service. If the password expiration and grace period are exceeded for all Administrator accounts while the ETEP is out of service, all users will be locked out and the ETEP must be returned to the factory.
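The lockout arithmetic behind the two cautions above, written out as an added example (Python, not ETEP software and not from this guide). It uses the Table 3 strong-enforcement values and the guide's description of the timers; the whole-day arithmetic, the account records and the outage dates are constructed assumptions, and the ETEP's own clock and its user-config show output remain authoritative.

```python
"""Lockout planning for strong password enforcement.

Added example; this is not ETEP software and not text from the guide. It
models the timers the guide describes: a password expires
expiration_days after it was last changed, the expired password is still
accepted during the grace period, and after that the account cannot log
in. Whole-day arithmetic and the sample accounts are assumptions /
constructed data; the ETEP's own clock and its user-config show output
are authoritative.
"""
from datetime import date, timedelta


def _as_date(value):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


class AdminAccount:
    """One Administrator account and its strong-enforcement timer settings."""

    def __init__(self, name, last_password_change, expiration_days=60, grace_days=10):
        if not 1 <= expiration_days <= 60:   # Table 3: range 1-60
            raise ValueError("password expiration must be 1-60 days")
        if not 1 <= grace_days <= 30:        # Table 3: range 1-30
            raise ValueError("grace period must be 1-30 days")
        self.name = name
        self.last_password_change = _as_date(last_password_change)
        self.expiration_days = expiration_days
        self.grace_days = grace_days

    def expires_on(self):
        """First day on which the password counts as expired."""
        return self.last_password_change + timedelta(days=self.expiration_days)

    def locked_out_on(self):
        """First day on which even the expired password is refused."""
        return self.expires_on() + timedelta(days=self.grace_days)


def plan_outage(accounts, outage_start, outage_end):
    """Check an out-of-service window against every Administrator account.

    Returns (at_risk, factory_return): at_risk lists the Administrators whose
    lockout date is on or before the end of the window; factory_return is
    True when that is every Administrator, i.e. nobody could log in once
    the ETEP is back and the guide's "return to the factory" outcome applies.
    """
    start, end = _as_date(outage_start), _as_date(outage_end)
    if not accounts:
        raise ValueError("at least one Administrator account is required")
    if end < start:
        raise ValueError("outage window ends before it starts")
    at_risk = [a.name for a in accounts if a.locked_out_on() <= end]
    return at_risk, len(at_risk) == len(accounts)


def recommendation(accounts, outage_start, outage_end):
    """Advice in the terms the guide uses."""
    at_risk, factory_return = plan_outage(accounts, outage_start, outage_end)
    if factory_return:
        return ("disable strong password enforcement (password-enforcement default) "
                "before removing the ETEP from service")
    if at_risk:
        return "reset these passwords before the outage: " + ", ".join(at_risk)
    return "no Administrator lockout in this window"


if __name__ == "__main__":
    # Constructed sample: two Administrators, one with a stale password.
    admins = [AdminAccount("admin", "2008-01-01"),
              AdminAccount("backup-admin", "2008-02-15")]
    print(recommendation(admins, "2008-02-20", "2008-03-15"))
```

The point of the second Administrator in the sample is the one the guide makes indirectly: the factory-return outcome only occurs when every Administrator account passes its grace period, so a second Administrator whose password was changed recently is the cheapest insurance against it, independently of whether strong enforcement is disabled for the outage.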
Adding Users
At a minimum, adding a user involves creating a user name and associating a role with the name. Additional parameters can be defined to provide enhanced security.

Basic user definition entails:
● Creating a unique user name
● Associating a role with the user name: admin or ops

Enhanced security features:
● If strong password enforcement is enabled, the Administrator specifies the password expiration, expiration warning, minimum interval between password changes, and the maximum number of login sessions.
● If you are using a Common Access Card (CAC) to provide user authorization in addition to certificate-based authentication in an EncrypTight deployment, associate a common name with the ETEP user. See the EncrypTight User Guide to learn how to enable this feature across the components of your EncrypTight system.

NOTE
User accounts become active only after the Administrator assigns a password to the new user. See "Assigning Passwords to Users" on page 27 to learn how.
Related topics:
● "Password Enforcement Options" on page 17
● "Creating a New User: Default Password Enforcement Policy" on page 22
● "Creating a New User: Strong Password Enforcement Policy" on page 23
● "Assigning Passwords to Users" on page 27
● "Enabling and Disabling Accounts" on page 29
Understanding User Roles
The user role determines how a user can access the appliance and what tasks the user can perform once logged in. Users are assigned a role, user name, and password that allows them to access the functionality of the appliance that is available to that role. The ETEP can track appliance events based on user name, such as user account activity and policy deployments.

The ETEP has two roles: Administrator and Ops. The Administrator manages users, configures the appliance, and creates and deploys policies. The Ops user has access to a limited set of commands for initial appliance configuration, status reporting and diagnostics. Default user names are shown in Table 5.

Table 5 Default user names on the ETEP

Role           Default user name
Administrator  admin
Ops            ops
The Administrator can manage the ETEP using the CLI or the EncrypTight software. The Ops user is able to log in only to the CLI and has access to a limited set of commands. Table 6 provides a summary of the tasks and privileges available to each role.

Table 6 User role privileges

Function                                                Administrator   Ops
CLI access                                              Yes             Yes
EncrypTight access                                      Yes             No
Initial setup (management port configuration and date)  Yes             Yes
User management                                         Yes             No
Appliance configuration                                 Yes             No
Policy management                                       Yes             No
View audit logs                                         Yes             No
Show commands                                           Yes             Yes
You must maintain at least one Administrator user account on the ETEP in order to manage the appliance. You can add as many user accounts to the ETEP as you need. The ETEP does not impose a cap on the number of user accounts that can be added.

Related topics:
● "Adding Users" on page 20
● "Assigning Passwords" on page 26
● "Viewing a List of Users" on page 26
User Name Conventions
User name conventions are as follows:
● User names can range from 1-32 characters.
● Valid characters are alpha and numeric characters (a-z, 0-9), _ (underscore), and - (dash).
● User names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
● Only lower case alpha characters are accepted.
● User names cannot contain a space.
Creating a New User: Default Password Enforcement Policy
Adding a new user when default password enforcement is enabled is straightforward. All you have to do is add a user name and assign a role to the user.

If you are using a Common Access Card (CAC) to provide user authorization in addition to certificate-based authentication in an EncrypTight deployment, associate a common name with the ETEP user. These names must match the common names used on the identity certificates included on the CACs. See the EncrypTight User Guide to learn how to enable this feature across the components of your EncrypTight system.

To add a new user when default password enforcement is enabled:
1 Enter user configuration mode.

    admin> configure
    config> user-config
    user-config>

2 Configure the user-add command. Attributes are described in Table 7.

    user-add <name> {admin | ops} [<common-name>]
Table 7 user-add command description: default password enforcement

Attribute     Description
name          Specify the user name, conforming to the conventions listed in "Adding Users" on page 20.
role          {admin | ops} Associate a user role with the user name.
common-name   The common name from the Common Access Card's identity certificate. When not using this feature, no entry is required for this attribute.
Examples
The following example adds a user named "dallas" as an Administrator.

    user-config> user-add dallas admin

The following example adds a user named "dallas" as an Administrator, and includes a common name.

    user-config> user-add dallas admin [email protected]
Related topics:
● "Understanding User Roles" on page 21
● "Password Enforcement Options" on page 17
● "Adding Users" on page 20
● "Assigning Passwords to Users" on page 27
Creating a New User: Strong Password Enforcement Policy
Adding a new user when strong password enforcement is enabled requires that you configure password expiration and login session values in addition to adding a user name and assigning a role. You can accept the default values for the additional parameters, but each must be acknowledged.

If you are using a Common Access Card (CAC) to provide user authorization in addition to certificate-based authentication in an EncrypTight deployment, associate a common name with the ETEP user. These names must match the common names used on the identity certificates included on the CACs. See the EncrypTight User Guide to learn how to enable this feature across the components of your EncrypTight system.

To add a new user when strong password enforcement is enabled:
1 Enter user configuration mode.

    admin> configure
    config> user-config
    user-config>

2 Configure the user-add command. Attributes are described in Table 8. After you enter the name, role and optional common name, the ETEP prompts for each of the password expiration and login session values in turn; press ENTER to accept the default shown in brackets.

    user-add <name> {admin | ops} [<common-name>]
Table 8 user-add command description: strong password enforcement

Attribute                 Description
name                      Specify the user name, conforming to the conventions listed in "Adding Users" on page 20.
role                      {admin | ops} Associate a user role with the user name.
common-name               The common name from the Common Access Card's identity certificate. When not using this feature, no entry is required for this attribute.
password expiration       The password expiration period, specified in days. The valid range is 1-60.
password minimum          The number of days that a user must wait before changing the password. The password minimum must be less than the password expiration. The valid range is 1-7.
password warning          The number of days prior to password expiration that a warning is given to the user. The valid range is 1-30.
password grace period     The number of days after the password expires that a user can log in using the expired password. The valid range is 1-30.
maximum login sessions    The maximum number of concurrent sessions allowed per user. The valid range is 1-5.
Example
The following example creates a user named "tech1" as an Ops user with a password expiration of 30 days, minimum set to 3 days, and warning of 5 days. Password grace period and login sessions are left at their default values. A common name is not defined.

    user-config> user-add tech1 ops
    Maximum days before password expires [60]: 30
    Minimum days between password reset [1]: 3
    Password expiration warning days [10]: 5
    Expiration grace period days [10]:
    Maximum login sessions [2]:
Related topics:
● "Understanding User Roles" on page 21
● "Password Enforcement Options" on page 17
● "Adding Users" on page 20
● "Assigning Passwords to Users" on page 27
Modifying Users
The user-modify command lets the Administrator change a user's role and common name. When strong password enforcement is enabled, the Administrator can also modify the settings for password expiration and maximum login sessions. If the time since a user's password was last changed exceeds the password expiration days, the ETEP requires the password to be reset before allowing you to modify other user settings.

To modify a user:
1 Enter user configuration mode.

    admin> configure
    config> user-config
    user-config>

2 Configure the user-modify command. Attributes are described in Table 8.

    user-modify <name> {admin | ops} [<common-name> | none]

Type the user name and then change the role, common name, and/or password expiration for that user. To remove a common name from a user account, enter none in the common name field. When strong password enforcement is enabled, the ETEP then prompts for the password expiration and login session values, as in the examples below.
Examples
This example changes the tech1 user's role from Ops to Admin. Default password enforcement is in effect on the ETEP.

    user-config> user-modify tech1 admin

In the next example the ETEP is configured for strong password enforcement. The Administrator changes the tech1 Ops user's warning days to 3. The password maximum is 60, and the password minimum is 3.

    user-config> user-modify tech1 ops
    Maximum days before password expires [60]:
    Minimum days between password reset [1]: 3
    Password expiration warning days [10]: 3
    Expiration grace period days [10]:
    Maximum login sessions [2]:

The following example removes a common name from an Ops user named tech1.

    admin> configure
    config> user-config
    user-config> user-modify tech1 ops none
Related topics:
● "Adding Users" on page 20
● "user-modify" on page 203
Deleting Users
Use the following procedure to remove a user from the ETEP.

To delete a user:
1 Enter user configuration mode.

    admin> configure
    config> user-config
    user-config>

2 Delete the user by typing the user-delete command and user name.

    user-delete <name>

Example
This example deletes the user "tech1."

    user-config> user-delete tech1
Related topic:
● "user-delete" on page 201
Viewing a List of Users
Two show commands provide information about ETEP users. From command mode, the show running-config command lists the users currently logged in to the ETEP. In user-config mode, the show command provides a summary of ETEP users. It displays the password enforcement policy that is in force on the ETEP, along with user configurations. Passwords are not displayed.

Accounts that have been disabled are indicated with an asterisk next to the user name. In Figure 2, the tech1 account is flagged as disabled. The asterisk indicates one of the following:
● A new account that does not yet have a password assigned
● An existing account that the Administrator manually disabled

Accounts that are disabled because of a login failure are not flagged in the show command output.

Example

    user-config> show

Figure 2 user-config show command output
Assigning Passwords
The Administrator has the ability to assign passwords to users, as part of establishing a user account or as a maintenance task. All users can modify their own passwords.

If you are using a Common Access Card (CAC) to provide user authorization in addition to certificate-based authentication in an EncrypTight deployment, password use is optional. Users without assigned passwords can access the ETEP through the EncrypTight software. Passwords are still required for CLI access.

Related topics:
● "Assigning Passwords to Users" on page 27
● "Changing Your Own Password" on page 28
Assigning Passwords to Users
Default user names and passwords are shown in Table 9. It is strongly recommended that the Administrator change the default passwords before putting the ETEP into operation in the network.

Table 9 Default user names and passwords on the ETEPs

Role           Default user name   Default password
Administrator  admin               admin
Ops            ops                 ops
The ETEP enforces two sets of password controls: default and strong. The password conventions for each password policy are listed below.

Default Password Conventions
● Passwords must be a minimum of 8 characters.
● Passwords are case-sensitive.
● Standard alphanumeric characters are allowed, as are printable keyboard characters and symbols. If you plan to use EncrypTight to manage the ETEPs, do not use the following characters: <>&"$'()|;?/\
● Passwords must contain at least 2 characters from a mix of upper case letters, lower case letters, numbers and non-alphanumeric symbols. For example, an acceptable password might contain an upper case letter and a number, or a lower case letter and a symbol, or an upper case letter and a lower case letter.
● Dictionary words are not allowed.
● Do not use non-printable ASCII characters.
● The ETEP allows an unlimited number of failed login attempts without locking the user out of the appliance.
Strong Password Conventions
● Passwords must be at least 15 characters long.
● Standard alphanumeric characters are allowed, as are printable keyboard characters and symbols. If you plan to use EncrypTight to manage the ETEPs, do not use the following characters: <>&"$'()|;?/\
● Passwords must contain a mix of upper case letters, lower case letters, numbers and special characters, including at least two of each of the four types of characters.
● Dictionary words are not allowed.
● When a password is changed, the new password must differ from the previous password by at least four characters.
● The password must not contain, repeat, or reverse the associated user ID.
● The password must not contain three of the same characters used consecutively.
● A user's password must not be identical to any other user's password.
● A new password must be different from the previous 10 passwords used.
● When strong password enforcement is enabled, the ETEP allows three consecutive failed login attempts in a 15 minute period prior to locking an account. After the third failure the account is locked for 15 minutes.
You must explicitly enable strong password enforcement for the ETEP to enforce these conventions.
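Because the ETEP only reports a rejected password after you have typed it at the Password: prompt, it is handy to check a candidate against the user name conventions and the default/strong password conventions above before the user-add or password-modify session. The following is an added example (Python, not ETEP software and not from this guide) that applies the rules as they are listed in this chapter. Two of the appliance's checks cannot be reproduced off-box and are handled as stated in the comments: the dictionary-word test (the ETEP's word list is not published, so DICTIONARY is a constructed stand-in) and the "identical to another user's password" test (only the appliance knows the other passwords). Reading "differ by at least four characters" as an edit distance of four or more is an assumption.

```python
"""Preflight check of a user name and password against the ETEP user
name conventions and the default/strong password conventions listed in
this chapter, run on the workstation before typing them into user-add
or password-modify.

Added example; it is not ETEP software and not text from the guide. The
ETEP itself is authoritative, and two of its checks cannot be reproduced
off-box: the dictionary-word test (the appliance's word list is not
published; DICTIONARY below is a constructed stand-in) and the
"identical to another user's password" test (only the appliance knows
the other users' passwords). "Differs by at least four characters" is
interpreted here as an edit distance of four or more (an assumption).
"""
import re
import string

# 1-32 characters, lower-case letters/digits/_/-, first character a letter or _
USER_NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Characters the guide says to avoid when EncrypTight manages the ETEP
# (assumption: the guide's curly quotes stand for " and ').
ENCRYPTIGHT_EXCLUDED = set('<>&"$\'()|;?/\\')
# Constructed stand-in for the ETEP's dictionary, not its real word list.
DICTIONARY = {"password", "admin", "welcome", "secret", "letmein", "ops"}


def check_user_name(name):
    """Violations of the user name conventions (empty list = acceptable)."""
    if USER_NAME_RE.fullmatch(name):
        return []
    return ["user name must be 1-32 characters of a-z, 0-9, _ or -, "
            "starting with a letter or underscore"]


def _class_counts(pw):
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "symbol": sum(c in string.punctuation for c in pw),
    }


def _edit_distance(a, b):
    """Levenshtein distance; used for the 'differs by four characters' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(pw, user, policy="default", history=(), for_encryptight=False):
    """Violations of the selected password policy (empty list = acceptable).

    history: the user's previous passwords, most recent first (strong policy).
    for_encryptight: also reject the characters EncrypTight cannot handle.
    """
    if policy not in ("default", "strong"):
        raise ValueError("policy must be 'default' or 'strong'")
    problems = []
    if any(c not in string.printable or c in "\t\n\r\x0b\x0c" for c in pw):
        problems.append("contains non-printable characters")
    if for_encryptight and ENCRYPTIGHT_EXCLUDED & set(pw):
        problems.append("contains characters EncrypTight cannot handle")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    counts = _class_counts(pw)
    if policy == "default":
        if len(pw) < 8:
            problems.append("shorter than 8 characters")
        if sum(1 for n in counts.values() if n) < 2:
            problems.append("needs characters from at least two classes")
        return problems
    # Strong password conventions.
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    if any(n < 2 for n in counts.values()):
        problems.append("needs at least two upper, two lower, two digits and two symbols")
    u = user.lower()
    if u and (u in pw.lower() or u[::-1] in pw.lower()):
        problems.append("contains or reverses the user ID")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats one character three times in a row")
    if history and _edit_distance(pw, history[0]) < 4:
        problems.append("differs from the previous password by fewer than four characters")
    if pw in history[:10]:
        problems.append("matches one of the previous 10 passwords")
    return problems
```

Note that the default policy's "at least 2 characters from a mix" rule is read, as the guide's own examples suggest, as "at least two character classes present"; a default-policy password that passes here can still be rejected by the appliance's dictionary test, so treat an empty result as "worth trying", not as a guarantee.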
CAUTION
We recommend that you store your passwords in a safe place. If you are unable to log in to the ETEP with a valid Administrator user name and password, the ETEP must be returned to the factory to be reset.
To assign a new password to a user:
1 Enter user configuration mode.

    admin> configure
    config> user-config
    user-config>

2 Type the password-modify command and user name, and press ENTER.

    password-modify <user-name>

3 When prompted, enter the new password and then re-enter it to confirm.

Example
This example changes the password of the Ops user. Password text is not displayed on the terminal.

    admin> configure
    config> user-config
    user-config> password-modify ops
    Password:
    Retype new password:
Related topics:
● “Password Enforcement Options” on page 17
● “Setting the Password Enforcement Policy” on page 18
Changing Your Own Password
Ops and Admin users can modify their own passwords to maintain account security and when reminded that the current password is going to expire. Use the password command to reset your password, complying with the password policy enabled by the Administrator (default or strong password controls).
To change your password:
1 Log in to your Ops or Admin account using your existing password.
2 At the command prompt, type the password command and press ENTER.
3 When prompted, enter the new password and then re-enter it to confirm.
Example
In this example, an Ops user changes the password for his account. Password text is not displayed on the terminal.
    ops> password
    Password:
    Retype new password:
Related topics:
● “Default Password Conventions” on page 27
● “Strong Password Conventions” on page 27
Enabling and Disabling Accounts
The Administrator can manually enable and disable user accounts. If a user is locked out of an account due to a login failure or password expiration, the Administrator can unlock the account for that user. Conversely, the Administrator has the ability to disable a user account as needed.
Restoring an Account
Only the Administrator can restore an account that has been locked due to a login failure or expired password. To enable a new user account, the Administrator must first add a new user and then assign a password to the account.
To restore a locked account:
1 Enter user configuration mode.
    admin> configure
    config> user-config
    user-config>
2 Type user-enable {username} true, where username specifies the user account to restore.
Example
The following example restores the tech1 user account.
    admin> configure
    config> user-config
    user-config> user-enable tech1 true
Related topics:
● “Assigning Passwords to Users” on page 27
● “user-enable” on page 202
Disabling an Account
The Administrator can disable a user account to prevent that user from logging in to the ETEP. The account remains disabled until the Administrator manually restores the account. In the user-config show command output, accounts disabled by the Administrator are indicated with an asterisk next to the user name.
To disable an account:
1 Enter user configuration mode.
    admin> configure
    config> user-config
    user-config>
2 Type user-enable {username} false, where username specifies the user account to disable.
Example
The following example disables the tech1 user account.
    admin> configure
    config> user-config
    user-config> user-enable tech1 false
Related topic:
● “user-enable” on page 202
Login Failures
When configured for default password enforcement, the ETEP allows an unlimited number of failed login attempts without locking the user out of the appliance. When strong password enforcement is enabled, the ETEP allows three consecutive failed login attempts in a 15 minute period prior to locking an account. After the third failure the account is locked for 15 minutes. The Administrator can restore a disabled account with the user-enable command.
To determine whether an account has been disabled due to login failures, issue the show audit-log command and review the log file for a series of login failures. An account that has been locked due to login failures is not flagged in the user-config show command.
Related topic:
● “user-enable” on page 202
Using the Login Banner
The login banner is disabled by default. When enabled, the login banner appears after a successful login to the CLI and the EncrypTight application. A user must acknowledge the terms of usage to successfully log in. The banner text cannot be modified or replaced.
A show command is available from banner-config mode that displays the login banner that is saved in the ETEP filesystem, regardless of whether the banner is enabled. To display the banner, enter the following command:
    banner-config> show
The login banner contains the U.S. Department of Defense banner text, shown below.
    You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
    By using this IS (which includes any device attached to this IS), you consent to the following conditions:
    — The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
    — At any time, the USG may inspect and seize data stored on this IS.
    — Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
    — This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
    — Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and workproduct are private and confidential. See User Agreement for details.
    Do you accept the above terms of usage? (enter 'yes' to confirm)
To configure the login banner:
1 Enter banner configuration mode.
    admin> configure
    config> banner-config
    banner-config>
2 Configure the logon-banner-enable command.
    logon-banner-enable {true | false}
Examples
This example enables the login banner.
    admin> configure
    config> banner-config
    banner-config> logon-banner-enable true
Related topics:
● “banner-config” on page 131
● “logon-banner-enable” on page 157
Audit Logging
Audit logs report attempts to gain access to the ETEP and to configure it. The audit log is configured and viewed by the Administrator user. Audit log characteristics are as follows:
● Audit log events are always sent to the log file.
● Each audit record includes a date and timestamp, the user that triggered the event, and the type of event. The audit record also includes the IP address of a remote device accessing the ETEP.
● The most recent audit events can be viewed from the CLI using the show audit-log command. From ETEMS, you can export the complete audit log file from the ETEP or configure the ETEP to send audit events to a syslog server.
● If the ETEP syslog daemon fails and is unable to record events to a designated syslog server, the ETEP issues a platform warning trap. SNMP traps and trap hosts are configured using ETEMS.
The audit log includes all events that affect critical service parameters. The types of events that are reported in the audit log are listed in Table 10.
Table 10  Audit Events
Event Type                    Reported Events
System startup and shutdown   Successful and unsuccessful startup and shutdown events. Includes soft reboots and power cycles.
Failure State                 Entered failure state
Log in and Log out            Successful and failed log in attempts, log out activity, account disabled
User changes                  Added, modified, or disabled user profile, including user name, role, password enforcement policy, password expiration parameters.
Appliance Configuration       Changed, saved or deleted appliance configuration.
Data Traffic Policy           Changed, saved, or deployed data traffic policy
Management IPSec Policy       Changed, saved, or deployed management policy
Software Version              Updated software, formatted file system
Certificates                  Added or removed certificates.
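The "Login Failures" topic notes that an account locked after repeated failures is not flagged by user-config show, so the Administrator has to find the series of failed logins in the audit log. The following script is an added example, not ETEP code, that applies the strong password lockout rule (three consecutive failures inside 15 minutes, 15 minute lock) to audit records. The record layout it parses (timestamp, user, event, source IP) is a constructed stand-in for the fields the guide says an audit record contains; the event names LOGIN_FAILED and LOGIN_OK are assumed, and parse_record() would be adapted to the real show audit-log output.

```python
"""Find accounts that the ETEP lockout rule would have locked, from exported audit records.

Added example, not ETEP code.  The record format and event names are constructed.
"""
from datetime import datetime, timedelta

# Strong password enforcement: three consecutive failures within 15 minutes lock the
# account for 15 minutes (values from the guide).
MAX_FAILURES = 3
WINDOW = timedelta(minutes=15)
LOCK_DURATION = timedelta(minutes=15)

# Constructed sample records, not real ETEP output: "date time user event source-ip".
SAMPLE_LOG = """\
2008-10-15 12:00:05 ops LOGIN_FAILED 192.168.1.10
2008-10-15 12:03:40 ops LOGIN_FAILED 192.168.1.10
2008-10-15 12:20:00 ops LOGIN_FAILED 192.168.1.10
2008-10-15 12:21:10 ops LOGIN_FAILED 192.168.1.10
2008-10-15 12:22:30 ops LOGIN_FAILED 192.168.1.10
2008-10-15 12:30:00 tech1 LOGIN_OK 192.168.1.10
2008-10-15 12:31:00 tech1 LOGIN_FAILED 192.168.1.10
2008-10-15 12:32:00 tech1 LOGIN_OK 192.168.1.10
"""


def parse_record(line):
    """Split one constructed audit record into (timestamp, user, event, source_ip)."""
    date, time, user, event, source = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), user, event, source


def find_lockouts(log_text):
    """Return {user: [lock_start, ...]} for each lockout the rule would trigger.

    Failures count as consecutive when no successful login separates them, and only
    failures inside the 15 minute window are counted.  The first two 'ops' failures
    in SAMPLE_LOG fall outside the window of the later burst and do not contribute.
    """
    recent = {}      # user -> timestamps of consecutive failures still inside the window
    lockouts = {}
    for line in log_text.splitlines():
        ts, user, event, _source = parse_record(line)
        if event == "LOGIN_OK":
            recent[user] = []              # a successful login resets the count
            continue
        if event != "LOGIN_FAILED":
            continue
        fails = [t for t in recent.get(user, []) if ts - t <= WINDOW]
        fails.append(ts)
        if len(fails) >= MAX_FAILURES:
            lockouts.setdefault(user, []).append(ts)
            fails = []                     # the lock starts a fresh count
        recent[user] = fails
    return lockouts


def is_locked(lockouts, user, at):
    """True if a lock recorded for `user` is still in force at time `at`."""
    return any(start <= at < start + LOCK_DURATION for start in lockouts.get(user, []))


if __name__ == "__main__":
    for user, starts in find_lockouts(SAMPLE_LOG).items():
        for start in starts:
            print(f"{user}: locked at {start:%Y-%m-%d %H:%M:%S} until {start + LOCK_DURATION:%H:%M:%S}")
```

Because the ETEP does not mark such accounts in user-config show, running this over the exported log (or over syslog-forwarded audit events) tells the Administrator which accounts need user-enable and also surfaces bursts of failures from a single source address that deserve a closer look.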
Using Common Access Cards for User Authorization
The EncrypTight system supports the use of smart cards such as the DoD Common Access Card (CAC). Using a CAC provides user authorization in addition to certificate-based authentication. When you use a CAC, EncrypTight components use the certificates installed on the card to determine if a user is authorized to perform a specific action. In order to access the system, every user must have an authorized CAC.
A smart card reader is connected to the management workstation. To access the workstation, you must insert a CAC into the reader. The EncrypTight software reads the identity certificate on the CAC, as well as any trusted root or intermediate certificates. When the EncrypTight software communicates with other EncrypTight components, the common name field from the identity certificate is included in the communications. If the common name used in the communications is on the access list, the operation is allowed. Each component in the EncrypTight system (EncrypTight software, ETKMS, and ETEP) must maintain a list of authorized users. Communications that do not use an authorized common name and a valid certificate are rejected.
Passwords for ETEP users are optional when using common names. Users without assigned passwords can manage the ETEP through the EncrypTight software. For CLI access, passwords are required.
Setting up the ETEP to use a CAC involves several tasks:
1 Install certificates on the ETEPs. This task is performed using the EncrypTight software.
2 Enable strict authentication on the ETEPs.
3 Enable remote user certificate authentication on the ETEPs.
4 Add common names to the existing user accounts on the ETEPs, or add new user accounts with common names.
5 On the ETEP, add a user account with a common name for each ETKMS.
Additional steps are required to prepare the EncrypTight workstation and ETKMS to use strict authentication with CACs. Be sure to complete all of the required steps in order, as described in the “Using Enhanced Security Features” chapter of the EncrypTight User Guide.
Related topics:
● “Adding Users” on page 20
● “Assigning Passwords” on page 26
● “remote-user-cert-auth-mode” on page 183
Chapter 3: Configuring the ETEP
This section includes the following topics:
● Configuration Overview
● Basic Configuration
● Layer 2 Configuration
● Layer 3 Configuration
● Shutting Down the ETEP
Configuration Overview
The information in this chapter describes how to configure the ETEP using CLI commands. The procedures described in this chapter assume that you are logged in as the Administrator user, although some of the basic configuration commands are also available to the Ops user.
This chapter is organized into three sections:
● “Basic Configuration” on page 36: Describes commands that are common to Layer 2 and Layer 3 operation, such as management port configuration, date and time, auto-negotiation, session inactivity timer, and loss of signal pass through.
● “Layer 2 Configuration” on page 45: Describes commands that apply only when the ETEP is deployed in a Layer 2 environment.
● “Layer 3 Configuration” on page 47: Describes commands that apply when the ETEP is deployed in a Layer 3 environment. Some settings may be needed for network interoperability, and others are used only when the ETEP is deploying virtual IP or remote IP distributed key policies.
At the beginning of each section you will find a list of commands and their default values to help you determine which commands need to be modified to work in your network environment.
Basic Configuration
This section describes the common set of commands that are used to configure the ETEP regardless of whether it is operating in Layer 2 or Layer 3 mode. Table 11 provides a list of the commands, a brief description, and the default values.
Initial ETEP setup consists of configuring the management port and setting the date and time. These steps were performed as part of the ETEP installation, as described in the Installation Guide. The instructions are repeated here in case you need to modify one or more of these items. The initial setup procedure may be sufficient for operation in your network. If not, you may want to adjust one or more of the settings listed in Table 11.
Table 11  Basic configuration commands
Command: man-if> ip (IPv4 address), man-if> ip6 (IPv6 address)
    Description: Sets the management IP address, mask and gateway.
    Default value: 192.168.1.3
    User type: Admin or Ops
Command: date
    Description: Sets the date and time
    Default value: Current date, UTC 0
    User type: Admin or Ops
Command: license
    Description: Sets the throughput license on ETEPs that are managed exclusively through the CLI
    Default value: none
Command: auto-neg
    Description: Sets auto-negotiation and flow control on the management, local, and remote interfaces.
    Default value: negotiated
    User type: Admin or Ops
Command: cli-inactivity-timer
    Description: Sets an inactivity timer for the CLI session.
    Default value: 15 minutes
    User type: Admin
Command: tx-enable
    Description: Sets the behavior of the local and remote transmitters when loss of signal is detected.
    Default value: transmitter follows the receiver
    User type: Admin
Configuring the Management Port
The ETEP can be managed in-line or out-of-band through a dedicated Ethernet management interface. Management port configuration consists of the following items:
● Setting the IP address and default gateway
● Reviewing the auto-negotiation settings
These settings can be configured by the Admin and Ops users.
About the management port IP address, mask and gateway
The management port must have an assigned IP address in order to be managed remotely and communicate with other devices. An IPv4 IP address is mandatory, even when the ETEP is operating in an IPv6 network. When the ETEP is operating in an IPv6 network, configure the ETEP for dual-homed operation by assigning an IPv4 and an IPv6 address to the management port.
The Ethernet management port IP address identifies the ETEP to the management workstation. The subnet mask is the portion of the IP address that identifies the network or subnetwork for routing purposes. When the ETEP management port and the management workstation are on different subnets, the ETEP uses a default gateway to route packets to the other devices. The default gateway identifies the local router port that is on the same subnet as the ETEP Ethernet management port. The appliance sends all packets to the specified router for forwarding to the management station or other EncrypTight components (key generation server, time server). When the management port and workstation are on the same subnet a default gateway is not needed to route packets between the devices.
Figure 3 shows an example of a default gateway when the management station and ETEP are on different subnets. The management station’s IP address is 192.168.1.10, and the ETEP’s management port IP address is 192.168.10.10. To send packets between the two devices, the local port on Router #1 is specified as the default gateway (192.168.10.1). The gateway address must match the subnet of the management port.
Figure 3  Management Port Default Gateway
About auto-negotiation
The default setting for the ETEP enables auto-negotiation, which negotiates the link speed, duplex setting, and flow control. Use the autoneg command if the device that the ETEP connects to from a particular port does not support auto-negotiation or flow control.
It is important to configure the ETEP and the other device the same way. Both devices should either auto-negotiate or be set manually to the same speed and duplex mode. Having one device set manually and the other auto-negotiate can cause problems that make the link perform slowly. When manually setting the ETEP link speed, configure the speed and duplex mode to match that of the other device. On the management port, the ETEPs support the speeds shown in Table 12.
Table 12  Link speeds on the management port
Link speed              Auto-negotiate (ET0010A)   Auto-negotiate (ET0100A / ET1000A)   Fixed Speed (All ETEPs)
10 Mbps Half-duplex     supported                  supported                            supported
10 Mbps Full-duplex     supported                  supported                            supported
100 Mbps Half-duplex    supported                  supported                            supported
100 Mbps Full-duplex    supported                  supported                            supported
1000 Mbps Full-duplex   supported in one of the three columns only (the column mark was not recoverable from the extracted table)
1000 Mbps Half-duplex   supported in one of the three columns only (the column mark was not recoverable from the extracted table)
To configure the management port:
1 At the command prompt, type configure to enter configuration mode.
2 At the config> prompt, type management-interface.
3 Assigning an IPv4 address to the management port is mandatory. To set the management port IPv4 address, mask, and gateway, type:
    ip {ip-address} {subnet-mask} [gateway]
  ip-address     Management port IP address, entered in dotted decimal notation.
  subnet-mask    IP subnet mask, entered in dotted decimal notation.
  gateway        Specifies how to route traffic between the ETEP management port and the management station. When the management port is on a different subnet than the management station, specify the IP address of the router’s local port on the same subnet as the ETEP management port (see Figure 3). If the devices are on the same subnet, you do not need to enter a default gateway.
  After entering the new IP address, it takes 10-20 seconds for the ETEP to set the address on the management port. During that time you cannot enter any CLI commands. When the operation is complete, the man-if> prompt is displayed.
4 Optional. If the ETEP is operating in an IPv6 network you can also assign an IPv6 address to the management port. To do so, type:
    ip6 {ip-address/prefix-length} [gateway]
  ip-address     IPv6 address of the ETEP management port. This is a 128-bit address consisting of eight hexadecimal groups that are separated by colons. Each group is a 4-digit hexadecimal number. The hexadecimal letters in IPv6 addresses are not case sensitive.
  prefix-length  A decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. The decimal value is preceded by a forward slash (/).
  gateway        IPv6 address of the router port that is on the same local network as the ETEP management port.
  For more information about IPv6 address representations, see “ip6” on page 150.
5 Auto-negotiation is enabled by default. If you want to disable auto-negotiation and manually set the link speed and flow control, configure the autoneg command. Attributes are described in Table 16.
    autoneg {enable} | {disable [speed] [flow-control]}
6 Type exit to return to the config prompt, or type top to return to the command prompt.
Table 13  Management port autoneg command description
Attribute      Description
enable         Enables auto-negotiation on the management port. This is the default setting.
disable        Disables auto-negotiation on the management port. Use this setting to manually configure link speed and flow control.
speed          [100m-full | 10m-full | 100m-half | 10m-half] When auto-negotiation is disabled, the speed attribute specifies the link speed and duplex setting. The speed defaults to 100m-full.
flow control   [on | off] When auto-negotiation is disabled, this attribute configures the flow control setting to be on or off. The flow control setting defaults to on.
Example
The following example sets the management port IPv4 address, subnet mask, and gateway for the ETEP as shown in Figure 3. Auto-negotiation is left at its default setting of enabled.
    admin> configure
    config> management-interface
    man-if> ip 192.168.10.10 255.255.255.0 192.168.10.1
    man-if> exit
The next example sets the management IPv4 address and subnet mask, and omits the default gateway. The default gateway can be omitted when the management station and the ETEP management port are wired directly to each other on the same subnet. Auto-negotiation is disabled. The link speed is set to 100 Mbps full-duplex and flow control is turned on.
    admin> configure
    config> management-interface
    man-if> ip 192.168.10.10 255.255.255.255
    man-if> autoneg disable 100m-full on
    man-if> exit
The following example sets an IPv6 address, prefix length, and default gateway on the management port.
    admin> configure
    config> management-interface
    man-if> ip6 2001:DB8::211:11FF:FE58:743/64 2001:DB8::20F:F7FF:FE84:BFC2
    man-if> exit
    config>
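A mistyped gateway on the management port leaves the appliance unreachable until someone gets to the serial console, and the guide states the rule to check: the gateway must lie in the management port's subnet. The following validator is an added example, not ETEP code, that checks an ip or ip6 line against that rule before it is typed into man-if>. Function names and the (ok, reason) return shape are assumptions; the sample values are those of Figure 3 and the examples above.

```python
"""Check ETEP management-port address lines before entering them at the man-if> prompt.

Added example, not ETEP code.  Uses only the standard library ipaddress module.
"""
import ipaddress


def validate_ipv4(address, mask, gateway=None):
    """Validate an `ip {ip-address} {subnet-mask} [gateway]` line; return (ok, reason)."""
    try:
        # ipaddress accepts a dotted-decimal netmask after the slash.
        iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    except ValueError as exc:
        return False, f"invalid address or mask: {exc}"
    if gateway is None:
        # Permitted by the guide when the management station shares the subnet.
        return True, "no gateway: management station must be on the same subnet"
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return False, f"invalid gateway: {exc}"
    if gw not in iface.network:
        return False, f"gateway {gw} is not in subnet {iface.network}"
    if gw == iface.ip:
        return False, "gateway must not be the management port's own address"
    return True, f"gateway {gw} is on {iface.network}"


def validate_ipv6(address_with_prefix, gateway=None):
    """Validate an `ip6 {ip-address/prefix-length} [gateway]` line; return (ok, reason)."""
    if "/" not in address_with_prefix:
        return False, "IPv6 address must carry a /prefix-length"
    try:
        iface = ipaddress.IPv6Interface(address_with_prefix)
    except ValueError as exc:
        return False, f"invalid IPv6 address: {exc}"
    if gateway is None:
        return True, "no gateway"
    try:
        gw = ipaddress.IPv6Address(gateway)
    except ValueError as exc:
        return False, f"invalid gateway: {exc}"
    if gw not in iface.network:
        return False, f"gateway {gw} is not on {iface.network}"
    return True, f"gateway {gw} is on {iface.network}"


if __name__ == "__main__":
    # Values from Figure 3 and the ip6 example in the guide.
    print(validate_ipv4("192.168.10.10", "255.255.255.0", "192.168.10.1"))
    print(validate_ipv4("192.168.10.10", "255.255.255.0", "192.168.1.1"))
    print(validate_ipv6("2001:DB8::211:11FF:FE58:743/64", "2001:DB8::20F:F7FF:FE84:BFC2"))
```

The second call in the usage block shows the classic mistake the guide warns about: a gateway taken from the management station's subnet (192.168.1.0/24) rather than the ETEP's own, which the check rejects.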
Related topics:
● “Changing the Auto-negotiation Settings on the Local and Remote Ports” on page 41
● “autoneg” on page 128
● “ip” on page 148
● “ip6” on page 150
Setting the Date and Time
Setting the date and time on the ETEP helps ensure that the appliance’s time can be synchronized properly with other ETEPs or components in the EncrypTight system. The time zone on the ETEP is set to UTC 0 (Coordinated Universal Time), and is not user configurable. Enter the date and time relative to UTC 0, also referred to as Greenwich Mean Time (GMT). To calculate the local time relative to UTC, add or subtract the offset hours from UTC for the local time zone (UTC ± n). The following examples give the local time at various locations at 12:00 UTC when daylight saving time is not in effect:
● New York City, United States: UTC-5; 07:00
● New Delhi, India: UTC+5:30; 17:30
To set the date and time:
1 At the command prompt, type configure to enter configuration mode.
2 At the config> prompt, type:
    date {year} {month} {day} {hour} {minutes} {seconds}
  year      2008-2037
  month     01-12
  day       01-31
  hour      00-23
  minutes   00-59
  seconds   00-59
3 Type exit to return to the command prompt.
Example
    admin> configure
    config> date 2008 10 11 15 30 00
    config> exit
Entering the Throughput License
The method for entering licenses on the ETEP depends on your management software:
● For ETEPs that are managed exclusively through the command line, follow the procedure in this section.
● For EncrypTight deployments, throughput licenses must be managed with the EncrypTight software. Licenses entered from the CLI are not recognized as valid in an EncrypTight deployment. See the EncrypTight User Guide for more information.
Each ETEP is capable of transmitting traffic at a range of speeds that varies by model. When you install the license you purchased, ETEPs transmit traffic at the speed specified by the license. Table 14 lists the available speeds for each ETEP model.
Table 14  ETEP Throughput Speeds
Model     Available Throughput
ET0010A   3, 6, 10, 25, 50 Mbps
ET0100A   100, 155, 250 Mbps
ET1000A   500, 650 Mbps, 1 Gbps
You need to install a license on each ETEP that you use. Licenses are linked to the serial number of the ETEP on which they are installed. You cannot install a license intended for one ETEP on a different ETEP. If you upgrade from a command line-only installation to a full EncrypTight deployment, you can no longer use the command line-only license and must acquire an EncrypTight license.
To add a license from the command line:
1 At the command prompt, type configure to enter configuration mode.
2 At the config> prompt, type license {string}, where string is the license provided by Customer Support. Enter the license exactly as provided. The license is case sensitive. The license will look something like this:
    1:0:0508C482:10:258482fab2
To view the throughput speed:
1 At the command prompt, type show throughput-speed. The throughput speed is also displayed in the output of the show running-config command.
Examples
The following example adds a 25 Mbps license to the ET0010A.
    admin> configure
    config> license 1:0:0508C482:25:258482fab2
The next example displays the ET0010A throughput speed.
    admin> show throughput-speed
    Data Plane Throughput Speed: 25 MBits
Changing the Auto-negotiation Settings on the Local and Remote Ports
Auto-negotiation and flow control are configured on a per port basis. Management, local, and remote port auto-negotiation settings are configured independently of each other.
The default setting for the ETEP enables auto-negotiation, which negotiates the link speed, duplex setting, and flow control. Use the autoneg command if the device that the ETEP connects to from a particular port does not support auto-negotiation or flow control.
It is essential that the ETEP port and the connecting device’s port are configured the same way. Both devices should either auto-negotiate or be set manually to the same speed and duplex mode. Having one device set manually and the other auto-negotiate can cause problems that make the link perform slowly. When manually setting the ETEP link speed, configure the speed and duplex mode to match that of the other device. On the local and remote ports, the ETEPs support the speeds shown in Table 15.
Table 15  Link speeds on the local and remote ports
Link speed              Auto-negotiate (All ETEPs)   Fixed Speed (ET0010A / ET0100A)   Fixed Speed (ET1000A)
10 Mbps Half-duplex
10 Mbps Full-duplex
100 Mbps Half-duplex
100 Mbps Full-duplex
1000 Mbps Full-duplex
(Each link speed is marked as supported in two of the three columns in the original table; the column marks were not recoverable from the extracted text.)
NOTE If you are using copper SFP transceivers, auto-negotiation must be enabled on the ET1000A and on the device that the ET1000A is connecting to. The recommended copper SFP transceivers negotiate only to 1 Gbps, even though they advertise other speeds. See the ETEP Release Notes for a list of recommended transceivers.
To configure the auto-negotiation settings:
1 Enter remote or local configuration mode.
    admin> configure
    config> {local-interface | remote-interface}
2 Configure the autoneg command. Attributes are described in Table 16.
    autoneg {enable} | {disable [speed] [flow-control]}
Table 16  Auto-negotiation command description
Attribute      Description
enable         Turns auto-negotiation on. When auto-negotiation is enabled, the other attributes are not used. This is the default setting.
disable        Disables auto-negotiation. Use this setting to manually configure link speed and flow control.
speed          [default | 1000m | 100m-full | 10m-full | 100m-half | 10m-half] When auto-negotiation is disabled, the speed attribute specifies the link speed and duplex setting. On the local and remote ports, the speed of the default setting is hardware dependent: ET0010A = 10m-full, ET0100A = 100m-full, and ET1000A = 1000m.
flow-control   [on | off] When auto-negotiation is disabled, this attribute configures the flow control setting. The flow control setting defaults to on.
Examples
The following example disables auto-negotiation on the remote interface. The speed is set to 100 Mbps full-duplex, and flow control is set to on.
    admin> configure
    config> remote-interface
    rem-if> autoneg disable 100m-full on
The next example restores auto-negotiation on the local interface.
    admin> configure
    config> local-interface
    loc-if> autoneg enable
Related topic:
● “autoneg” on page 128
Setting Loss of Signal Pass Through
The ETEP can be configured to propagate a loss of signal event detected at one of its data ports to the device connected to its other data port. The ETEP performs this function by monitoring for loss of signal at the port’s receiver. For example, when loss of signal is detected on the ETEP’s remote port, the local port transmitter is disabled, generating a loss of signal event in the connecting device’s port. When the loss of signal event clears on the remote port, the local port transmitter is enabled, clearing the event in the connecting device’s port. Similarly, when a loss of signal is detected on the local port, the remote port transmitter is disabled.
Alternatively, the ETEP port transmitter can be configured to always remain enabled, regardless of the other port’s link state. In this state the ETEP can reliably recover from a link loss. But because the transmitter is always on, the appliance may inadvertently mask cable or device failures in the network. The transmitter behavior configuration should be the same on both the local and remote ports.
To change the transmitter behavior:
1 Enter remote or local configuration mode.
    admin> configure
    config> {local-interface | remote-interface}
2 Configure the tx-enable command. Attributes are described in Table 17.
    tx-enable {always | follow-rx}
Table 17  tx-enable command description
Attribute    Description
always       The transmitter is always on regardless of whether a signal is detected.
follow-rx    The transmitter follows the behavior of the receiver. If loss of signal is detected on the remote port, then the transmitter on the local port is disabled. Similarly, if loss of signal is detected on the local port, the ETEP disables the transmitter on the remote port. When the lost signal is restored, the correlating transmitter is enabled. This is the default setting.
Example
The following example sets the remote port transmitter to follow the receiver.
    admin> configure
    config> remote-interface
    rem-if> tx-enable follow-rx
Related topic:
● “tx-enable” on page 197
Changing the CLI Inactivity Time-out
The CLI session is terminated if no activity is detected on the CLI in a specified amount of time. When the CLI inactivity time-out is set to zero the session does not expire. The inactivity timer is set to 10 minutes by default. The timer applies to a CLI session initiated through the serial port or through SSH. Setting the inactivity timer does not affect the current CLI session. The change is effective on all subsequent CLI sessions.
To change the CLI inactivity timer:
1 At the command prompt, enter the cli-inactivity-timer command, where minutes is the number of minutes, ranging from 0–1440 minutes (24 hours).
    admin> cli-inactivity-timer {minutes}
Related topic:
● “cli-inactivity-timer” on page 134
Configuration Examples
The following example illustrates the commands used for initial setup of the ETEP to configure the following parameters: management IP address, subnet mask, and default gateway; auto-negotiation; date and time. The autoneg command needs to be configured only if you want to disable auto-negotiation and configure the link speed and flow control manually.
    pep login: admin
    Password: *****
    admin> configure
    config> management-interface
    man-if> ip 192.168.10.10 255.255.255.0 192.168.10.1
    man-if> autoneg disable 100m-full on
    man-if> exit
    config> date 2008 10 15 12 30 00
    config> exit
    admin>
The next example sets the tx-enable command to follow the receiver on the remote and local ports, and changes the CLI inactivity timer to zero so that it does not expire.
    admin> configure
    config> remote-interface
    rem-if> tx-enable follow-rx
    rem-if> exit
    config> local-interface
    loc-if> tx-enable follow-rx
    loc-if> exit
    config> cli-inactivity-timer 0
    config> exit
Layer 2 Configuration
Check the following settings when the ETEP is operating in a Layer 2 deployment:
● Configure the IKE VLAN tag if you are deploying Layer 2 point-to-point policies in a network that requires a specific VLAN tag for all Ethernet traffic. This feature is disabled by default.
● Verify that transparent mode is enabled for Layer 2 policies (enabled by default).
Layer 2 configuration commands are available to the Admin user.
Assigning a VLAN Tag
When the ETEP is configured for operation with Layer 2 point-to-point policies, the two ETEPs must be able to communicate with each other to exchange key information. In some Layer 2 networks, all frames must have a VLAN tag to traverse the network. The ETEP can be configured to add a VLAN tag to the Ethernet frames used for ETEP-to-ETEP communications. This setting has no effect when the ETEP is configured for use in EncrypTight distributed key policies.
To assign a VLAN tag:
1 Enter remote configuration mode.
    admin> configure
    config> remote-interface
2 Configure the vlan-tag command. Attributes are described in Table 18.
    vlan-tag {enable [tag-priority] [tag-id]} | {disable}
Table 18  vlan-tag command description
Attribute      Description
enable         Enables the VLAN tag function.
disable        Disables the VLAN tag function. This is the default.
tag-priority   Sets the VLAN tag priority. Valid values range from 0–7. The default value is 0.
tag-id         Sets the VLAN ID. Valid values range from 0–4094. The default value is 1.
ETEP CLI User Guide
45
Configuring the ETEP
Example The following example enables the VLAN tag feature on the ETEP’s remote interface. The priority is set to 1 and the VLAN ID is set to 4. admin> configure config> remote-interface rem-if> vlan-tag 1 4
Related topic: ●
“vlan-tag” on page 205
Verifying Transparent Mode

Transparent mode is the ETEP’s default mode of operation. When operating in transparent mode the ETEP’s remote and local ports are not viewable from a network standpoint. The local and remote ports do not have user-assigned IP addresses. The ETEP should be in transparent mode when being used in Layer 2 IKE policies.

In non-transparent mode, the local and remote ports have user-assigned IP addresses. Non-transparency settings apply when the ETEP is configured for Layer 3 operation and being used in a distributed key policy that uses a virtual IP address or remote IP address.

Before defining a Layer 2 or Layer 3 point-to-point policy, verify that transparent mode is configured properly on the ETEP:

Table 19: Transparent mode configuration

  Mode of operation                  Transparent mode setting
  Layer 2 point-to-point IKE policy  Transparent mode enabled
  Layer 3 point-to-point IKE policy  Transparent mode disabled

To verify the transparent mode setting on the ETEP, issue the show running-config command and look for the output shown in Figure 4. To learn how to change the transparent mode setting, see “Configuring Transparent Mode” on page 53.

Figure 4: show running-config output
Layer 3 Configuration

This section includes the following topics:
● “Interoperating with the Network” on page 47. You may need to configure other network settings in order for the ETEP to interoperate in the network. These settings include reassembly of fragmented packets, DF bit handling, and DHCP relay functionality.
● “Configuring Transparent Mode for Layer 3 Policies” on page 52. Transparent mode is the ETEP’s default mode of operation and is appropriate for most Layer 3 distributed key policies. To use the ETEP in a Layer 3 virtual IP policy you must disable transparent mode operation and assign IP addresses to the local and remote ports.

Layer 3 configuration commands are available to the Admin user.
Interoperating with the Network

This section includes the following topics:
● “Reassembling Fragmented Packets” on page 48
● “DF Bit Handling” on page 49
● “IPv6 Traffic Handling” on page 50
● “Using DHCP Relay on a Remote Network” on page 50

Table 20 provides a description of each command along with its default setting.

Table 20: Commands that control network interoperability

  reassembly    Specifies who performs the reassembly of fragmented packets: the destination host or gateway. The gateway setting is needed for ETEP to ETEP connections. Default setting: gateway
  dfbit-ignore  Specifies whether to accept or ignore the DF bit setting in the IP packet header. Default setting: on
  ipv6Traffic   Specifies what to do with IPv6 packets that are received on the local or remote ports: discard them or pass them in the clear. Default setting: clear
  dhcprelay     Allows DHCP clients on the local port subnet to access a DHCP server that is on a different subnet. Default setting: disabled
Reassembling Fragmented Packets

The reassembly command applies to packets entering the ETEP’s local port that are subject to fragmentation. This command specifies whether packets are fragmented before or after they are encrypted and who performs the reassembly of the fragmented packet: the destination host or gateway.

The reassembly command applies only when the ETEP’s policy mode is set to Layer 3. When the policy mode is set to Layer 2, packets that are subject to fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are discarded.

When the reassembly command is set to gateway, the ETEP sets the dfbit-ignore command to on. When the reassembly command is set to host, the ETEP sets the dfbit-ignore command to off by default but allows the setting to be changed.

To configure reassembly on the ETEP:
1 Enter local configuration mode.
  admin> configure
  config> local-interface
2 Configure the reassembly command. Attributes are described in Table 21.
  reassembly {host | gateway}

Table 21: reassembly command description

  host     This setting is required for the ETEPs to interoperate successfully with some security gateways. Packets are fragmented before they are encrypted, and the encryption header is added to the packet fragments. The destination host performs the reassembly.
  gateway  This setting is recommended for ETEP-ETEP encryption. Packets are encrypted first and then fragmented based on the new packet size, which includes the encryption header. This behavior is consistent with RFC 2401. The gateway (ETEP) performs the reassembly. This is the default setting.

Example

The following example sets the reassembly mode to gateway.
  admin> configure
  config> local-interface
  loc-if> reassembly gateway

Related topics:
● “DF Bit Handling” on page 49
● “reassembly” on page 181
DF Bit Handling

When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to ignore the “do not fragment” (DF) bit in the IP header, and fragment outbound packets that exceed the MTU of the system. This setting should be used under the following conditions:
● Reassembly mode is set to gateway
● ICMP is blocked at the firewall
● PMTU path discovery isn’t working. A symptom of a PMTU problem is when the network operates normally when traffic passes in the clear but loses packets when encryption is turned on.

You can override the default behavior by disabling the DF bit handling on the local port. The ETEP will then discard packets in which the DF bit is set and the packet length, including the encryption header, exceeds the PMTU.

To configure the DF bit handling on the ETEP:
1 Enter local configuration mode.
  admin> configure
  config> local-interface
2 Configure the dfbit-ignore command. Attributes are described in Table 22.
  dfbit-ignore {on | off}

Table 22: dfbit-ignore command description

  on   The ETEP ignores the DF bit in the IP header and fragments outbound packets greater than the MTU of the system. When the reassembly command is set to gateway, the ETEP sets the dfbit-ignore command to on. This is the default setting.
  off  The ETEP acts in accordance with the DF bit setting in the IP header.

Example

The following example restores the default setting for the dfbit-ignore command.
  admin> configure
  config> local-interface
  loc-if> dfbit-ignore on

Related topics:
● “Reassembling Fragmented Packets” on page 48
● “dfbit-ignore” on page 138
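As an added example that is not part of the ETEP guide or the appliance software, the following Python models the interaction of the reassembly and dfbit-ignore settings covered in the two sections above: gateway mode forces dfbit-ignore on, host mode resets it to off but leaves it changeable, and a packet that exceeds the path MTU once the encryption header is added is fragmented or discarded depending on the DF bit and the dfbit-ignore setting. The class and function names and the ESP_OVERHEAD figure are assumptions made for this example; the rules it encodes are the ones the guide states.

```python
# Added example, not from the ETEP guide: a small model of how the reassembly
# and dfbit-ignore settings decide what happens to an outbound packet.
# The class, function names and ESP_OVERHEAD are assumptions for illustration.
from dataclasses import dataclass

# Constructed figure: bytes the encryption header and trailer add to a packet.
# The guide does not state the real overhead, so this value is illustrative only.
ESP_OVERHEAD = 48


@dataclass
class LocalInterface:
    """Mirrors the two local-interface settings: reassembly and dfbit-ignore."""
    reassembly: str = "gateway"   # 'gateway' (default) or 'host'
    dfbit_ignore: bool = True     # dfbit-ignore on (default) or off

    def set_reassembly(self, mode: str) -> None:
        # Per the guide: gateway sets dfbit-ignore on; host sets it off by default.
        if mode not in ("host", "gateway"):
            raise ValueError(f"reassembly must be host or gateway, not {mode!r}")
        self.reassembly = mode
        self.dfbit_ignore = mode == "gateway"

    def set_dfbit_ignore(self, on: bool) -> None:
        # Assumption: because gateway mode forces dfbit-ignore on, a request to
        # turn it off in that mode is rejected here rather than silently ignored.
        if self.reassembly == "gateway" and not on:
            raise ValueError("dfbit-ignore stays on while reassembly is set to gateway")
        self.dfbit_ignore = on

    def fragmentation_order(self) -> str:
        """Which operation happens first, as described in Table 21."""
        if self.reassembly == "gateway":
            return "encrypt-then-fragment"
        return "fragment-then-encrypt"


def outbound_action(cfg: LocalInterface, length: int, df_set: bool, pmtu: int) -> str:
    """Decide the fate of a packet of `length` bytes entering the local port.

    Returns 'pass' when the encrypted packet fits the path MTU, 'fragment' when it
    does not fit and the DF bit is absent or ignored, and 'discard' when DF is set,
    dfbit-ignore is off, and the packet plus encryption header exceeds the PMTU.
    """
    if length + ESP_OVERHEAD <= pmtu:
        return "pass"
    if df_set and not cfg.dfbit_ignore:
        return "discard"
    return "fragment"
```

The 'discard' branch is the symptom the guide describes: a packet that fits the path MTU in the clear no longer fits once the encryption header is added, and with the DF bit honoured it is dropped rather than fragmented. When troubleshooting, check the reassembly setting first, because setting it to gateway also turns dfbit-ignore back on.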
IPv6 Traffic Handling

Layer 3 encryption policies support only IPv4 traffic. The ipv6Traffic command determines how the ETEP handles any IPv6 packets that it receives on its local and remote ports. The ETEP can either pass the IPv6 packets in the clear or discard them. This setting applies only when the ETEP is configured for Layer 3 operation.

To configure IPv6 traffic handling on the data ports:
1 Enter policies mode.
  admin> configure
  config> policies
2 Configure the ipv6Traffic command. Attributes are described in Table 23.
  ipv6Traffic {clear | discard}

Table 23: ipv6Traffic command description

  clear    IPv6 packets are passed in the clear. This is the default setting.
  discard  IPv6 packets are discarded.

Example

This example configures the ETEP to discard IPv6 traffic.
  admin> configure
  config> policies
  policies> ipv6Traffic discard

Related topic:
● “ipv6Traffic” on page 153
Using DHCP Relay on a Remote Network

The dhcprelay command needs to be enabled only on ETEPs that have DHCP clients on the local port that require access to a DHCP server that is on a different subnet from the local clients (see Figure 5). This feature is not needed when DHCP servers or relay agents are on the same local network with the DHCP clients, nor is it needed on the ETEP at the remote site where the DHCP server is located. The DHCP relay feature is applicable in Layer 3 IP networks.

Figure 5: DHCP Relay allows local clients to access a DHCP server on a remote subnet

Local and remote port IP addresses are required for proper DHCP Relay Agent behavior. In order to use local and remote port IP addresses, the ETEP must be operating in non-transparent mode. Complete the following steps to use the DHCP relay feature:
1 Assign local and remote port IP addresses to the ETEP, using the ip command.
2 Disable transparent mode operation, using the transparent-mode-enable command.
3 Configure the DHCP relay feature on the ETEP.

To configure the DHCP relay feature on the ETEP:
1 Enter local configuration mode.
  admin> configure
  config> local-interface
2 Configure the dhcprelay command. Attributes are described in Table 24.
  dhcprelay {enable <ipAddress> | disable}

Table 24: dhcprelay command description

  enable     Enables the DHCP relay feature on the ETEP.
  ipAddress  Sets a unicast IP host address for use by the ETEP. This is the IP address of the DHCP server.
  disable    Disables the DHCP relay feature. This is the default setting.

Example

The following example assigns local and remote port IP addresses to the ETEP, disables transparent mode, and then enables the dhcprelay command, specifying 10.168.67.55 as the DHCP server address.
  admin> configure
  config> remote-interface
  rem-if> ip 192.168.1.145 255.255.192.0 192.168.1.1
  rem-if> exit
  config> local-interface
  loc-if> ip 192.168.1.125 255.255.192.0
  loc-if> exit
  config> transparent-mode-enable false
  config> local-interface
  loc-if> dhcprelay enable 10.168.67.55

Related topics:
● “Assigning Remote and Local Port IP Addresses” on page 52
● “Configuring Transparent Mode” on page 53
● “dhcprelay” on page 139
Configuring Transparent Mode for Layer 3 Policies

Transparent mode is the ETEP’s default mode of operation on the local and remote ports. It is required for Layer 2 policies and is appropriate for most Layer 3 distributed key policies. In transparent mode, the ETEP is not viewable from a network standpoint. The local and remote ports do not utilize user-assigned IP addresses.

If you want to conceal the original source IP address when sending encrypted traffic, configure the ETEP to operate in non-transparent mode. Non-transparent mode is also used when sending traffic over the internet. Since private IP addresses cannot be routed over the internet, any traffic between private networks transmitted over the internet must use public IP addresses. See the EncrypTight User Guide for more information about addressing options and creating policies using virtual IP addresses.

To configure the ETEP for non-transparent mode, do the following:
● Assign IP addresses to the local and remote ports (on page 52)
● Disable transparent mode, thereby allowing the ETEP to use the data port IP addresses in a Layer 3 policy (on page 53)
Assigning Remote and Local Port IP Addresses

The ip command sets an IPv4 IP address, subnet mask, and default gateway for the interface being configured. The remote port connects the ETEP to an untrusted network, which is typically a WAN, campus LAN, or MAN. The local port IP address identifies the ETEP to the device on the local side of the network, such as a server or a switch.

On the local and remote interfaces, the ip command is used when the transparent-mode-enable command is disabled. When operating in non-transparent mode, first configure the ip command on the local and remote interfaces, and then set the transparent-mode-enable command to false. If you change the remote IP address on an ETEP that is already deployed in a policy, you must redeploy your policies after the new configuration is pushed to the appliance.

To configure the local and remote ports:
1 Enter remote or local configuration mode.
  admin> configure
  config> {local-interface | remote-interface}
2 Configure the ip command. Attributes are described in Table 25.
  ip <ip address> <subnet mask> [<gateway>]

Table 25: ip command description

  ip address   IPv4 IP address in dotted decimal notation.
  subnet mask  The subnet mask must be entered in dotted decimal notation.
  gateway      The default gateway IP address is used when the ETEP is in a routed network. If the ETEPs are in the same subnet with no routers between them, you may leave the default gateway field blank. The ETEP determines if the packet destination is on the same subnet as the port, and if so, uses ARP to resolve the destination MAC address. If the packet destination IP address is on a different subnet, the ETEP sends the packet to the designated default gateway.

Example

This example sets the remote and local port IP addresses. A default gateway is specified on the remote interface for traffic traversing a routed network. The local interface traffic is on the same subnet as the local port, therefore no gateway is needed.
  admin> configure
  config> remote-interface
  rem-if> ip 192.0.2.150 255.255.192.0 192.0.2.1
  rem-if> exit
  config> local-interface
  loc-if> ip 192.0.2.125 255.255.192.0
  loc-if> exit
  config>

Related topics:
● “Configuring Transparent Mode” on page 53
● “ip” on page 148
Configuring Transparent Mode

The transparent-mode-enable command configures whether the ETEP is viewable from a network standpoint. When operating in transparent mode, the local and remote ports do not utilize user-assigned IP addresses.

Transparent mode is the ETEP’s default mode of operation. It is appropriate for most Layer 3 distributed key policies. In transparent mode, the ETEP is not viewable from a network standpoint. In Layer 3 IP networks the local and remote ports cannot be contacted through an IP address, and they do not respond to ARPs.

In non-transparent mode, the original source IP address in the outbound packet header is replaced with an IP address for the remote port. The ETEP port MAC address is used as the packet’s source MAC address. You must assign IP addresses to the local and remote ports when configuring the ETEP for this mode of operation. Non-transparency settings apply when the ETEP is configured for Layer 3 operation and being used in a distributed key policy that uses a virtual IP address or remote IP address. See the EncrypTight User Guide for more information about addressing options and creating policies using virtual IP and remote IP addresses.

To configure transparent mode:
1 Before you can disable transparent mode, you must assign IP addresses to the local and remote ports. If you haven’t already done so, see “Assigning Remote and Local Port IP Addresses” on page 52 to learn how.
2 Enter configuration mode.
  admin> configure
  config> {local-interface | remote-interface}
3 Configure the transparent-mode-enable command. Attributes are described in Table 26.
  transparent-mode-enable {true | false}

Table 26: transparent-mode-enable command description

  true   Enables transparent mode on the ETEP. This is the default setting. It is used for Layer 2 point-to-point policies and most EncrypTight distributed key policies.
  false  Disables transparent mode on the ETEP. This setting is required for distributed key policies that use virtual IP or remote IP addresses.

Example

The following example disables transparent mode on the ETEP.
  admin> configure
  config> transparent-mode-enable false

Related topics:
● “Assigning Remote and Local Port IP Addresses” on page 52
● “transparent-mode-enable” on page 196
Shutting Down the ETEP

It is important that a proper system shutdown is performed prior to powering off the appliance. The shutdown command halts all running tasks on the ETEP and prepares it for being powered off. Failure to perform a shutdown may lead to file system corruption and potential appliance failure. The ETEP remains in a shutdown state until the power is cycled. The shutdown state is indicated with an operational code on the status/diagnostic display as shown in Table 27.

Table 27: Shutdown operational codes

  Appliance model   Operational code
  ET0010A           2, 3, 4
  ET0100A, ET1000A  ––

To shut down the ETEP from the CLI:
1 Log in as Administrator (user name admin) or Ops (user name ops).
2 At the command prompt, type shutdown. After the system shutdown is complete, the following message is displayed on the terminal.
  Power cycle required to reboot appliance
3 Unplug the power cable from the back of the unit or from the power outlet.

Example

In the following example the user logs in as admin and shuts down the ETEP.
  pep login: admin
  Password:
  Last login: Tue Apr 8 15:12:21 2008 on ttyS0
  Welcome admin it is Tue Apr 8 15:17:57 UTC 2008
  admin> shutdown

Related topic:
● “shutdown” on page 190
Chapter 4: Creating Policies

This section includes the following topics:
● Creating Layer 2 Point-to-Point Policies
● Creating Local Site Policies
● Securing Management Port Traffic with IPsec

This chapter explains how to create standalone policies on the data path and on the management port using the CLI commands. Standalone policies are typically point-to-point policies. They are configured, managed, and keyed independently from the EncrypTight distributed key policies. Policy configuration commands are available to the Admin user.
NOTE We recommend setting the time on the ETEPs before setting up your policies. Changing the clocks after the policy is established may cause traffic to be dropped.
Creating Layer 2 Point-to-Point Policies

It takes only a few minutes to configure the ETEP for Layer 2 point-to-point operation. After completing the initial setup as described in Chapter 3, perform the following tasks for each appliance:
1 Configure a Layer 2 point-to-point policy.
2 Define the policy mode, which configures the ETEP for Layer 2 and sets its keying method.

To learn about the keying method and algorithms that the ETEP uses to secure traffic in Layer 2 point-to-point policies, see “How the ETEP Encrypts and Authenticates Layer 2 Traffic” on page 63.

Related topics:
● “Defining a Layer 2 Point-to-Point Policy” on page 58
● “Configuring the Policy Mode” on page 59
● “Layer 2 Policy Example” on page 60
● “Verifying the Policy” on page 62

Defining a Layer 2 Point-to-Point Policy

The layer2-p2p command allows an Administrator user to define a Layer 2 point-to-point policy on the ETEP. This command is available from policies mode.

To configure a Layer 2 point-to-point policy on the ETEP:
1 Log in to the CLI as the Administrator user.
2 At the admin> prompt, type configure and press ENTER.
3 At the config> prompt, type policies and press ENTER.
4 At the policies> prompt, enter the layer2-p2p command. See Table 28 for a description of the attributes.
  layer2-p2p {<traffic-handling>} [<role>] [<auth-method>] [<preshared-key>] [<group-id>]
  The policy does not take effect until the ETEP has been configured to operate in Layer 2 point-to-point mode using the policy-mode CLI command (see “Configuring the Policy Mode” on page 59).
5 Configure a policy on the companion ETEP to use the identical preshared key and group ID. The companion ETEP must be assigned the opposite role of its peer (primary or secondary).
Table 28: layer2-p2p command description

  Traffic-handling  {encrypt | clear | discard} The ETEP has three options for processing packets:
                    • Encrypt all packets
                    • Discard all packets
                    • Pass all packets in the clear
                    Under normal operation, the ETEP is configured to encrypt all traffic that is exchanged between two peer appliances. This is the ETEP’s default mode. Other methods of traffic handling are used for debugging and troubleshooting.
  Role              [primary | secondary] When the traffic-handling attribute is set to encrypt, one of the ETEPs must be assigned the primary role and the other the secondary role. The appliance role is used in the process of establishing a security association (SA) between ETEP peers. The ETEPs will not function properly if both appliances are configured with the same role. The role is not used when the traffic-handling attribute is set to discard or clear.
  Auth-method       preshared-key The ETEP uses the preshared key string to authenticate its peer’s identity before beginning to negotiate the SAs.
  Preshared-key     We recommend that you change the key from its default value of 01234567 prior to deploying the ETEP. The identical key value must be entered in both appliances. Note the following conventions when creating a preshared key:
                    • The key is a case-sensitive alphanumeric string from 8-255 characters in length.
                    • Valid characters are upper and lower alpha characters and numbers 0-9.
                    • All special characters are allowed except the following: ? “ { } [ ] ( ) = \ < > & and #
                    • To include a space, enclose it in double quotes.
  Group-id          Valid group ID values range from 0-9. The default value is 0. A pair of ETEPs must be configured with the same group ID in order to communicate properly with each other. If you are using only one pair of ETEPs in the same subnet you can use the default group ID. If more than one pair of ETEPs is used within the same Layer 2 network, the group ID isolates the traffic from one pair of ETEPs from any other pair. Each appliance can belong to only one group.

Example

The following example configures the ETEP to encrypt all traffic, assigns the secondary role to the ETEP, defines a preshared key, and sets the group ID to 0.
  admin> configure
  config> policies
  policies> layer2-p2p encrypt secondary preshared-key MyS3cr31tK3y 0

The next example configures the ETEP to pass all traffic in the clear.
  admin> configure
  config> policies
  policies> layer2-p2p clear
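To catch a bad key before it is entered on both appliances, here is an added Python check that is not part of the guide or the ETEP software. It applies the preshared-key conventions from Table 28 (length, forbidden characters, printable text) and refuses the factory default the table names. The function names are assumptions, and cli_argument quotes the whole key when it contains a space, which is one reading of the table's quoting rule.

```python
# Added example, not from the ETEP guide: validates a candidate preshared key
# against the Table 28 conventions before it is configured with layer2-p2p.
# Function names are assumptions made for this example.
import string

# Characters Table 28 lists as not allowed in a preshared key.
FORBIDDEN_CHARS = set('?"{}[]()=\\<>&#')
# Factory default named in Table 28; deploying with it defeats peer authentication.
DEFAULT_KEY = "01234567"
# Whitespace other than a plain space has no place in a key typed at the CLI.
CONTROL_CHARS = set("\t\n\r\x0b\x0c")


def validate_preshared_key(key: str) -> list:
    """Return a list of problems with `key`; an empty list means it is acceptable."""
    problems = []
    if not 8 <= len(key) <= 255:
        problems.append(f"length {len(key)} is outside 8-255 characters")
    bad = sorted({c for c in key if c in FORBIDDEN_CHARS})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if any(c not in string.printable or c in CONTROL_CHARS for c in key):
        problems.append("contains non-printable or control characters")
    if key == DEFAULT_KEY:
        problems.append("key is the factory default and must be changed before deployment")
    return problems


def peers_agree(local_key: str, remote_key: str) -> bool:
    """Both ETEPs must carry the identical key; the comparison is case-sensitive."""
    return local_key == remote_key


def cli_argument(key: str) -> str:
    """Render the key as it would be typed on the CLI.

    Table 28 says a space must be enclosed in double quotes. This helper quotes
    the whole key when it contains a space; that is an assumption about the CLI's
    quoting, since the guide shows no example of a key containing a space.
    """
    return f'"{key}"' if " " in key else key
```

Run the check on the key for each appliance and compare the two with peers_agree before deploying; a mismatch or a leftover default key only shows up later as a failed SA negotiation.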
Configuring the Policy Mode

The policy-mode command allows an Administrator user to configure the encryption policy settings for the ETEP. This includes the following:
● Configure the ETEP for use in Layer 2 or Layer 3 policies
● Enable or disable EncrypTight policy management
● Enable or disable passing TLS traffic in the clear, which allows TLS-based management traffic to pass unencrypted.

When ETEPs are shipped from the factory, their default policy mode is Layer 3, EncrypTight policy management is enabled, and TLS traffic passes in the clear. Several of these settings need to be modified for Layer 2 point-to-point operation.
CAUTION When you change the policy-mode of an in-service ETEP, all encrypt and drop policies currently installed on the ETEP are removed. Traffic is sent in the clear until you create and deploy new policies.
To configure the policy mode on the ETEP:
1 Log in to the CLI as the Administrator user.
2 At the admin> prompt, type configure and press ENTER.
3 At the config> prompt, type policies and press ENTER.
4 At the policies> prompt, enter the following command. See Table 29 for a description of the attributes.
  policy-mode {<policy>} {<enable-CE>} [tls-clear]

Table 29: policy-mode command description

  policy     {layer2 | layer3} The policy setting determines whether the ETEP can be used in Layer 2 Ethernet or Layer 3 IP policies. ETEPs that are configured for Layer 2 cannot be used in Layer 3 policies and vice versa.
  enable-CE  {true | false} The EncrypTight setting defines whether or not EncrypTight is used for policy management. If you are creating a Layer 2 point-to-point policy, set the EncrypTight attribute to false. For distributed key policies, set the EncrypTight attribute to true.
  tls-clear  [true | false] Passing TLS-based management traffic in the clear (true) is required for EncrypTight distributed key policies, and when the ETEP is managed in-line. This is an optional attribute that defaults to true when enable-CE is true. When the ETEP is operating in Layer 2 point-to-point operation, the tls-clear setting is false.

Example

This example configures the ETEP for Layer 2 point-to-point operation. Since the ETEP will be used in a Layer 2 point-to-point policy, EncrypTight is disabled (false) and TLS-clear is false.
  admin> configure
  config> policies
  policies> policy-mode layer2 false false
Layer 2 Policy Example

The example in Figure 6 shows a pair of ETEPs deployed in a Layer 2 point-to-point configuration. The Administrator logs in and configures the management port, and then sets the date and time. After entering policy configuration mode, the next two commands configure the Layer 2 policy and the policy mode, specifying the ETEP to encrypt traffic at Layer 2, and use IKE negotiation to generate keys (disable EncrypTight).

The remote ETEP is set to the primary role as shown in Figure 7, and the local site ETEP is assigned the secondary role as shown in Figure 8. Both ETEPs are configured with the same preshared key value and group ID.

Figure 6: Layer 2 point-to-point configuration example

Figure 7: Remote site ETEP configuration

Figure 8: Local site ETEP
Verifying the Policy

To check the current policy configuration mode on the ETEP, issue the show encrypt-policy command from command mode or the show command from policies mode. Both show commands display the policy mode and policy if applicable, and indicate whether EncrypTight is enabled. The ETEP is shipped from the factory with the default settings shown below.
  admin> show encrypt-policy
  Encryption policy Layer 3
  EncrypTight policy management enabled: true
  TLS is traffic in clear: enabled

A Layer 2 point-to-point policy is shown in the next example.
  policies> show
  Encryption policy Layer 2
  EncrypTight policy management enabled: false
  Disposition of packet: EthEncrypt
  Role: primary
  Authentication method: pre-shared key
  Pre-shared key: my3har3d33cr3t
  Group id: 0

When the ETEPs are installed and configured properly for a Layer 2 point-to-point policy, they immediately attempt to establish a pair of security associations (SAs). The SAs are used to secure the Ethernet traffic that is exchanged between the two ETEPs.
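The show output above can be audited rather than read by eye. The following Python is an added example, not part of the guide or the appliance: it parses the name: value lines into a dictionary and flags settings that would keep a Layer 2 point-to-point pair from working or that weaken it (EncrypTight still enabled, wrong role, traffic not set to encrypt, factory default preshared key). SAMPLE_OUTPUT is constructed to match the layout shown above, and the function names are assumptions.

```python
# Added example, not from the ETEP guide: parses the text printed by
# `show encrypt-policy` / policies-mode `show` and audits it for a
# Layer 2 point-to-point deployment. Function names are assumptions.
DEFAULT_KEY = "01234567"   # factory default preshared key named in Table 28

# Constructed sample, shaped like the Layer 2 point-to-point output above.
SAMPLE_OUTPUT = """\
Encryption policy Layer 2
EncrypTight policy management enabled: false
Disposition of packet: EthEncrypt
Role: primary
Authentication method: pre-shared key
Pre-shared key: my3har3d33cr3t
Group id: 0
"""


def parse_show_output(text: str) -> dict:
    """Turn the 'name: value' lines into a dict; the first line carries no colon."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
        elif line.startswith("Encryption policy"):
            fields["Encryption policy"] = line[len("Encryption policy"):].strip()
    return fields


def audit_layer2_p2p(fields: dict, expected_role: str) -> list:
    """Return findings that would stop two ETEPs from pairing or weaken the policy."""
    findings = []
    if fields.get("Encryption policy") != "Layer 2":
        findings.append("policy mode is not Layer 2")
    if fields.get("EncrypTight policy management enabled", "").lower() != "false":
        findings.append("EncrypTight must be false for a Layer 2 point-to-point policy")
    if fields.get("Disposition of packet") != "EthEncrypt":
        findings.append("traffic is not set to encrypt")
    if fields.get("Role") != expected_role:
        findings.append(f"role is {fields.get('Role')!r}, expected {expected_role!r}")
    if fields.get("Pre-shared key") == DEFAULT_KEY:
        findings.append("preshared key is still the factory default")
    return findings
```

Run the audit on each appliance with the role it is supposed to hold, so a pair that was accidentally given the same role is caught before the SA negotiation fails. Because the show output includes the preshared key itself, terminal captures and session logs of this command should be handled as sensitive material.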
How the ETEP Encrypts and Authenticates Layer 2 Traffic

When operating as a Layer 2 encryptor in a negotiated policy, the ETEP’s encapsulation mode (CE-ESP) authenticates the encrypted frame’s Ethernet payload. The ETEP uses the AES algorithm with 256-bit keys to encrypt the Ethernet payload. The HMAC-SHA-1 authentication algorithm provides the data origin authentication and data integrity.

Figure 9: Layer 2 encrypted frame format

To encrypt traffic, ETEPs must establish security associations (SAs). A security association defines the processing to be done on a specific packet. It associates security services and a key with the traffic to be protected and the remote peer with whom secured traffic is being exchanged. The SA is a unidirectional secure tunnel through which data passes between the two appliances. Each secure connection has two SAs, one for each direction. SAs are identified by a value called an SPI.

In point-to-point Layer 2 configurations the SAs are automatically negotiated using IKE. Timeout values force the IKE protocol to renegotiate the IKE Phase 1 and Phase 2 keys periodically. The ETEP uses a preshared key for authentication in IKE negotiations. When encrypting traffic the ETEP uses the values shown in Table 30 and Table 31. These values are hard-coded and cannot be modified by the user.

Table 30: IKE Phase 1 Parameters

  Parameter             Value
  Cipher algorithm      AES-256
  Hash algorithm        HMAC-SHA-1
  Diffie-Hellman group  5
  Lifetime              24 hours
  Negotiation mode      Main mode

Table 31: IKE Phase 2 Parameters

  Parameter                 Value
  Cipher algorithm          AES-256
  Hash algorithm            HMAC-SHA-1
  PFS Diffie-Hellman group  5
  Lifetime                  One hour
  Negotiation mode          Main mode
Creating Local Site Policies

Local site policies allow you to create locally configured policies from the command line, without requiring an EncrypTight ETKMS for key distribution. Using the local-site CLI commands you can create manual key encryption policies, bypass policies, and discard policies at either Layer 2 or Layer 3. Mesh policies can be created by defining policies that share the identical keys and SPIs on multiple ETEPs.

The primary use for local site policies is to facilitate in-line management in Layer 2 encrypted networks. These policies supplement existing EncrypTight policies, adding the flexibility to encrypt or pass in the clear specific Layer 3 routing protocols, or Layer 2 Ethertypes and VLAN IDs. Figure 10 shows a network configuration that is managed in-line and protected using EncrypTight. The local site ETEP (1) is on the same subnet as the EncrypTight management devices (2 and 3). The management devices communicate with the remote site ETEPs (4) over the same link that is being protected by the ETEPs.

Figure 10: In-line management of ETEPs

The local-site policy feature gives you the ability to define a set of policies for the in-line management protocols that need to be passed through the ETEP, such as EIGRP, OSPF, RIPv2, or BGP. These policies are high priority policies that are not affected when EncrypTight distributed key policies are deployed on the ETEP. This feature is similar to the ETEP configuration option that allows TLS traffic to pass through the ETEPs in the clear, but it provides the additional flexibility of allowing you to specify several protocols and ports, and to restrict the policy to specific IP addresses. The policy action can be defined as bypass, protect, or discard. Protect policies allow the in-line management traffic to be encrypted with user-defined manual keys.
You can use the local-site CLI commands to create a variety of policies:
● Pass Layer 3 routing protocols in the clear when encrypting traffic at Layer 2
● Encrypt in-line management traffic that is typically passed in the clear when deploying EncrypTight policies, such as TLS and ARP packets
● Create manual key encryption policies for Layer 2 or Layer 3 traffic
● Create discard policies based on Layer 2 selectors (Ethertype or VLAN ID) or Layer 3 selectors

Local site policies cannot be created or deployed when the ETEP is configured for Layer 2 stand-alone operation, as described in “Creating Layer 2 Point-to-Point Policies” on page 57.

Related topics:
● “Policy Configuration” on page 65
● “Configuring a Local Site Bypass or Discard Policy” on page 67
● “Configuring a Local Site Encryption Policy” on page 69
● “policy-mode” on page 176
Policy Configuration

For any policy, you need to decide the following:
● Policy name: uniquely identifies the policy on the ETEP.
● Policy action: bypass, discard, or protect.
  Bypass policy: In a bypass policy, packets pass through the ETEP without encryption being applied. You might use a bypass policy to pass unencrypted protocol-specific messaging packets such as ICMP or TLS, router-to-router messages, or packets from certain types of applications.
  Protect policy: In a protect policy, the ETEP encrypts the traffic that matches the policy selectors using a user-defined manual key.
  Discard policy: A discard policy instructs the ETEP to throw away specified packets. You might use a discard policy to throw away packets from a particular source.
● Policy selectors: Policy selectors are essentially traffic filters. The ETEP has Layer 2 filters and Layer 3 filters. Layer 2 selectors let you filter traffic based on Ethertype or VLAN ID. At Layer 3, policies can be configured with fairly coarse traffic filters, allowing access to an entire subnet or to all destinations (0.0.0.0/0). Or, you can create more granular policies using selectors based on IP subnets, partial subnets, individual destinations, protocol types, or source and destination ports. Unlike distributed key policies, local-site policies associate a single selector with a given policy and manual key combination.
● Policy priority: The policy priority specifies the order in which policies are processed on the ETEP. For each incoming packet the ETEP searches through the list of policies, starting with the policy that has the highest priority, until it finds a match. When it finds a match, the ETEP processes the packet according to the settings in the policy.
  On the ETEP, policies are prioritized in three broad categories: policies based on appliance configurations, local-site policies, and distributed key policies. Appliance configuration settings have the highest priority. Passing TLS traffic in the clear is an example of a policy based on an appliance configuration setting. Local-site policies have the next highest priority range, and take precedence over EncrypTight distributed key policies.
  When you add a new policy, the ETEP automatically assigns it a priority. To avoid duplicate policy priorities, the ETEP decrements the priority by one from the highest priority it finds. For example, if you have two policies with priorities of 65500 and 65499, the ETEP will assign priority 65498 to a new policy. If you have two policies with non-consecutive priorities, such as 65400 and 65200, a new policy will be assigned 65399. In many cases you will want to override the default priority assignments to ensure that traffic is processed in the order in which you intend.
● Policy keying (protect policies only): Encryption policies are manually keyed. These keys are static and refreshed only when the policy is updated.
Related topics:
● “Assigning Policy Names” on page 66
● “Configuring a Local Site Bypass or Discard Policy” on page 67
● “Configuring a Local Site Encryption Policy” on page 69
● “Policy Deployment” on page 72
Assigning Policy Names

Before you can perform any policy configuration, you must add a policy “container” and give it a name. The name is referenced in all subsequent policy configuration actions. Policy names must conform to the following conventions:

● Policy names can range from 1-32 characters.
● Valid characters are upper and lower case alpha characters (a-z), numeric characters (0-9), _ (underscore), and - (dash).
● Policy names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
● Policy names cannot contain a space.
● Names are case-sensitive.

To add a policy:

1 Enter local-site policy configuration mode.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy>
2 Add a policy and assign it a name.
  policy-add <name>
3 Repeat step 2 for each policy that you want to add to the ETEP.
Example

The following example adds two policies. The first policy is named BypassPolicy, and the second one is named EncryptPolicy.

  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-add BypassPolicy
  local-site-policy> policy-add EncryptPolicy
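As an added illustration of the naming conventions above (example code written for this page, not part of the ETEP CLI or its software), the following Python functions apply each rule to a proposed policy name and report which ones it breaks, so a name can be checked before it is typed into policy-add. The sample names are constructed for the demonstration.

```python
import re

# Added example, not part of the ETEP CLI guide: checks a proposed local-site
# policy name against the conventions listed in "Assigning Policy Names".
# One regular expression captures all of the rules at once: first character a
# letter or underscore, then up to 31 letters, digits, underscores or dashes.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_-]")


def is_valid_policy_name(name: str) -> bool:
    """True when the name satisfies every convention (1-32 characters, allowed
    characters only, letter or underscore first, no spaces)."""
    return NAME_RE.fullmatch(name) is not None


def check_policy_name(name: str) -> list:
    """Rule-by-rule version: returns the list of conventions the name breaks,
    so an operator sees why the name would be rejected. Empty list = valid."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("length must be 1-32 characters")
    if " " in name:
        problems.append("spaces are not allowed")
    bad = sorted({c for c in name if c != " " and not ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    if name and not re.fullmatch(r"[A-Za-z_]", name[0]):
        problems.append("first character must be a letter or underscore")
    return problems


def names_are_distinct(names) -> bool:
    """Names are case-sensitive on the ETEP, so 'Bypass' and 'bypass' can
    coexist; only exact duplicates collide."""
    return len(set(names)) == len(names)


if __name__ == "__main__":
    # Constructed sample names, one per rule.
    for candidate in ("BypassPolicy", "_ospf-bypass1", "1policy", "-dash",
                      "my policy", "Policy!", "a" * 33):
        print(f"{candidate!r:40} valid={is_valid_policy_name(candidate)} "
              f"{check_policy_name(candidate)}")
```

The single regular expression and the rule-by-rule checker always agree; the second form is the one to use in a script that pre-validates a batch of policy names, because it tells the operator which convention was broken.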
Configuring a Local Site Bypass or Discard Policy

In a bypass policy, packets pass through the ETEP without being encrypted. Bypass policies are typically used to send Layer 3 protocol-specific messaging packets or router-specific messages through the network in the clear. This is particularly useful in Layer 2 networks that are managed in-line and are protected with Layer 2 EncrypTight distributed key policies.

A discard policy instructs the ETEP to throw away targeted packets. Typically, a discard policy is assigned a low priority. Avoid creating a local site default discard policy that discards any packets that don’t match the local site policy selectors. Because local site policies have a higher priority than EncrypTight distributed key policies, such a default discard policy would cause the ETEP to throw away all packets before any distributed key policy is executed.

To define a bypass or discard policy:

1 Enter local-site policy configuration mode.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy>
2 Enter policy-config mode. As part of the command you will need to enter the name of a policy that has been added (see “Assigning Policy Names” on page 66).
  local-site-policy> policy-config <name>
3 Set the policy-action command to indicate that this is a bypass or discard policy.
  policy-action {bypass | discard}
4 Configure the policy selectors, which determine the traffic that the policy acts on. You can configure a policy with either a Layer 2 selector or a Layer 3 selector, but not both. Layer 2 selectors are valid only when the ETEP is configured for Layer 2 operation. Layer 3 selectors can be used when the ETEP is in Layer 2 or Layer 3 mode. See Table 35 for a description of the command parameters.
  policy-layer2-selector <ethertype> {<vlan-id> | any}
  policy-selector <remote-ip> <local-ip> [<protocol> <remote-port> <local-port>]
5 Assign a unique priority to the policy. Policies are enforced in descending order, with the highest priority policy processed first. Each policy must have a unique priority. Valid values are 65001-65500.
  policy-priority <priority>

After configuring your policies, the next steps are to review the pending changes, back up the policy file, and then deploy the policies. See “Policy Deployment” on page 72 to learn how.
Table 35: Policy selector commands

policy-layer2-selector <ethertype> {<vlan-id> | any}
  Configures Layer 2 selectors. This command is valid only when the ETEP is configured for Layer 2 operation.
  Ethertype: The Ethertype field can be entered as a hexadecimal or decimal value. Hexadecimal values must be preceded by 0x.
  VLAN ID {<vlan-id> | any}: Enter a VLAN ID in the range of 1–4094, or enter “any” to accept any VLAN ID.

policy-selector <remote-ip> <local-ip> [<protocol> <remote-port> <local-port>]
  Configures Layer 3 selectors. The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port).
  remote-ip: IPv4 address and prefix or subnet mask of the endpoint on the far side of the untrusted network. The ETEP accepts a CIDR prefix or dot-decimal subnet mask. The default is 0.0.0.0/0, which means “process all packets” coming from any address.
  local-ip: IPv4 address and prefix or subnet mask of the local endpoint. The ETEP accepts a CIDR prefix or dot-decimal subnet mask. The default is 0.0.0.0/0, “process all packets.”
  Protocol: A decimal value that identifies the IP layer protocol. “Any” accepts all protocols. Range is 1-254.
  Remote and local ports: A decimal value that identifies the transport layer protocol port number for the remote or local endpoint. “Any” means “accept all.” Range is 1-65535.
Related topics:
● “Policy Configuration” on page 65
● “Policy Deployment” on page 72
● “policy-mode” on page 176
Example

The following example adds a policy named BypassOSPF. It is a bypass policy that passes OSPF traffic (protocol 89) in the clear. This policy will have the highest priority of all the policies on the ETEP.

  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-add BypassOSPF
  local-site-policy> policy-config BypassOSPF
  policy-config> policy-action bypass
  policy-config> policy-selector 0.0.0.0/0 0.0.0.0/0 89 any any
  policy-config> policy-priority 65500
Configuring a Local Site Encryption Policy

You can create a manual key encryption policy for Layer 2 or Layer 3 traffic. Layer 2 selectors protect traffic based on Ethertype or VLAN ID. Layer 3 selectors can be configured to protect all traffic, specific subnets, individual hosts, protocols, or ports.

In a manual key policy, the keys that secure the communication between peers are entered manually rather than being automatically generated as they are in an IKE policy. Manual key policies must be deployed on each of the peers that form the secure tunnel endpoints. The encryption and authentication keys must be entered identically on each peer.

Each manual key policy contains two security associations (SAs), one for inbound packets and one for outbound packets. An SA’s direction is relative to the untrusted network, as shown in Figure 11. Packets that are inbound to the ETEP come from the remote peer. Outbound packets come from the local peer and are destined for the untrusted network. You can configure the inbound and outbound SAs individually, or use the “any” attribute to create both SAs with a single command.

Encryption behavior depends on the ETEP’s mode of operation, as summarized in Table 36. When the ETEP is configured for Layer 2 operation, you must use aes256-cbc and sha1-96-hmac as the encryption and authentication algorithms. When the ETEP is configured for Layer 3 operation, 3des-cbc and md5-96-hmac are also accepted as valid encryption and authentication algorithms.

Table 36: Encryption behavior at Layer 2 and Layer 3

Mode of Operation   Valid Algorithms                                  Mode
Layer 2             aes256-cbc, sha1-96-hmac                          Transport mode
Layer 3             aes256-cbc, 3des-cbc, sha1-96-hmac, md5-96-hmac   Tunnel mode

Encryption policies use ESP to provide encryption and authentication. When the ETEP is configured for Layer 2 operation, it encapsulates the packet payload and leaves the original Ethernet header in the clear (transport mode). When configured for Layer 3 operation, the ETEP operates in tunnel mode, protecting the entire IP packet including the IP header.

Figure 11: Inbound and outbound SAs in a manual key policy

To define a manual key encryption policy:

1 Enter local-site policy configuration mode.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy>
2 Add a policy name, if you haven’t already done so (see “Assigning Policy Names” on page 66).
  policy-add <name>
3 Enter policy-config mode. As part of the command you will need to enter the name of a policy that has been added.
  policy-config <name>
4 Set the policy-action command to “protect” to indicate that this is an encryption policy.
  policy-action protect
5 Configure the policy selectors, which define the traffic that the policy acts on. You can configure a policy with either a Layer 2 selector or a Layer 3 selector, but not both. Layer 2 selectors are valid only when the ETEP is configured for Layer 2 operation. Layer 3 selectors can be used when the ETEP is in Layer 2 or Layer 3 mode. See Table 37 for a description of the command parameters.
  policy-layer2-selector {<ethertype> | any} {<vlan-id> | any}
  policy-selector <remote-ip> <local-ip> [<protocol> <remote-port> <local-port>]
6 Configure the SAs. Each policy requires an inbound and an outbound SA. You can configure the inbound and outbound SAs individually, or use the “any” attribute to create both SAs from a single command. See Table 37 for a description of the command parameters.
  policy-manual-key {in | out | any} <spi> <encryptionAlgorithm> <authenticationAlgorithm>
7 Assign a unique priority to the policy. Policies are enforced in descending order, with the highest priority policy processed first. Each policy must have a unique priority. Valid values are 65001-65500.
  policy-priority <priority>
After configuring your policies, the next steps are to review the pending changes, back up the policy file, and then deploy the policies. See “Policy Deployment” on page 72 to learn how.

Table 37: Manual key policy commands

policy-layer2-selector {<ethertype> | any} {<vlan-id> | any}
  Configures Layer 2 selectors. This command is valid only when the ETEP is configured for Layer 2 operation.
  Ethertype: The Ethertype can be entered as a hexadecimal or decimal value. Hexadecimal values must be preceded by 0x. Enter “any” to accept any Ethertype.
  VLAN ID {<vlan-id> | any}: Enter a VLAN ID in the range of 1–4094, or enter “any” to accept any VLAN ID.

policy-selector <remote-ip> <local-ip> [<protocol> <remote-port> <local-port>]
  Configures Layer 3 selectors. The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port).
  remote-ip: IPv4 address and prefix or subnet mask of the endpoint on the far side of the untrusted network. The ETEP accepts a CIDR prefix or dot-decimal subnet mask. The default is 0.0.0.0/0, which means “process all packets” coming from any address.
  local-ip: IPv4 address and prefix or subnet mask of the local endpoint. The ETEP accepts a CIDR prefix or dot-decimal subnet mask. The default is 0.0.0.0/0, “process all packets.”
  Protocol: A decimal value that identifies the IP layer protocol. “Any” accepts all protocols. Range is 1-254.
  Remote and local ports: A decimal value that identifies the transport layer protocol port number for the remote or local endpoint. “Any” means “accept all.” Range is 1-65535.

policy-manual-key {in | out | any} <spi> <encryptionAlgorithm> <authenticationAlgorithm>
  direction {in | out | any}: Specifies the direction of the SA. The any attribute creates both the inbound and the outbound SA from a single command.
  spi: Each SA must have a unique SPI. The SPI is a decimal value between 256 and 4096.
  encryptionAlgorithm {3des-cbc | aes256-cbc}: When the ETEP is configured for Layer 2 operation you must use aes256-cbc.
  authenticationAlgorithm {md5-96-hmac | sha1-96-hmac}: When the ETEP is configured for Layer 2 operation you must use sha1-96-hmac.
  encryptionKey: Hexadecimal number with the appropriate length for the selected algorithm. Key lengths are listed in Table 38. When in FIPS mode, you have to enter the encryption and authentication keys twice.
  authenticationKey: Hexadecimal number with the appropriate length for the selected algorithm. Key lengths are listed in Table 38. When in FIPS mode, you have to enter the encryption and authentication keys twice.

Table 38: Key lengths

Encryption algorithm   Encryption key length (characters)   Authentication algorithm   Authentication key length (characters)
3des-cbc               48                                   md5-96-hmac                32
aes256-cbc             64                                   sha1-96-hmac               40
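The following Python checker is an added example for this page (not ETEP software): it validates the arguments of a policy-manual-key command against Tables 36, 37 and 38 before they are typed into the appliance, so a Layer 2 ETEP is not handed 3des-cbc, an SPI outside 256-4096, or a key of the wrong length. The key lengths in Table 38 are hexadecimal characters, two per byte, which is why aes256-cbc needs 64 characters for a 32-byte key and sha1-96-hmac needs 40 for a 20-byte key. The sample keys are the demonstration values from the guide's own example; the function and variable names are this example's own.

```python
import re

# Added example, not part of the ETEP CLI guide. Checks the arguments of a
# policy-manual-key command against the rules in Tables 36-38 before they
# are typed into the appliance. Sample keys come from the guide's own
# example; everything else is constructed for the demonstration.

# Table 38: key length in hexadecimal characters. Two hex characters encode
# one byte, so these are 24-byte 3DES and 32-byte AES-256 keys, and 16-byte
# (MD5) and 20-byte (SHA-1) HMAC keys.
ENC_KEY_HEX = {"3des-cbc": 48, "aes256-cbc": 64}
AUTH_KEY_HEX = {"md5-96-hmac": 32, "sha1-96-hmac": 40}

# Table 36: algorithms accepted in each mode of operation.
ALLOWED = {
    2: ({"aes256-cbc"}, {"sha1-96-hmac"}),
    3: ({"aes256-cbc", "3des-cbc"}, {"sha1-96-hmac", "md5-96-hmac"}),
}
DIRECTIONS = ("in", "out", "any")
SPI_MIN, SPI_MAX = 256, 4096
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def _check_key(label, key, expected_len):
    if expected_len is None:          # the algorithm itself was rejected
        return []
    if not HEX_RE.match(key):
        return [f"{label} key must be a hexadecimal number"]
    if len(key) != expected_len:
        return [f"{label} key must be {expected_len} hex characters, got {len(key)}"]
    return []


def check_manual_key(layer, direction, spi, enc_alg, auth_alg, enc_key, auth_key):
    """Return the list of rule violations for one policy-manual-key command;
    an empty list means the command satisfies Tables 36-38 for that layer."""
    if layer not in ALLOWED:
        return ["layer must be 2 or 3"]
    problems = []
    if direction not in DIRECTIONS:
        problems.append("direction must be in, out or any")
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"spi must be {SPI_MIN}-{SPI_MAX}")
    enc_ok, auth_ok = ALLOWED[layer]
    if enc_alg not in ENC_KEY_HEX:
        problems.append(f"unknown encryption algorithm {enc_alg}")
    elif enc_alg not in enc_ok:
        problems.append(f"{enc_alg} is not accepted in Layer {layer} operation")
    if auth_alg not in AUTH_KEY_HEX:
        problems.append(f"unknown authentication algorithm {auth_alg}")
    elif auth_alg not in auth_ok:
        problems.append(f"{auth_alg} is not accepted in Layer {layer} operation")
    problems += _check_key("encryption", enc_key, ENC_KEY_HEX.get(enc_alg))
    problems += _check_key("authentication", auth_key, AUTH_KEY_HEX.get(auth_alg))
    return problems


def sas_created(direction):
    """'any' creates both SAs from one command; 'in' or 'out' creates one."""
    return ["in", "out"] if direction == "any" else [direction]


def missing_sas(directions):
    """Directions a protect policy still lacks, given the policy-manual-key
    commands entered so far (each policy needs an inbound and outbound SA)."""
    have = {d for direction in directions for d in sas_created(direction)}
    return sorted({"in", "out"} - have)


# Keys from the guide's Layer 2 example (demonstration values, not real keys).
EXAMPLE_ENC_KEY = "1234567890123456789012345678901212345678901234567890123456789012"
EXAMPLE_AUTH_KEY = "1234567890123456789012345678901234567890"


def demo():
    """The guide's Layer 2 example: any 1002 aes256-cbc sha1-96-hmac."""
    return check_manual_key(2, "any", 1002, "aes256-cbc", "sha1-96-hmac",
                            EXAMPLE_ENC_KEY, EXAMPLE_AUTH_KEY)
```

Because the keys must be entered identically on each peer, running the same checker on the values prepared for the remote ETEP catches a mistyped key length before the tunnel silently fails to pass traffic.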
Related topics:
● “Policy Deployment” on page 72
● “policy-mode” on page 176
Example

The following example defines a Layer 2 manual key policy to encrypt traffic with VLAN ID 10. The policy-manual-key command uses the “any” attribute to create bidirectional SAs. The encryption and authentication keys are shown in the example below for demonstration purposes. When you enter keys in the ETEP, they are hidden after you press ENTER.

  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-add EncryptPolicy
  local-site-policy> policy-config EncryptPolicy
  policy-config> policy-action protect
  policy-config> policy-layer2-selector any 10
  policy-config> policy-manual-key any 1002 aes256-cbc sha1-96-hmac
  Please enter 64 character hexadecimal number for encryption key:
  1234567890123456789012345678901212345678901234567890123456789012
  Please enter 40 character hexadecimal number for authentication key:
  1234567890123456789012345678901234567890
  policy-config> policy-priority 65400
Policy Deployment

We recommend taking the following steps when deploying local-site policies:

● Review the active policies and pending changes.
● Make a backup copy of the active policies running on the ETEP.
● Deploy the new policy set to the ETEP.

Viewing the Local Site Policy Set

The show-policy-set command lists the deployed and pending local-site policies. Status indicators are listed in Table 39.

Table 39: show-policy-set status indicators

Status Indicator   Description
*                  Deployed
--                 Pending
+                  Edit session open for deployed policy

For manual key policies, the parameters are associated with an inbound or outbound SA. The keys are wrapped to obscure the values entered by the user.
To view the policies:

1 From the local-site-policy> prompt, type show-policy-set.

Figure 12: The show-policy-set command lists the active and pending policies
Making a Backup Copy of the Local Site Policy Set

Before making any changes to the local-site policies, it is a good practice to make a backup copy of the active policies. If you want to return to the last known good set of policies after making some changes, you can easily restore from the backup file. This backup procedure applies only to local-site policies. The backup file persists through a power cycle.

To create a backup copy of the active policies:

1 From the local-site-policy> prompt, type backup-policy-set and press ENTER.

Related topics:
● “Viewing the Local Site Policy Set” on page 72
● “Restoring the Local Site Policy Set” on page 75
Deploying Local Site Policies

The deploy-policy-set command makes the pending local-site policies active on the ETEP. Prior to deploying policies, we recommend that you review the pending policies to make sure they are configured correctly. Pay particular attention to policy priorities and selectors. Use the show-policy-set command to view the active and pending policies. If you find that the deployed policies are not executing as expected, you can restore the backup policies to revert to the previously executing set of policies. Deployed policies persist through a power cycle.

To deploy local-site policies to the ETEP:

1 From the local-site-policy> prompt, type deploy-policy-set and press ENTER.

Related topics:
● “Viewing the Local Site Policy Set” on page 72
Managing Local Site Policies

This section describes how to manage the local-site policies on the ETEP. Tasks include:

● “Modifying a Local Site Policy” on page 74
● “Deleting a Local Site Policy” on page 74
● “Restoring the Local Site Policy Set” on page 75
Modifying a Local Site Policy

You can modify a policy by entering policy-config mode using the name of the policy that you want to change, and issuing the relevant commands with new settings. It’s a good idea to make a backup copy of the active policies prior to making any changes. It’s also good practice to issue the show-policy-set command to review the pending changes prior to deployment.

Related topics:
● “Viewing the Local Site Policy Set” on page 72
● “Making a Backup Copy of the Local Site Policy Set” on page 73
● “Deploying Management Policies” on page 92
Deleting a Local Site Policy

To delete a local-site policy, first issue the policy-delete command using the name of the policy that you want to remove, and then deploy the policy set. The targeted policy continues to run on the ETEP until the policy set is deployed. You may want to create a backup copy of the active policies prior to making any changes to the policy set.

To delete a policy:

1 From the local-site-policy> prompt, enter the policy-delete command for the policy that you wish to delete.
  policy-delete <name>
2 Deploy the policy set for the changes to take effect on the ETEP.
  deploy-policy-set

Related topics:
● “Viewing the Local Site Policy Set” on page 72
● “Deploying Management Policies” on page 92
Clearing the Local Site Policy Set

The clear-policy-set command clears the specified local-site policy files, returning them to the factory state. Clearing the current policies removes all active policies that are running on the ETEP, pending policies, and the backup copy of the policy set. The edit and backup options remove only the pending policies or the backup policy set, respectively. These options do not affect the active, deployed policies.

To clear the policy set:

1 From the local-site-policy> prompt, enter the clear-policy-set command (see Table 40).
  clear-policy-set {edit | backup | current}
2 At the confirmation prompt, type yes to continue, or press any key to cancel.

Table 40: clear-policy-set description

Attribute   Description
edit        Clears the edit session. Pending policy changes are removed.
backup      Clears the backup copy of the policy set.
current     Clears the active policies that are running on the ETEP, pending policies, and the backup policy set. This is the default setting.

Related topics:
● “clear-policies” on page 133

Example

The following example removes all deployed, pending, and backup local-site policies from the ETEP.

  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> clear-policy-set current
Restoring the Local Site Policy Set

The restore-policy-set command deploys the backup copy of the policy set. The backup copy of the policy set is retained after a restore operation. A subsequent backup overwrites the previous backup copy of the policy set.

To restore the backup file:

1 From the local-site-policy> prompt, type restore-policy-set and press ENTER.

Related topic:
● “Making a Backup Copy of the Local Site Policy Set” on page 73
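The following Python class is an added example for this page, not ETEP software: it models the three local-site policy files that the deployment commands in this section act on (the active set, the pending edit session and the backup copy) together with the show-policy-set status indicators of Table 39 and the clear-policy-set options of Table 40, so the effect of backup-policy-set, deploy-policy-set, restore-policy-set and clear-policy-set can be traced step by step before touching an appliance. Policy contents are plain dicts constructed here. One assumption is made where the guide is silent: a policy that has been deleted but not yet deployed is still listed as deployed (*), since it continues to run until the policy set is deployed.

```python
import copy

# Added example, not part of the ETEP CLI guide. A small model of the three
# local-site policy files the deployment commands act on (active, pending
# edit session, backup) and of the show-policy-set status indicators in
# Table 39. Policy contents are plain dicts constructed here.
# Assumption: a policy marked for deletion but not yet deployed is still
# listed as deployed ("*"), because it keeps running until deployment.


class LocalSitePolicySet:
    DEPLOYED, PENDING, EDITING = "*", "--", "+"   # Table 39

    def __init__(self):
        self.active = {}      # deployed policies, running on the ETEP
        self.pending = {}     # edit session: added or changed, not yet deployed
        self.deleted = set()  # policy-delete issued, not yet deployed
        self.backup = None    # copy taken by backup-policy-set; None if none

    def policy_add(self, name, **settings):
        self.pending[name] = dict(settings)

    def policy_config(self, name, **settings):
        """Edit a policy: changes are staged, the deployed copy keeps running."""
        base = self.pending.get(name, self.active.get(name))
        if base is None:
            raise KeyError(f"policy {name} has not been added")
        self.pending[name] = {**base, **settings}

    def policy_delete(self, name):
        self.pending.pop(name, None)
        if name in self.active:
            self.deleted.add(name)

    def show_policy_set(self):
        """Status indicator per policy name, as show-policy-set lists them."""
        status = {}
        for name in self.active:
            status[name] = self.EDITING if name in self.pending else self.DEPLOYED
        for name in self.pending:
            status.setdefault(name, self.PENDING)
        return status

    def backup_policy_set(self):
        self.backup = copy.deepcopy(self.active)

    def deploy_policy_set(self):
        for name in self.deleted:
            self.active.pop(name, None)
        self.active.update(copy.deepcopy(self.pending))
        self.pending.clear()
        self.deleted.clear()

    def restore_policy_set(self):
        """Deploy the backup copy; the backup itself is retained."""
        if self.backup is None:
            raise RuntimeError("no backup policy set to restore")
        self.active = copy.deepcopy(self.backup)
        self.pending.clear()
        self.deleted.clear()

    def clear_policy_set(self, which="current"):
        """Table 40: edit and backup leave the active policies alone;
        current (the default) removes the active, pending and backup sets."""
        if which == "edit":
            self.pending.clear()
            self.deleted.clear()
        elif which == "backup":
            self.backup = None
        elif which == "current":
            self.active.clear()
            self.pending.clear()
            self.deleted.clear()
            self.backup = None
        else:
            raise ValueError("clear-policy-set takes edit, backup or current")


def demo():
    """Recommended workflow: review, back up, deploy; then an unwanted edit
    is undone with restore-policy-set. Returns the status after each step."""
    ps = LocalSitePolicySet()
    trace = []
    ps.policy_add("BypassOSPF", action="bypass", protocol=89, priority=65500)
    trace.append(ps.show_policy_set())                 # {"BypassOSPF": "--"}
    ps.deploy_policy_set()
    trace.append(ps.show_policy_set())                 # {"BypassOSPF": "*"}
    ps.backup_policy_set()
    ps.policy_config("BypassOSPF", priority=65001)     # edit session on a deployed policy
    trace.append(ps.show_policy_set())                 # {"BypassOSPF": "+"}
    ps.deploy_policy_set()
    ps.restore_policy_set()                            # back to the known good set
    trace.append(ps.active["BypassOSPF"]["priority"])  # 65500
    return trace
```

The model makes the guide's two cautions concrete: clear-policy-set with the default current argument wipes the backup as well as the active and pending sets, so a backup taken before the clear cannot be restored afterwards, and a restore does not consume the backup copy.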
Policy Examples

The examples in this section are based on Figure 13. The examples show the policies configured on ETEP 1. For each example, a complementary policy would need to be added on each of the peers.

● The first example creates a bypass policy for a Layer 3 routing protocol.
● The second example encrypts traffic based on a Layer 2 Ethertype.

Figure 13: Layer 2 network with in-line management

Bypass Policy for Routing Protocols

This example creates a bypass policy on ETEP 1. ETEP 1 is deployed in a Layer 2 network. The network is protected with a Layer 2 mesh policy that encrypts all traffic. The Layer 2 mesh policy was created and managed using EncrypTight.

The policy is named BypassOSPF. It is designed to pass a Layer 3 routing protocol (OSPF) in the clear. The protocol number for OSPF is 89. The BypassOSPF policy uses wild-carded addresses, meaning that it applies to traffic from any source and to any destination.

The first command in the example makes a backup copy of the existing policy set. After defining the policy, the commands used to view the pending policy and deploy the new policy are shown.

  local-site-policy> backup-policy-set
  local-site-policy> policy-add BypassOSPF
  local-site-policy> policy-config BypassOSPF
  policy-config> policy-action bypass
  policy-config> policy-selector 0.0.0.0/0 0.0.0.0/0 89 any any
  policy-config> policy-priority 65500
  policy-config> exit
  local-site-policy> show-policy-set
  local-site-policy> deploy-policy-set
Encryption Policy for Layer 2 Ethertype

This example creates an encryption policy on ETEP 1, which is configured for Layer 2 operation. The policy uses Layer 2 selectors to encrypt Ethertype 0x0806 (ARP). The policy-manual-key command uses the “any” attribute to create bidirectional SAs. The keys are shown in the example below for demonstration purposes. When entering keys on the ETEP, the keys are hidden on the terminal after you press ENTER.

The first command in the example makes a backup copy of the existing policy set. After defining the policy, the commands used to view the pending policy and deploy the new policy are shown.

  local-site-policy> backup-policy-set
  local-site-policy> policy-add EncryptARP
  local-site-policy> policy-config EncryptARP
  policy-config> policy-action protect
  policy-config> policy-layer2-selector 0x0806 any
  policy-config> policy-manual-key any 1002 aes256-cbc sha1-96-hmac
  Please enter 64 character hexadecimal number for encryption key:
  1234567890123456789012345678901212345678901234567890123456789012
  Please enter 40 character hexadecimal number for authentication key:
  1234567890123456789012345678901234567890
  policy-config> policy-priority 65400
  policy-config> exit
  local-site-policy> show-policy-set
  local-site-policy> deploy-policy-set
Securing Management Port Traffic with IPsec

Most management port communications are secured using SSH and TLS. If you wish, you can create IPsec policies on the management port to provide security for traffic that is not protected by SSH and TLS, such as FTP traffic, SNMP traffic, and the NTP protocol.

To minimize the impact on management traffic, we recommend creating IPsec policies to protect specific IP addresses and ports. These specific filters protect targeted traffic, such as NTP messages between the management port and a time server, without affecting other management traffic. The ETEP Installation Guide lists the protocols and ports that are used by the ETEPs and the EncrypTight system. Make sure that your IPsec policies allow for the protocols that are required for your deployment.

The IPsec implementation on the ETEP management port is summarized below:

● The ETEP supports IKE negotiated policies and manual key policies, although not simultaneously. You must use the same keying method for all management port policies.
● The IKE authentication method is preshared keys.
● The IPsec mode is transport mode.
● This IPsec implementation processes IPv4 and IPv6 traffic.
● Dead peer detection (DPD) is supported. It is not user-configurable.
● When the ETEP is configured for Layer 2 point-to-point operation, the management port IKE server is shut down, which prevents IKE SAs from being negotiated on the management port. Use manual key policies to encrypt management port traffic when operating in this mode.
Task Overview

Securing a communication channel between the ETEP and another device requires you to perform configuration tasks on the ETEP and on the other device. The procedures in this chapter describe how to configure the management port policies on the ETEP. To learn how to use IPsec client software to create companion policies and initiate connections to the ETEP, see the documentation for your IPsec client.

IPsec Client Task Summary

To secure management port communications through an IPsec tunnel you must have an IPsec client installed on the management workstation or server that is providing the desired service. You can have more than one device acting as a peer to the management port, for example a management station, NTP server, or EncrypTight ETKMS. After you have installed an IPsec client on the devices that will be communicating with the ETEP, you will need to:

● Configure IPsec policies on the ETEP management port (see “ETEP Task Summary” on page 78).
● Configure the IPsec client. See your IPsec client documentation to learn how to configure a companion policy that will work with the ETEP settings.
● From the IPsec client, initiate a secure connection to the ETEP.

ETEP Task Summary

Creating and deploying IPsec policies on the ETEP management port consists of the following high-level tasks.

1 “Configuring Global Settings for IKE Negotiations” on page 79. IKE parameters define the IKE SA (Phase 1) and IPsec SA (Phase 2) negotiation settings used in IKE encryption policies. These are global settings that are applied to all IKE encryption policies that are configured on the management port. Review the default settings and change them if you wish. These settings apply only to IKE encryption policies. They are not used in discard, bypass, or manual key policies.
2 “Policy Configuration” on page 82. Policies define which traffic to act on, the action to perform on the selected traffic (pass in the clear, encrypt, or discard), and the endpoints of the IPsec tunnel. The ETEP supports IKE and manual key encryption policies on the management port.
3 “Deploying Policies” on page 90. Pending policies become active on the ETEP only after you deploy them.
Configuring Global Settings for IKE Negotiations

All IKE encryption policies on the ETEP management port use the same set of IKE parameters. The default IKE parameter settings are shown in Table 41 and Table 42. To enhance security, you may want to change the preshared key from its default value.

Table 41: IKE SA negotiation parameters (Phase 1)

Parameter                Default
Preshared key value      01234567
SA lifetime in seconds   86,400
Diffie-Hellman groups    2

Table 42: IPsec SA negotiation parameters (Phase 2)

Parameter                              Default
SA lifetime in seconds                 28,800
Perfect forward secrecy (PFS) groups   2
The following IKE SA and IPsec SA settings are either hardcoded or configured on a per-policy basis:

● Authentication method is always preshared key. Certificates are not supported in this release of ETEP software.
● Negotiation mode is Main mode.
● Encryption and authentication algorithms are not configurable for IKE Phase 1. The ETEP uses the Phase 2 algorithms in Phase 1 negotiations. Phase 2 algorithms are configured on a per-policy basis. See “Configuring an IKE Encryption Policy” on page 84 for more information about selecting Phase 2 algorithms.

Related topics:
● “Changing the IKE Parameters” on page 79
● “Viewing the Current IKE Parameter Settings” on page 81
● “Configuring an IKE Encryption Policy” on page 84
Changing the IKE Parameters

Before modifying the IKE parameters, you may want to view the current settings using the show-ike-params command. After making any changes to the IKE parameters, there are two ways to apply the changes to the ETEP:

● Restart the IKE server, which changes the IKE parameters without deploying policies. You may choose to do this when changing the preshared keys used in IKE negotiations.
● Deploy policies, which restarts the IKE server and updates the policy databases (SAD and SPD).

Restarting the IKE server tears down existing IKE connections and updates the keys. Traffic is dropped until the new Phase 1 SAs are established.
To change the IKE parameters:

1 Enter ike-params-set configuration mode.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set>
2 Configure the IKE SA commands, if desired. See Table 43 for a description of the command options.
  ike-sa-presharedkey <key>
  ike-sa-lifetime <seconds>
  ike-sa-dh-group {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
3 Configure the IPsec SA commands, if desired. See Table 44 for a description of the command options.
  ipsec-sa-lifetime <seconds>
  ipsec-sa-pfs {none | 1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
4 Restart the IKE server to apply the changes to the ETEP.
  restart-ike
Table 43: IKE SA commands (Phase 1)

ike-sa-presharedkey <key>
  We recommend that you change the key from its default value prior to deploying the ETEP. The identical key value must be entered in the ETEP and its peer. Note the following conventions when creating a preshared key:
  • The key is a case-sensitive alphanumeric string from 1-255 characters in length. A minimum of 8 characters is recommended.
  • Upper and lower case alpha characters, and numbers 0-9 are allowed.
  • The following special characters are not allowed: # & ( ) | " ; < > ?
  The default key value is 01234567.

ike-sa-lifetime <seconds>
  The interval after which an SA must be replaced with a new SA or terminated. Longer lifetimes require less frequent renegotiations and result in fewer dropped packets. The lifetime is specified in seconds. Valid values are 3600–31536000. The default lifetime is 86400 seconds (1 day).

ike-sa-dh-group {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
  The Diffie-Hellman group ID defines the strength supplied to the Diffie-Hellman calculation for the later creation of keys by the peers. Group 1 is the least secure and least computationally demanding. Group 18 provides the highest level of security and also involves the most processing. The default DH group ID is 2.
Table 44: IPsec SA commands (Phase 2)

ipsec-sa-lifetime <seconds>
  The time interval after which an SA must be replaced with a new SA or terminated. The lifetime is specified in seconds. Valid values are 3600–31536000. The default lifetime is 28800 seconds (8 hours).

ipsec-sa-pfs {none | 1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
  With perfect forward secrecy (PFS), every time encryption or authentication keys are computed, a new Diffie-Hellman key exchange is included. Group 1 is the least secure and least computationally demanding. Group 18 provides the highest level of security and also involves the most processing. Setting the value to none disables PFS. The default is 2.
Example

This example sets the preshared key to M1$har3dK3y and the IKE SA lifetime to 43200, and then restarts the IKE server to apply the changes.

  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set> ike-sa-presharedkey M1$har3dK3y
  ike-params-set> ike-sa-lifetime 43200
  ike-params-set> restart-ike
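The following Python script is an added example for this page, not ETEP software. It parses the ike-params-set commands out of a pasted CLI session (the guide's own example above is embedded as the sample) and checks the resulting values against Tables 43 and 44, flagging what an operator would want to revisit before deploying management port IKE policies: the factory preshared key left in place, a key shorter than the recommended 8 characters, forbidden characters, lifetimes or group IDs outside the valid ranges, and PFS switched off. One assumption is made where the table is ambiguous: any character outside the listed forbidden set is accepted in a preshared key, which is consistent with the example key containing "$". The function and variable names are this example's own.

```python
# Added example, not part of the ETEP CLI guide. Parses the ike-params-set
# commands from a CLI session and checks the values against Tables 43 and
# 44. The session text is the guide's own example; other inputs are
# constructed. Assumption: any character outside the listed forbidden set
# is accepted in a preshared key (the guide's own example key contains "$").

DEFAULTS = {"ike-sa-presharedkey": "01234567", "ike-sa-lifetime": 86400,
            "ike-sa-dh-group": 2, "ipsec-sa-lifetime": 28800, "ipsec-sa-pfs": 2}
FORBIDDEN = set('#&()|";<>?')            # Table 43, preshared key
DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18}
LIFETIME_MIN, LIFETIME_MAX = 3600, 31536000
INT_PARAMS = ("ike-sa-lifetime", "ike-sa-dh-group", "ipsec-sa-lifetime")


def parse_ike_params_set(session):
    """Extract ike-params-set values from pasted CLI lines such as
    'ike-params-set> ike-sa-lifetime 43200'. Prompts are stripped; other
    commands (configure, restart-ike, mode changes) are ignored."""
    params = {}
    for raw in session.splitlines():
        line = raw.split("> ", 1)[1] if "> " in raw else raw
        cmd, _, value = line.strip().partition(" ")
        if cmd == "ike-sa-presharedkey":
            params[cmd] = value
        elif cmd in INT_PARAMS:
            params[cmd] = int(value)
        elif cmd == "ipsec-sa-pfs":
            params[cmd] = value if value == "none" else int(value)
    return params


def check_preshared_key(key):
    problems = []
    if not 1 <= len(key) <= 255:
        problems.append("error: preshared key must be 1-255 characters")
    bad = sorted(FORBIDDEN & set(key))
    if bad:
        problems.append("error: preshared key contains forbidden characters: " + "".join(bad))
    if key == DEFAULTS["ike-sa-presharedkey"]:
        problems.append("warning: preshared key is still the factory default")
    elif len(key) < 8:
        problems.append("warning: preshared key is shorter than the recommended 8 characters")
    return problems


def check_ike_params(params):
    """params: values from parse_ike_params_set; unset parameters keep their
    Table 41/42 defaults, as they would on the ETEP."""
    cfg = {**DEFAULTS, **params}
    problems = check_preshared_key(cfg["ike-sa-presharedkey"])
    for name in ("ike-sa-lifetime", "ipsec-sa-lifetime"):
        if not LIFETIME_MIN <= cfg[name] <= LIFETIME_MAX:
            problems.append(f"error: {name} must be {LIFETIME_MIN}-{LIFETIME_MAX} seconds")
    if cfg["ike-sa-dh-group"] not in DH_GROUPS:
        problems.append("error: ike-sa-dh-group must be one of 1, 2, 5, 14-18")
    pfs = cfg["ipsec-sa-pfs"]
    if pfs == "none":
        problems.append("warning: PFS disabled; Phase 2 keys are computed without a fresh Diffie-Hellman exchange")
    elif pfs not in DH_GROUPS:
        problems.append("error: ipsec-sa-pfs must be none or one of 1, 2, 5, 14-18")
    return problems


# The guide's example session (the key shown there is a demonstration value).
EXAMPLE_SESSION = """\
admin> configure
config> management-interface
man-if> ipsec-config
ipsec-config> ike-params-set
ike-params-set> ike-sa-presharedkey M1$har3dK3y
ike-params-set> ike-sa-lifetime 43200
ike-params-set> restart-ike
"""


def demo():
    """Parse and check the guide's example: the key is changed from the
    default, long enough and free of forbidden characters, so no findings."""
    return check_ike_params(parse_ike_params_set(EXAMPLE_SESSION))
```

Feeding the checker an empty parameter set reproduces the factory state and returns only the default-key warning, which is the finding the sentence “you may want to change the preshared key from its default value” is pointing at.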
Viewing the Current IKE Parameter Settings

The show-ike-params command lists the saved and active IKE negotiation parameters, as shown in Figure 14. The active settings are those that are running on the ETEP. The saved settings are parameters that have been edited, but not yet applied on the ETEP. To apply the saved settings, issue the restart-ike command.

To view the IKE parameters:

1 Enter ipsec-config mode.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config>
2 Enter the show command.
  show-ike-params
Creating Policies
Figure 14  show-ike-params command output
Policy Configuration

For any policy, you need to decide the following:

● Policy name: uniquely identifies the policy on the ETEP.

● Policy action: bypass, discard, or protect.

  Protect policy
  In a protect policy, the ETEP encrypts the traffic that matches the policy selectors. You can use IKE or manual keys to generate the keys for a protect policy.

  Bypass policy
  In a bypass policy, packets pass through the ETEP without security processing being applied. Packets are passed in the clear and forwarded to their destination. You might use a bypass policy to pass unencrypted protocol-specific messaging packets such as ICMP or TLS, router-to-router messages, or packets from certain types of applications.

  Discard policy
  A discard policy instructs the ETEP to throw away specified packets. You might use a discard policy to throw away packets from a particular source, or any packets that don’t match your other policies.

● Policy keying: for encryption policies, the ETEP supports IKE negotiated policies and manual key policies on the management port. IKE policies use the IKE parameters that are described in “Configuring Global Settings for IKE Negotiations” on page 79. The keying method is automated, and keys are refreshed at designated intervals. Manually keyed policies use keys that the user enters. These keys are static and are refreshed only when the policy is updated. All management port encryption policies deployed on the ETEP must use the same keying method; you cannot deploy a mix of IKE and manual key policies.

● Policy selectors: IPsec selectors are essentially traffic filters. Management policies are usually granular policies that filter traffic based on specific IP addresses, protocol types, or source and destination ports. The local IP address selector is typically the ETEP’s management port IP address.

● Policy priority: the policy priority specifies the order in which policies are processed on the ETEP. For each incoming packet the ETEP searches the list of policies, starting with the policy that has the highest priority, until it finds a match. When it finds a match, the ETEP processes the packet according to the settings in that policy and stops searching.

  When you add a new policy, the ETEP automatically assigns it a priority. To avoid duplicate priorities, it starts one below the highest priority it finds and steps down past any value that is already in use. For example, if you have two policies with priorities of 65500 and 65499, the ETEP assigns priority 65498 to a new policy. If you have two policies with non-consecutive priorities, such as 62000 and 59000, a new policy is assigned 61999.

  In many cases you will want to override the default priority assignments to ensure that traffic is processed in the order you intend. As you create policies, carefully consider the priority that you choose. Incorrect prioritization can produce unexpected results. For example, policy A is a bypass policy for a specific destination network for any protocol and has the highest priority. Policy B is a protect policy for the same destination network with a particular protocol, but it has a lower priority. Because policy A has the higher priority, all traffic to that network passes in the clear and none of it is encrypted; the ETEP never reaches policy B. The general rule is that a policy with a narrower selector (a specific protocol, port, or host) needs a higher priority than the broader policy it is meant to override.

  It is a good practice to review the priorities of your policies prior to deploying them. Use the show-policy-set command to do this.

Related topics:
● “Assigning Policy Names” on page 83
● “Configuring an IKE Encryption Policy” on page 84
● “Configuring a Manual Key Encryption Policy” on page 86
● “Configuring a Bypass or Discard Policy on the Management Port” on page 89
● “Backing Up the Policy Set” on page 91
● “Modifying a Policy” on page 92
● “Deploying Management Policies” on page 92
Assigning Policy Names

Before you can perform any policy configuration, you must add a policy “container” and give it a name. The name is referenced in all subsequent policy configuration actions. Policy names must conform to the following conventions:

● Policy names can range from 1-32 characters.
● Valid characters are upper and lower case alpha characters (a-z), numeric characters (0-9), _ (underscore), and - (dash).
● Policy names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
● Policy names cannot contain a space.
● Names are case-sensitive. MyPolicy and mypolicy are two different policies, so the name given to policy-config must match the name used with policy-add exactly.

To add a policy:

1 Enter ipsec configuration mode.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config>

2 Add a policy and assign it a name.
    policy-add name

3 Repeat step 2 for each management policy that you want to add to the ETEP.

Example

The following example adds two policies. The first policy is named MyPolicy, and the second one is named TestPolicy.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> policy-add MyPolicy
    ipsec-config> policy-add TestPolicy
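As an added illustration (not ETEP code and not part of this guide), the following Python model implements the policy-name rules from this section and the priority behaviour described under “Policy priority”: automatic assignment on policy-add, explicit override with policy-priority, and highest-priority-first matching with the first match winning. It then reproduces the bypass-over-protect pitfall with constructed selectors and a constructed packet, and shows the lookup result before and after the priorities are corrected. The class, method and policy names are the example’s own, and the assumption that the first policy receives 65500 is also the example’s; the guide does not state the starting value.

```python
"""Toy model of the ETEP management-port policy set (added example, not ETEP code).

Implements the policy-name conventions, automatic priority assignment on
policy-add, and highest-priority-first matching. Names are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# 1-32 characters of [A-Za-z0-9_-]; the first must be a letter or underscore.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")
MIN_PRIORITY, MAX_PRIORITY = 1, 65500


def valid_policy_name(name: str) -> bool:
    """Policy-name conventions from "Assigning Policy Names" (case-sensitive)."""
    return NAME_RE.match(name) is not None


@dataclass(frozen=True)
class Selector:
    # policy-selector arguments, in the order the command takes them
    remote_ip: str = "0.0.0.0/0"
    local_ip: str = "0.0.0.0/0"
    protocol: str = "any"      # IP protocol number as a string, or "any"
    remote_port: str = "any"   # transport port as a string, or "any"
    local_port: str = "any"

    def matches(self, remote_ip, local_ip, protocol, remote_port, local_port) -> bool:
        def in_net(addr, cidr):
            return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

        def same(want, have):
            return want == "any" or int(want) == int(have)

        return (in_net(remote_ip, self.remote_ip) and in_net(local_ip, self.local_ip)
                and same(self.protocol, protocol) and same(self.remote_port, remote_port)
                and same(self.local_port, local_port))


@dataclass
class Policy:
    name: str
    priority: int
    action: str = "discard"                 # bypass | discard | protect
    selector: Selector = field(default_factory=Selector)


class PolicySet:
    def __init__(self):
        self.policies = {}

    def policy_add(self, name: str) -> int:
        """Add a policy container; return the priority the ETEP would assign it."""
        if not valid_policy_name(name):
            raise ValueError(f"invalid policy name {name!r}")
        if name in self.policies:               # exact, case-sensitive comparison
            raise ValueError(f"policy {name!r} already exists")
        used = {p.priority for p in self.policies.values()}
        # One below the highest priority in use, stepping down past values already
        # taken (65500, 65499 -> 65498; 62000, 59000 -> 61999). Giving the first
        # policy 65500 is this example's assumption; the guide does not say.
        candidate = (max(used) if used else MAX_PRIORITY + 1) - 1
        while candidate in used:
            candidate -= 1
        if candidate < MIN_PRIORITY:
            raise ValueError("no unused priority left")
        self.policies[name] = Policy(name=name, priority=candidate)
        return candidate

    def policy_priority(self, name: str, priority: int) -> None:
        """Override the assigned priority; every policy must keep a unique one."""
        if not MIN_PRIORITY <= priority <= MAX_PRIORITY:
            raise ValueError("priority must be 1-65500")
        if any(p.priority == priority and p.name != name for p in self.policies.values()):
            raise ValueError(f"priority {priority} is already used")
        self.policies[name].priority = priority

    def lookup(self, remote_ip, local_ip, protocol, remote_port, local_port):
        """Walk the policies from highest priority down; the first match decides."""
        for p in sorted(self.policies.values(), key=lambda p: p.priority, reverse=True):
            if p.selector.matches(remote_ip, local_ip, protocol, remote_port, local_port):
                return p
        return None


def misordered_example():
    """The guide's pitfall: a broad bypass outranking a narrower protect policy.
    Returns the action chosen for a constructed SSH packet before and after the fix."""
    ps = PolicySet()
    ps.policy_add("BypassMgmtNet")            # gets 65500: any protocol, whole /24
    ps.policies["BypassMgmtNet"].action = "bypass"
    ps.policies["BypassMgmtNet"].selector = Selector("192.0.2.0/24", "203.0.113.9/32")
    ps.policy_add("ProtectSSH")               # gets 65499: TCP/22 only, never reached
    ps.policies["ProtectSSH"].action = "protect"
    ps.policies["ProtectSSH"].selector = Selector("192.0.2.0/24", "203.0.113.9/32",
                                                  protocol="6", local_port="22")
    packet = ("192.0.2.124", "203.0.113.9", 6, 51000, 22)   # constructed sample packet
    before = ps.lookup(*packet).action
    ps.policy_priority("BypassMgmtNet", 64000)   # narrower policy now outranks the broad one
    after = ps.lookup(*packet).action
    return before, after
```

Calling misordered_example() returns ('bypass', 'protect'): with the broad bypass on top, the SSH packet is passed in the clear, and only after the bypass is moved below the protect policy does the lookup select encryption. The same walk is what you should do by hand over the output of show-policy-set before deploying.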
Configuring an IKE Encryption Policy

In an IKE encryption policy, a security association is negotiated using automatically generated keys (IKE). You must define the following:

● IP address of the peer at the opposite end of the secure tunnel
● Which traffic to protect (selectors)
● How to protect it (transform sets)

To define an IKE encryption policy:

1 Enter IPsec configuration mode.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config>

2 Add a policy name, if you haven’t already done so (see “Assigning Policy Names” on page 83).
    policy-add name

3 At the ipsec-config> prompt, enter policy-config mode. As part of the command you will need to enter the name of a policy that has been added.
    ipsec-config> policy-config name

4 Set the policy-action command to “protect” to indicate that this is an encryption policy.
    policy-action protect

5 Set the policy-keying command to “ike” for automatic key generation.
    policy-keying ike

6 Configure the policy-ike-peer command to identify the peer at the opposite end of the secure tunnel. Enter the peer’s remote port IP address in IPv4 or IPv6 format.
    policy-ike-peer address

7 Define the policy selectors, which determine which traffic the policy acts on. See Table 45 for a description of the command parameters. The ETEP accepts either IPv4 or IPv6 addresses in the selector, but not simultaneously. In a given selector, the address type must be consistent (either IPv4 or IPv6).
    policy-selector remote-ip local-ip protocol remote-port local-port

8 Define the IKE and IPsec transforms, which determine how to protect the selected traffic. In the current implementation, the proposal is limited to one encryption algorithm and one hash algorithm. See Table 45 for a description of the command parameters.
    policy-ike-ipsec transform encryption-algorithm authentication-algorithm

9 Assign a unique priority to the policy. Policies are enforced in descending order with the highest priority policy processed first. Each policy must have a unique priority. Valid values are 1-65500.
    policy-priority priority

After configuring your policies, the next steps are to review the pending changes, back up the policy file, and then deploy the policies. See “Deploying Policies” on page 90 to learn how.

Table 45  IKE encryption policy commands

policy-ike-peer
    The peer’s remote port IP address. This can be an IPv4 or IPv6 address.

policy-selector
    The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port).
    remote-ip    IPv4 or IPv6 address of the endpoint on the far side of the untrusted network in CIDR notation (IP address/prefix). The default is 0.0.0.0/0, which means “process all packets” coming from any address.
    local-ip    IPv4 or IPv6 address of the local endpoint in CIDR notation (IP address/prefix). This is typically the ETEP’s management port address. The default is 0.0.0.0/0, “process all packets.”
    protocol    A decimal value that identifies the IP layer protocol. “any” accepts all protocols. Range is 1-254.
    remote-port and local-port    A decimal value that identifies the transport layer port number for the remote or local endpoint. “any” means “accept all.” Range is 1-65535.

policy-ike-ipsec
    The defaults are esp (transform), 3des (encryption), hmac-sha1-96 (authentication). Only FIPS approved algorithms are allowed when the ETEP is operating in FIPS mode.
    Transform type {esp | ah}    AH provides data authentication. ESP provides encryption, authentication, and integrity.
    Encryption algorithm {3des | aes128-cbc | aes256-cbc | null}    The null option provides authentication without encryption. It is a valid option with AH or ESP.
    Authentication algorithm {hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 | hmac-sha2-384 | aes-xcbc-mac-96}
    The defaults, 3des and hmac-sha1-96, are legacy algorithms retained for interoperability (and hmac-md5-96 is weaker still). Where the peer supports them, choose an AES cipher and a SHA-2 HMAC, as the example below does.

Related topics:
● “Configuring Global Settings for IKE Negotiations” on page 79
● “Viewing the Policy Set” on page 91
● “Backing Up the Policy Set” on page 91
● “Deploying Management Policies” on page 92

Example

This example is an IKE encryption policy to encrypt all traffic between the ETEP management port and the management workstation. The ETEP management port IP address is 203.0.113.9 and the management workstation IP address is 192.0.2.124. Policy names are case-sensitive, so the name passed to policy-config must match the one given to policy-add exactly.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> policy-add MyIKEPolicy
    ipsec-config> policy-config MyIKEPolicy
    policy-config> policy-action protect
    policy-config> policy-keying ike
    policy-config> policy-ike-peer 192.0.2.124
    policy-config> policy-selector 192.0.2.124/32 203.0.113.9/32 any any any
    policy-config> policy-ike-ipsec esp aes256-cbc hmac-sha2-256
    policy-config> policy-priority 64000
Configuring a Manual Key Encryption Policy

In a manual key policy, the keys that secure the communication between peers are entered manually rather than being automatically generated as they are in an IKE policy. Manual key policies must be loaded on each of the two peers that form the secure tunnel endpoints, such as the ETEP and management workstation. The encryption and authentication keys must be entered identically on each peer.

Each IPsec connection consists of two security associations (SAs), one for inbound packets and one for outbound packets. In a manual key policy each SA is configured individually. An SA’s direction is relative to the untrusted network, as shown in Figure 15. Packets that are inbound to the ETEP come from the remote peer, in this case the management workstation. Outbound packets come from the local peer (the ETEP) and are destined for the untrusted network. When configuring manually keyed policies on the ETEP and remote peer, it is important to remember that the inbound SPI and keys on the ETEP are the outbound SPI and keys on the peer, and vice versa.

When defining an SA you manually enter more than just the keys. You also identify the traffic to protect (the selectors), and how to protect it (the transform set).

Figure 15  Inbound and outbound SAs in a manual key policy

To define a manual key encryption policy:

1 Enter IPsec configuration mode.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config>

2 Add a policy name, if you haven’t already done so (see “Assigning Policy Names” on page 83).
    policy-add name

3 At the ipsec-config> prompt, enter policy-config mode. As part of the command you will need to enter the name of a policy that has been added.
    ipsec-config> policy-config name

4 Set the policy-action command to “protect” to indicate that this is an encryption policy.
    policy-action protect

5 Set the policy-keying command for a manually keyed policy.
    policy-keying manual-key

6 Configure the policy selectors, which define the traffic that the policy acts on. See Table 46 for a description of the command parameters. The ETEP accepts either IPv4 or IPv6 addresses in the selector, but not simultaneously. In a given selector, the address type must be consistent (either IPv4 or IPv6).
    policy-selector remote-ip local-ip protocol remote-port local-port

7 Configure the inbound SA. See Table 46 for a description of the command parameters. The command prompts for the encryption key and the authentication key.
    policy-manual-key direction spi protocol encryptionAlgorithm authenticationAlgorithm

8 Configure the outbound SA using the policy-manual-key command. The direction and SPI must be different than in the inbound SA. The encryption and authentication algorithms and their associated keys can be the same.

9 Assign a unique priority to the policy. Policies are enforced in descending order with the highest priority policy processed first. Each policy must have a unique priority. Valid values are 1-65500.
    policy-priority priority

After configuring your policies, the next steps are to review the pending changes, back up the policy file, and then deploy the policies. See “Deploying Policies” on page 90 to learn how.

Table 46  Manual key policy commands

policy-selector
    The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port).
    remote-ip    IPv4 or IPv6 address of the endpoint on the far side of the untrusted network in CIDR notation (IP address/prefix). The default is 0.0.0.0/0, which means “process all packets” coming from any address.
    local-ip    IPv4 or IPv6 address of the local endpoint in CIDR notation (IP address/prefix). This is typically the ETEP’s management port address. The default is 0.0.0.0/0, “process all packets.”
    protocol    A decimal value that identifies the IP layer protocol. “any” accepts all protocols. Range is 1-254.
    remote-port and local-port    A decimal value that identifies the transport layer port number for the remote or local endpoint. “any” means “accept all.” Range is 1-65535.

policy-manual-key
    direction {out | in}    Specifies the direction of the SA. Each policy requires an inbound and an outbound SA.
    spi    Each SA must have a unique SPI. The SPI is a decimal value between 256 and 4096.
    protocol {esp | ah}    AH provides data authentication. ESP provides encryption and authentication.
    encryptionAlgorithm {3des-cbc | aes128-cbc | aes256-cbc}
    authenticationAlgorithm {md5-96-hmac | sha1-96-hmac | sha2-256-hmac | sha2-384-hmac | aes-xcbc-mac-96}
    encryptionKey    Hexadecimal number with the appropriate length according to the selected algorithm. Key lengths are listed in Table 47. When in FIPS mode, you have to enter the encryption and authentication keys twice.
    authenticationKey    Hexadecimal number with the appropriate length according to the selected algorithm. Key lengths are listed in Table 47. When in FIPS mode, you have to enter the encryption and authentication keys twice.

Table 47  Key lengths (in hexadecimal characters)

Encryption algorithm    Encryption key length
3des-cbc                48
aes128-cbc              32
aes256-cbc              64

Authentication algorithm    Authentication key length
md5-96-hmac                 32
sha1-96-hmac                40
sha2-256-hmac               64
sha2-384-hmac               96
aes-xcbc-mac-96             96

Related topics:
● “Viewing the Policy Set” on page 91
● “Backing Up the Policy Set” on page 91
● “Deploying Management Policies” on page 92

Example

The following example defines a manual key encryption policy between the ETEP (203.0.113.9) and a time server (198.51.100.20). The inbound and outbound SAs have unique SPIs, but use the same algorithms and keys. The key values shown are placeholders chosen to be easy to read; real keys must come from a cryptographically secure random source, and the same values must be entered on the time server with the directions reversed.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> policy-add MyManualKeyPolicy
    ipsec-config> policy-config MyManualKeyPolicy
    policy-config> policy-action protect
    policy-config> policy-keying manual-key
    policy-config> policy-selector 198.51.100.20/32 203.0.113.9/32 any any any
    policy-config> policy-manual-key in 1004 esp aes128-cbc sha1-96-hmac
    Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff
    Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321
    policy-config> policy-manual-key out 1003 esp aes128-cbc sha1-96-hmac
    Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff
    Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321
    policy-config> policy-priority 60000
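As an added example (not ETEP code and not part of this guide), the following Python script checks a pair of manual-key SAs against the rules in Table 46 and Table 47 before you type them into the CLI, produces the mirrored SA set that the remote peer must configure, and generates keys of the right length from the operating system’s random source. The SA values are the ones from the example above, with its placeholder keys; the key-length table is copied from Table 47 as printed, and the function and field names are the example’s own.

```python
"""Offline checker for an ETEP-style manual-key policy (added example, not ETEP code).

Encodes the constraints from Table 46 and Table 47 (direction, SPI range,
algorithm names, hexadecimal key lengths) and the mirroring rule: the ETEP's
inbound SA is the peer's outbound SA and vice versa.
"""
import secrets
import string

# Key lengths in hexadecimal characters, copied from Table 47.
ENC_KEY_CHARS = {"3des-cbc": 48, "aes128-cbc": 32, "aes256-cbc": 64}
AUTH_KEY_CHARS = {"md5-96-hmac": 32, "sha1-96-hmac": 40, "sha2-256-hmac": 64,
                  "sha2-384-hmac": 96, "aes-xcbc-mac-96": 96}
SPI_MIN, SPI_MAX = 256, 4096          # policy-manual-key accepts SPIs in this range
HEXDIGITS = set(string.hexdigits)


def _hex_of_length(value: str, length: int) -> bool:
    return len(value) == length and set(value) <= HEXDIGITS


def check_sa(sa: dict) -> list:
    """Problems with one SA as policy-manual-key would see it; [] means acceptable."""
    errors = []
    if sa["direction"] not in ("in", "out"):
        errors.append("direction must be in or out")
    if not SPI_MIN <= sa["spi"] <= SPI_MAX:
        errors.append(f"spi {sa['spi']} outside {SPI_MIN}-{SPI_MAX}")
    if sa["protocol"] not in ("esp", "ah"):
        errors.append("protocol must be esp or ah")
    enc, auth = sa["enc_alg"], sa["auth_alg"]
    if enc not in ENC_KEY_CHARS:
        errors.append(f"unknown encryption algorithm {enc}")
    elif not _hex_of_length(sa["enc_key"], ENC_KEY_CHARS[enc]):
        errors.append(f"{enc} needs a {ENC_KEY_CHARS[enc]}-character hexadecimal key")
    if auth not in AUTH_KEY_CHARS:
        errors.append(f"unknown authentication algorithm {auth}")
    elif not _hex_of_length(sa["auth_key"], AUTH_KEY_CHARS[auth]):
        errors.append(f"{auth} needs a {AUTH_KEY_CHARS[auth]}-character hexadecimal key")
    return errors


def check_policy(sas: list) -> list:
    """A manual-key policy needs one inbound and one outbound SA with distinct SPIs."""
    errors = []
    for sa in sas:
        errors += [f"{sa['direction']}/{sa['spi']}: {e}" for e in check_sa(sa)]
    if sorted(sa["direction"] for sa in sas) != ["in", "out"]:
        errors.append("policy needs exactly one inbound and one outbound SA")
    spis = [sa["spi"] for sa in sas]
    if len(set(spis)) != len(spis):
        errors.append("inbound and outbound SPIs must differ")
    return errors


def peer_side(sas: list) -> list:
    """What the remote peer must configure: same SPIs and keys, directions swapped."""
    flip = {"in": "out", "out": "in"}
    return [dict(sa, direction=flip[sa["direction"]]) for sa in sas]


def fresh_key(alg: str) -> str:
    """A random key of the right length for alg, drawn from the OS CSPRNG."""
    chars = ENC_KEY_CHARS.get(alg) or AUTH_KEY_CHARS[alg]
    return secrets.token_hex(chars // 2)


# The SAs from the guide's example; its key values are placeholders, not real keys.
EXAMPLE_SAS = [
    {"direction": "in", "spi": 1004, "protocol": "esp", "enc_alg": "aes128-cbc",
     "auth_alg": "sha1-96-hmac", "enc_key": "11223344556677889900aabbccddeeff",
     "auth_key": "11223344556677889900aabbccddeeff87654321"},
    {"direction": "out", "spi": 1003, "protocol": "esp", "enc_alg": "aes128-cbc",
     "auth_alg": "sha1-96-hmac", "enc_key": "11223344556677889900aabbccddeeff",
     "auth_key": "11223344556677889900aabbccddeeff87654321"},
]

if __name__ == "__main__":
    print("guide example:", check_policy(EXAMPLE_SAS) or "ok")
    print("peer side:", [(s["direction"], s["spi"]) for s in peer_side(EXAMPLE_SAS)])
    print("fresh aes256-cbc key:", fresh_key("aes256-cbc"))
```

Run stand-alone, the script accepts the guide’s SA pair, prints the peer’s view of it (SPI 1004 outbound, SPI 1003 inbound) and a freshly generated 64-character AES-256 key. Use fresh_key for the values you actually type into policy-manual-key on both peers; a key that is a recognisable pattern like the one in the guide offers no protection.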
Configuring a Bypass or Discard Policy on the Management Port

In a bypass policy, packets pass through the ETEP without being encrypted. The packets are passed in the clear and sent to their destination. Bypass policies are typically used to send protocol-specific messaging packets or router-specific messages through the network in the clear.

A discard policy instructs the ETEP to throw away targeted packets. Typically, a discard policy is assigned a low priority. If a packet fails to meet the criteria of any bypass or protect policies that apply to specific subnets, then it gets discarded.

To define a bypass or discard policy:

1 Enter IPsec configuration mode.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config>

2 At the ipsec-config> prompt, enter policy-config mode. As part of the command you will need to enter the name of a policy that has been added (see “Assigning Policy Names” on page 83).
    ipsec-config> policy-config name

3 Set the policy-action command to indicate that this is a bypass or discard policy.
    policy-action {bypass | discard}

4 Configure the policy selector, which determines the traffic that the policy acts on. See Table 48 for a description of the command parameters. The ETEP accepts either IPv4 or IPv6 addresses in the selector, but not simultaneously. In a given selector, the address type must be consistent (either IPv4 or IPv6).
    policy-selector remote-ip local-ip protocol remote-port local-port

5 Assign a unique priority to the policy. Policies are enforced in descending order with the highest priority policy processed first. Each policy must have a unique priority. Valid values are 1-65500.
    policy-priority priority

After configuring your policies, the next steps are to review the pending changes, back up the policy file, and then deploy the policies. See “Deploying Policies” on page 90 to learn how.

Table 48  policy-selector command

policy-selector
    The defaults are: 0.0.0.0/0 (remote ip), 0.0.0.0/0 (local ip), any (protocol), any (remote port), any (local port).
    remote-ip    IPv4 or IPv6 address of the endpoint on the far side of the untrusted network in CIDR notation (IP address/prefix). The default is 0.0.0.0/0, which means “process all packets” coming from any address.
    local-ip    IPv4 or IPv6 address of the local endpoint in CIDR notation (IP address/prefix). The default is 0.0.0.0/0, “process all packets.”
    protocol    A decimal value that identifies the IP layer protocol. “any” accepts all protocols. Range is 1-254.
    remote-port and local-port    A decimal value that identifies the transport layer port number for the remote or local endpoint. “any” means “accept all.” Range is 1-65535.

Related topics:
● “Viewing the Policy Set” on page 91
● “Backing Up the Policy Set” on page 91
● “Deploying Management Policies” on page 92

Example

The following example adds a policy named BypassICMP. It is a bypass policy that passes ICMP traffic (protocol 1) in the clear from anywhere to anywhere. This policy will have the highest priority of all the policies on the ETEP.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> policy-add BypassICMP
    ipsec-config> policy-config BypassICMP
    policy-config> policy-action bypass
    policy-config> policy-selector 0.0.0.0/0 0.0.0.0/0 1 any any
    policy-config> policy-priority 65500
Deploying Policies

We recommend taking the following steps when deploying policies on the management port:

● Review the active management policies and pending changes.
● Make a backup copy of the active policies running on the ETEP.
● Deploy the new policy set to the ETEP.

Viewing the Policy Set

The show-policy-set command lists the deployed and pending policies. Status indicators are listed in Table 49.

Table 49  show-policy-set status indicators

Status indicator    Description
*                   Deployed
--                  Pending
+                   Edit session open for deployed policy

For manual key policies, the parameters are associated with an inbound or outbound SA. The keys are wrapped to obscure the values entered by the user. IKE peers are shown at the end of the display.

To view the policies:

1 From the ipsec-config> prompt, type show-policy-set.

Figure 16  The show-policy-set command lists the active and pending policies
Backing Up the Policy Set

Before making any changes to the management port policies, it is a good practice to make a backup copy of the active policies. In the event you want to return to the last known good set of policies after making some changes, you can easily restore from the backup file. This backup procedure applies only to policies on the management interface. The backup file persists through a power cycle.

To create a backup copy of the active policies:

1 From the ipsec-config> prompt, type backup-policy-set and press ENTER.

Related topics:
● “Viewing the Policy Set” on page 91
● “Restoring the Policy Set” on page 94

Deploying Management Policies

The deploy-policy-set command makes the pending management port policies active on the ETEP. It restarts the IKE server and updates the policy databases (SAD and SPD). Restarting the IKE server tears down existing IKE connections and updates the keys. Traffic is dropped until the new Phase 1 SAs are established, so deploy at a time when a brief loss of management connectivity is acceptable.

Prior to deploying policies, we recommend that you review the pending policies to make sure they are configured correctly. Pay particular attention to policy priorities, selectors, and IKE peer addresses. Use the show-policy-set command to view the active and pending policies. If you find that the deployed policies are not executing as expected, you can restore the backup policies to revert to the previously executing set of policies.

Deployed policies persist through a power cycle. Bypass (clear) and discard policies take effect immediately upon boot up. IKE encryption policies begin negotiating to establish SAs when policies are deployed to each peer. Manual key policies should take effect upon boot up. If a manual key policy is not automatically reestablished after a power cycle, initiate a new connection from the IPsec client.

To deploy management port policies to the ETEP:

1 From the ipsec-config> prompt, type deploy-policy-set and press ENTER.

Related topics:
● “Viewing the Policy Set” on page 91
● “Backing Up the Policy Set” on page 91
Managing Policies

This section describes how to manage the policies on the ETEP. Tasks include:

● “Modifying a Policy” on page 92
● “Deleting a Policy” on page 93
● “Restoring the Policy Set” on page 94

Modifying a Policy

You can modify a policy by entering policy-config mode using the name of the policy that you want to change, and issuing the relevant commands with new settings. As always, it’s a good idea to make a backup copy of the active policies prior to making any changes. It’s also good practice to issue the show-policy-set command to review the pending changes prior to deployment.

Related topics:
● “Viewing the Policy Set” on page 91
● “Backing Up the Policy Set” on page 91
● “Deploying Management Policies” on page 92

Deleting a Policy

To delete a management port policy, first issue the policy-delete command using the policy name that you want to remove, and then deploy the policy set. The targeted policy continues to run on the ETEP until the policy set is deployed. You may want to create a backup copy of the active policies prior to making any changes to the policy set.

To delete a policy:

1 From the ipsec-config> prompt, enter the policy-delete command for the policy that you wish to delete.
    policy-delete name

2 Deploy the policy set for the changes to take effect on the ETEP.
    deploy-policy-set

Related topics:
● “Restoring the Policy Set” on page 94
● “policy-delete” on page 168
Clearing the Policy Set

The clear-policy-set command clears the specified management port policy files, returning them to the factory state.

Table 50  clear-policy-set description

edit       Clears the edit session. Pending policy changes and pending IKE parameter changes are removed.
backup     Clears the backup copy of the policy set.
current    Clears the active policies that are running on the ETEP, pending policies, and the backup policy set. This is the default setting.

Clearing the current policies removes all the active policies that are running on the ETEP, pending policies, and the backup copy of the policy set. Clearing the management port policies removes the policies and then deploys the factory default IKE policy. The edit option removes the pending policies and pending IKE parameter changes. The backup option removes the backup policy set. These two options do not affect the active, deployed policies.

Because current is the default, running clear-policy-set with no argument removes the running policies and the backup copy in one step. Give the edit or backup argument explicitly when that is all you intend to clear.

To clear the policy set:

1 From the ipsec-config> prompt, enter the clear-policy-set command (see Table 50).
    clear-policy-set {edit | backup | current}

2 At the confirmation prompt, type yes to continue, or press any key to cancel.

Related topics:
● “clear-policies” on page 133

Example

The following example clears the pending policy changes to the management port policies.
    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> clear-policy-set edit

Restoring the Policy Set

The restore-policy-set command deploys the backup copy of the policy set. The backup copy of the policy set is retained after a restore operation. A subsequent backup overwrites the previous backup copy of the policy set.

To restore the backup file:

1 From the ipsec-config> prompt, type restore-policy-set and press ENTER.

Related topic:
● “Backing Up the Policy Set” on page 91
Policy Examples

The policy examples in this section are based on Figure 17. The examples demonstrate how to create the following policies:

● IKE encryption policy to encrypt all traffic between the ETEP management port and the management workstation.
● Manual key encryption policy to encrypt all traffic between the ETEP management port and an NTP server.
● Bypass policy to pass all ICMP traffic in the clear, from any source to any destination. This policy has the highest priority on the ETEP.
● Discard policy to discard any traffic that does not match the filters in the configured encryption and bypass policies. This policy has the lowest priority.

The final example demonstrates how to review the active and pending policies, create a backup copy of the active policies on the ETEP, and deploy the policies.

NOTE The examples show how to configure both IKE and manual key policies for demonstration purposes. When deploying policies on the ETEP, all encryption policies must use the same keying method. You cannot deploy a mix of IKE and manual key policies.

Figure 17  Management port policy example
IKE Policy Example

This example shows how to create an IKE policy to encrypt all traffic between the ETEP management port and the management workstation. The commands in the example are grouped according to the following tasks:

● The first set of commands enters ipsec-config mode, makes a backup copy of the active policy set, and then defines the pre-shared key.
● The second set of commands defines the IKE encryption policy. The ETEP management port IP address is 203.0.113.9 and the management workstation IP address is 192.0.2.124. The ike-ipsec proposal uses two encryption algorithms and two authentication algorithms.
● The last set of commands displays the pending policy changes, and then deploys the new policy. Deploying the policy automatically restarts the IKE server.

    admin> configure
    config> management-interface
    man-if> ipsec-config
    ipsec-config> backup-policy-set
    ipsec-config> ike-params-set
    ike-params-set> ike-sa-presharedkey M1$har3dK3y
    ike-params-set> exit
    ipsec-config> policy-add MyIKEPolicy
    ipsec-config> policy-config MyIKEPolicy
    policy-config> policy-action protect
    policy-config> policy-keying ike
    policy-config> policy-ike-peer 192.0.2.124
    policy-config> policy-selector 192.0.2.124/32 203.0.113.9/32 any any any
    policy-config> policy-ike-ipsec esp aes128-cbc/aes256-cbc hmac-sha2-256/hmac-sha2-384
    policy-config> policy-priority 64000
    policy-config> exit
    ipsec-config> show-policy-set
    ipsec-config> deploy-policy-set

Manual Key Policy Example

The following example defines a manual key encryption policy between the ETEP management port (203.0.113.9) and a time server (198.51.100.20). The inbound and outbound SAs have unique SPIs, but use the same algorithms and keys. The key values are placeholders; use randomly generated keys of the lengths in Table 47.

    ipsec-config> policy-add MyManualKeyPolicy
    ipsec-config> policy-config MyManualKeyPolicy
    policy-config> policy-action protect
    policy-config> policy-keying manual-key
    policy-config> policy-selector 198.51.100.20/32 203.0.113.9/32 any any any
    policy-config> policy-manual-key in 1004 esp aes128-cbc sha1-96-hmac
    Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff
    Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321
    policy-config> policy-manual-key out 1003 esp aes128-cbc sha1-96-hmac
    Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff
    Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321
    policy-config> policy-priority 60000

Bypass Policy Example

The following example defines the selectors for a policy named BypassICMP. It is a bypass policy that passes ICMP traffic (protocol 1) in the clear from anywhere to anywhere. This policy is assigned the highest priority of any policies on the ETEP. The name given to policy-config must be exactly the name used with policy-add.

    ipsec-config> policy-add BypassICMP
    ipsec-config> policy-config BypassICMP
    policy-config> policy-action bypass
    policy-config> policy-selector 0.0.0.0/0 0.0.0.0/0 1 any any
    policy-config> policy-priority 65500

Discard Policy Example

This example creates a low priority policy to discard traffic that doesn’t match any of the encryption or bypass policies on the ETEP.

    ipsec-config> policy-add DiscardAll
    ipsec-config> policy-config DiscardAll
    policy-config> policy-action discard
    policy-config> policy-selector 0.0.0.0/0 0.0.0.0/0 any any any
    policy-config> policy-priority 1000

Deploying Policies

The commands in this example display the pending and active policies on the ETEP, create a backup copy of the active policies, and then deploy the new policies. The output of the show command is shown in Figure 18.

    policy-config> exit
    ipsec-config> show-policy-set
    ipsec-config> backup-policy-set
    ipsec-config> deploy-policy-set

Figure 18  The show-policy-set command lists the active and pending policies
Chapter 5: Maintenance

This section includes the following topics:

● Installing ETEP Software Updates
● File System Backup and Restore
● Restoring the Factory Configuration
● Changing the Port Status

Installing ETEP Software Updates

You can upgrade the ETEP software using the update-filesystem CLI command. In addition to loading new software on an appliance, the software upgrade process preserves a backup copy of the old file system and configuration.

The ETEP software includes a digital signature, which the ETEP uses to authenticate the new software after it is downloaded from the FTP site. If the ETEP cannot authenticate the new software, the upgrade process is terminated and the new software is not installed on the appliance. Because FTP itself provides neither integrity nor confidentiality for the transfer, this signature check is what protects the appliance against a tampered image; a signature failure should be treated as a reason to investigate the download path, not to retry until it passes.

The show upgrade-status and show system-log CLI commands provide status on the upgrade process. During an upgrade the CLI is available from the serial port, but you cannot initiate an SSH session until the upgrade is complete.

Related topics:
● “update-filesystem” on page 198
● “File System Backup and Restore” on page 99
File System Backup and Restore

The ETEP file system contains the software image, appliance configuration, policies and keys, log files, certificates, throughput licenses, and passwords. In addition to the current file system, the ETEP maintains a backup copy. The backup copy is used to restore the ETEP’s file system to a previous state. This is useful in the event of a software upgrade failure.

The backup copy of the file system is automatically created when the ETEP software is upgraded using the update-filesystem CLI command. The ETEP maintains only one backup copy of the appliance’s file system. After you generate a backup copy by upgrading, the previous backup copy is no longer available. The restore-filesystem command is used to restore the appliance file system from the backup copy. As a result of restoring the ETEP’s file system, the previous copy becomes the backup copy. The restore operation can be reversed by issuing the restore-filesystem command a second time. Review the following recommendations and cautions prior to restoring the file system:
● Make sure that you know the passwords used in the backup configuration. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in.
● After restoring the file system, redeploy policies to the ETEP to ensure that the appliance is using the current set of policies and keys.
● The restore operation replaces the current certificate with the backup certificate. If you replaced a certificate after the backup image was created, you will need to reinstall that certificate after the file system is restored. Failure to do so can result in a communication failure between the ETEP and the EncrypTight key generator.

The restore-filesystem command is available only to the Administrator user. See “restore-filesystem” on page 185 for more information about using this command.
Restoring the Factory Configuration

Two CLI commands are available for restoring factory settings on the ETEP:
● The filesystem-download command installs a new software image and removes the previous appliance configuration files.
● The filesystem-reset command restores the factory software image without installing a new software version. It also removes the previous appliance configuration files.

Both commands remove the previous appliance configuration, passwords, certificates, throughput licenses, and policies. The backup image is overwritten with a duplicate copy of the file system being installed by the command. The filesystem-download command replaces the backup image with a copy of the new software image, and the filesystem-reset command replaces the backup image with a duplicate of the existing factory software image. The filesystem-download and filesystem-reset commands are available from command mode to the Administrator user. These commands automatically reboot the appliance. After the system reboots, you will need to repeat the initial setup procedures described in “Configuring the ETEP” on page 35. The appliance cannot be managed through the Ethernet management port until the management port IP address is reset. You will also need to re-enter the throughput license.

CAUTION: The filesystem-download and filesystem-reset commands remove the policies and certificates loaded on the appliance. After the automatic reboot, all traffic will pass in the clear until new security policies are deployed to the appliance. The ETEP generates a new self-signed certificate after the reboot.
Backup images and factory images are created and handled independently. Table 51 summarizes the behavior of the backup and factory image commands. It also shows which software version is the running image on the appliance after the command completes. Software versions 1.0 and 2.0 are used as examples in the Running Image column.

Table 51: Backup and factory image commands

New appliance (no command)
  Factory image: Factory image created when appliance is formatted at the factory
  Backup image: Backup image is a duplicate of the factory image (1.0)
  Running image: Factory image on the new appliance is 1.0

update-filesystem (or software upgrade from ETEMS)
  Factory image: Factory image is overwritten by new software image
  Backup image: Backup image is created from the old software image (1.0)
  Running image: Upgrades the software image to 2.0

filesystem-download
  Factory image: Factory image is overwritten by new software image
  Backup image: Backup image is overwritten with a copy of the new software image (2.0)
  Running image: Upgrades the software image to 2.0

restore-filesystem
  Factory image: Factory image is unaffected
  Backup image: Appliance boots to backup image (1.0)
  Running image: Reverts to the backup image, which is 1.0

filesystem-reset
  Factory image: Restores appliance to factory image
  Backup image: Backup image is overwritten with a copy of the factory image
  Running image: Restores the factory image
To learn more about the command syntax see:
● “filesystem-download” on page 141
● “filesystem-reset” on page 143
● “restore-filesystem” on page 185
● “update-filesystem” on page 198
Changing the Port Status

The port-enable command lets you independently enable or disable the management, local, and remote interfaces. This port setting is persistent after a reboot. This command may be useful during software upgrades: you can disable the local and remote data ports until the software upgrade and subsequent reboot have completed successfully, and then re-enable the data ports. The port-enable command is available only to the Admin user.

Related topics:
● “port-enable” on page 181
● “update-filesystem” on page 198
6 Troubleshooting

This section includes the following topics:
● Symptoms and Solutions
● Diagnostic Commands
● Additional Diagnostic Tools

Symptoms and Solutions

The following tables provide some solutions to common problems that may occur with your ETEP.
● “Management Troubleshooting” on page 104
● “Traffic Troubleshooting” on page 106
● “Policy Troubleshooting” on page 107
● “Error State” on page 109
Management Troubleshooting

Table 52: Management Symptoms and Solutions

Symptom: The management workstation can’t communicate with the ETEP.
• Verify that the network connection to the management port is in place.
• Check that the management interface default gateway is properly configured if the management port and the management host are on different subnets.
• The digital certificate may be expired or invalid.
• If trusted hosts are enabled on the ETEP, make sure that the management station is included in the trusted host list in ETEMS. If the management station IP address was entered incorrectly in the trusted host list, issue the disable-trusted-hosts command to regain management connectivity (see “disable-trusted-hosts” on page 140).
• The appliance may be in an error state (see “Error State” on page 109).
• If IPsec is enabled on the management port, verify that the IPsec client is enabled on the workstation and that matching policy settings have been configured on each. If you stop securing the management port with IPsec, be sure to disable the IPsec client on the workstation.
• Changing the management port IP address invalidates any corresponding IPsec policies on the management port. Modify the management IPsec policies with the new IP address and then redeploy the policies.

Symptom: ETEP is not sending SNMP objects to the management workstation.
• Enable SNMP functionality by setting the community string.
• Verify that the management workstation’s IP address is configured as the SNMP trap host address.

Symptom: Cannot download files from an FTP server.
• Verify that the FTP server software is active on the specified host.
• Verify the FTP server user name and password. Check for the following invalid characters: @ : ? # < > &
• Check the file name and location of the ETEP software image.
• Ping the FTP server and ETEP management port. If not successful, contact the Network Administrator.

Symptom: Cannot communicate with an SFTP server.
• Review the steps listed in the row above (FTP server verification).
• If you receive an error indicating that the ETEP cannot communicate with the SFTP server, issue the clear-known-hosts command (see “clear-known-hosts” on page 132).

Symptom: Cannot access the Ethernet management port using SSH.
• Issue the show running-config command and verify that the SSH enabled setting is true.
• Entering either of the following commands causes the SSH daemon to restart, closing all open SSH connections: fipsmode-enable true and password-enforcement strong. Wait 30-60 seconds before trying to re-establish an SSH connection to the ETEP.
• If you used SSH to manage the ETEP prior to replacing a certificate or entering FIPS mode, you may not be able to establish an SSH session after the configuration change. To correct this, clear the known host entry for your SSH client and retry.

Symptom: Unable to deploy an encryption policy on the management interface.
• You can use IKE or manual keys to generate the keys for a protect policy. All encryption policies deployed on the ETEP must use the same keying method. The ETEP will block the deployment of a policy that uses a keying method that is inconsistent with the active policies.
• The local address selector must be the ETEP management port address. If you change the management port IP address, you must manually update your management port policy address selectors.
• When the ETEP is configured for Layer 2 IKE operation on the data ports, you cannot deploy an IKE policy on the management port. Workarounds: deploy a manual key policy on the management port, or take the ETEP out of Layer 2 IKE mode (policy-mode command).
User Configuration Troubleshooting

Table 53: User Configuration Symptoms and Solutions

Symptom: User cannot log in to the ETEP.
• A new user account becomes active only after the Administrator assigns a password to the new user. See “Assigning Passwords to Users” on page 27 to learn how.
• Check the audit log for login failures. Three login failures in a 15-minute period lock a user out of the ETEP for 15 minutes. The Administrator can restore the account or the user can wait until the timeout expires and retry.
• Issue the show command from the user-config> prompt. Disabled accounts are flagged with an asterisk. Only the Administrator can enable a disabled account.

Symptom: Passwords that use default password policy conventions are valid when strong password enforcement is enabled.
• Strong password controls are enforced on any password that is entered after strong password enforcement is enabled. Passwords entered prior to that, using the default password policy, remain valid after the password policy is changed.

Symptom: Cannot change the login banner.
• In this release of ETEP software the banner can be enabled and disabled, but the banner text cannot be replaced.
Traffic Troubleshooting

Table 54: Traffic Symptoms and Solutions

Symptom: Traffic is not being passed.
• Verify that the local and remote port cables are properly seated. The port status LEDs illuminate when the link is active, and blink at a steady rate when traffic is passing on the port.
• Ping end-to-end through the encrypted connection to verify a valid end-to-end connection. The local and remote ports do not respond to ping requests.
• Put the ETEP in bypass mode and verify that it can pass unencrypted traffic. New ETEPs pass traffic in the clear until a policy is deployed. To put an in-service ETEP into bypass mode, issue the clear-policies command from policies mode.

Symptom: The device on the WAN side (remote port connection) of the ETEP is dropping packets.
• Set the PMTU size to a number that doesn’t exceed the MTU of the device with the smallest MTU in the path. To get this number, run diagnostics on the device in question or check with your network administrator.

Symptom: The network operates normally when traffic passes in the clear, but loses packets when encryption is turned on.
• Verify that the IP address filters in the policies are correct for the traffic flow in question.
• Check the SAD and SPD for a list of policies and security associations that are active on the appliance (see “Policy and Security Association Databases” on page 117).
• Check for a mismatch between the date and time of the policy (shown in the SAD) and the date and time on the appliance (show date command). If the dates and times don’t match, you may have a time sync problem. See “Checking for Time Synchronization Problems” on page 112 for more information.
• In networks in which ICMP is blocked at the firewall, devices in the network cannot respond to PMTU path discovery packets. In this situation, the ETEP cannot tell the system to reduce the MTU to accommodate the additional overhead of the encryption header. The ETEP discards packets in which the do not fragment (DF) bit is set and the packet length, including the encryption header, exceeds 1518 bytes. If ICMP is blocked at the firewall and PMTU path discovery is not working, use ETEP to configure the Ignore DFBit setting on the local interface. This option applies only when the ETEP is configured as a Layer 3 encryptor.

Symptom: Traffic is being discarded.
• When the ETEP detects a corrupted policy it enters a state in which it discards all packets that it receives. The ETEP sends a critical error trap to the management station as notification. To recover, redeploy the policies and then reboot the ETEP.

Symptom: DHCP broadcasts are being discarded.
• The dhcprelay command needs to be enabled on ETEPs that have DHCP clients on the local port subnet that require access to a DHCP server that is on a different subnet. A local port IP address is required for proper DHCP Relay Agent behavior. The ETEP must be operating in nontransparent mode in order to have a valid local port IP address. See “dhcprelay” on page 139 for more information.

Symptom: Traffic is running at reduced throughput.
• Check your throughput license (show license command). During the two week grace period the ETEP operates at full throughput, after which it reverts to the minimum speed for the hardware model.
Policy Troubleshooting

Table 55: Policy Symptoms and Solutions

Symptom: Layer 2 IKE traffic is not being encrypted, or Layer 2 IKE traffic is being discarded.
Check the ETEPs for the following configuration errors:
• Check the roles. One ETEP must be configured as “primary” and the other as “secondary.”
• The ETEPs must use the identical preshared key. A typographical error will cause the SA negotiation to fail.
• The same group ID must be used for each pair of ETEPs.
• The policy-mode command must be configured for Layer 2 IKE operation for the policies to take effect.
If you use a time service to set the time forward on the secondary ETEP after the SAs are established, traffic is dropped until the primary ETEP renegotiates, which may be as long as an hour. To force the primary ETEP to renegotiate the link, do the following:
• On the primary ETEP, issue the layer2-p2p command with the traffic handling attribute set to clear (layer2-p2p clear). Then change the command back to encrypt to force a renegotiation of the link.

Symptom: Cannot enter local site policy configuration mode.
• Local site policies cannot be configured or deployed when the ETEP is configured for Layer 2 IKE operation (layer2-p2p command). Local site policies are compatible only with EncrypTight policies.

Symptom: Traffic destined for a virtual IP address is being discarded (the ETEP is operating in nontransparent mode).
Check the ETEP configuration for the following:
• Transparent mode is disabled.
• The ETEP is configured for Layer 3 operation.
• The local and remote port IP addresses, masks, and gateways have been entered correctly. If a default gateway is not configured and the destination IP address is on a different subnet than the transmitting port, the packets will be discarded.
In EncrypTight ETPM:
• In the Network Set, verify that the network addressing mode is remote IP or virtual IP.
• In the policy editor, clear the check boxes for all Addressing Mode Overrides.
In the router:
• Add a static route entry and static ARP entry to the WAN router to ensure that traffic destined for the virtual IP address is sent to the ETEP’s remote port.
See the EncrypTight User Guide for more information about creating and troubleshooting policies that use virtual IP addresses.
When troubleshooting traffic problems, it may be helpful to understand how the ETEP handles source and destination MAC addressing in inbound and outbound packets. Source MAC addressing is determined dynamically, based on the transparency setting, traffic flow, and policy, as described in Table 56.

Table 56: MAC resolution and transparency settings

Transparency mode: Transparent
  Policy type: Encrypt, Clear
  Source MAC address: Copies the source MAC address from the incoming packet.

Transparency mode: Non-transparent
  Policy type: Encrypt, Clear
  Source MAC address: Uses the MAC address of the transmitting port as the source MAC address.

Destination MAC address: When the transmitting port is on the destination network, the ETEP uses ARP to resolve the destination MAC address. When the transmitting port and the destination address are on different subnets, the ETEP sets the destination MAC address to that of the default gateway.
Error State

Table 57: Error State Symptoms and Solutions

Symptom: The Alarm LED is illuminated.
The ETEP enters an error state when a boot test fails, the operating temperature threshold is exceeded, signature errors are detected on critical files pertaining to policies and keys, or a FIPS test fails when the ETEP is in FIPS mode. When the ETEP is in an error state the Alarm LED illuminates, and the appliance discards all packets it receives. Depending on the error, other notifications may be sent (traps, status messages to the ETEMS or the terminal).

To recover from an error state when FIPS mode is disabled:
• When the ETEP detects a corrupted policy, it enters an error state and sends a critical error trap to the management station. To recover, redeploy the policies and then reboot the ETEP.
• For non-policy errors, reboot the appliance. If the operating temperature threshold is exceeded, cycle the power to restart the ETEP.
• If a failure occurs during the boot process, refer to “Diagnostic Commands” on page 109 for additional troubleshooting information.
• If the actions listed above do not clear the error, contact customer support.

To recover from an error state when the ETEP is in FIPS mode:
• A FIPS test failure or signature error will cause the ETEP to zeroize. To learn more about the zeroization process and recovery from that state, see the ETEP Installation Guide.
Diagnostic Commands

The ETEP includes CLI commands that can be useful for checking status and troubleshooting. These commands are described in the following topics and in the “Command Reference” chapter.
● “Show Commands” on page 110
● “Network Tools” on page 111
● “Checking for Time Synchronization Problems” on page 112
● “Determining the Cause of Dropped Packets” on page 112
Show Commands

The ETEP has several show commands that may be helpful in troubleshooting an appliance problem. The show commands display date and version information, and the content of log files. Show commands are available to the Admin and Ops users.

Table 58: ETEP show commands

show all
  Displays a collection of troubleshooting data, including running-config, encryption statistics, MIB2 statistics for the local, remote, and management ports, discarded packets, SPD, SAD, MAC statistics, ARP cache, route table, and system data such as disk and memory usage. See “Additional Diagnostic Tools” on page 114 for more information.
show audit-log
  Displays the contents of the audit log file, such as successful and unsuccessful login attempts. This command is available only to the Administrator user.
show bootloader-version
  Displays the bootloader version that is loaded on the ETEP.
show dataplane-log
  Displays the contents of the data plane log file, including:
  • Messages about packet processing and encryption
  • PMTU changes
show date
  Displays the internal clock’s date and time settings.
show discards
  Shows the number of discarded packets and the reason for the discards. A list of possible reasons for discarded packets is provided in “Discarded Packets” on page 115.
show distkey-log
  Displays log messages about EncrypTight distributed key functionality, such as rekeys and policy deployments.
show dual-power-status
  Displays the operational status of the ET1000A power supplies.
show encrypt-policy
  Displays the encryption policy settings: Layer 2/Layer 3, EncrypTight policy management enabled/disabled, and pass TLS in the clear enabled/disabled.
show fips-mode
  Shows whether FIPS mode is enabled or disabled on the ETEP.
show throughput-speed
  Displays the throughput speed configured on the dataplane.
show ntp-status
  Shows whether the NTP client is enabled, and if it is, displays NTP server information. See “Checking for Time Synchronization Problems” on page 112 for more information.
show pki-log
  Displays the pki log, which contains messages about certificate usage.
show running-config
  Displays the configuration that is running on the appliance.
show sad
  Shows the security association database entries. See “Viewing the SAD Entries” on page 118 for a description of the SAD fields.
show serial-number
  Displays the unit’s serial number.
show snmp-log
  Displays the messages in the SNMP log file.
show spd
  Shows the security policy database entries. See “Viewing the SPD Entries” on page 117 for a description of the SPD selectors.
show system-log
  Displays the contents of the system log file, which contains significant system events that are not associated with the other pre-defined facilities, including:
  • NTP clock sync successes and failures
  • XML-RPC calls from ETEMS to the ETEP
show upgrade-status
  Displays the status of the current upgrade operation.
show version
  Displays software and firmware version information, and system up time. The system uptime shows how long the Linux operating system has been running, the number of users and load average. The load average represents the percentage of system utilization over a period of time. It appears in the form of three numbers, which represent the system load during the last one-, five-, and fifteen-minute periods. A value less than 1.0 means that the CPU is underloaded and no processes had to wait. Values greater than 1.0 indicate the CPU is overloaded.

For more information about the show command, see “show” on page 187.
Network Tools

Several standard Linux network diagnostic commands are available from within the ETEP CLI. The syntax of these commands follows Linux conventions. The tools available in this release are ping and traceroute.
● Ping is a computer network administration utility used to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets sent from the local host to a destination computer. The IPv4 and IPv6 versions of ping are supported on the ETEP.
● Traceroute is a computer network tool used to determine the route taken by packets across an IP network.

The commands are issued from the ETEP’s management port. They are available from network-tools mode to both Admin and Ops users. To view the command syntax and available options, enter ping --help or traceroute --help. See “Related topics:” on page 111 for links to the command reference and additional examples.

Examples

The following example pings host 192.168.1.1 from the ETEP management port. The count specifies the ping operation will stop after sending (and receiving) 10 ECHO_RESPONSE packets.

ping -c10 192.168.1.1

The next example sends a traceroute probe from the ETEP management port to host 24.93.38.29.

traceroute 24.93.38.29

Related topics:
● “ping” on page 161
● “ping6” on page 163
● “traceroute” on page 194
Checking for Time Synchronization Problems

If you think that you may be having time synchronization problems between the ETEP and the NTP server, you can verify the status using the show ntp-status command.

Syntax

show ntp-status

Example

The fields described in Table 59 can help you determine if there is a time sync problem.

Table 59: show ntp-status command output

remote
  IP address of the NTP server.
st (stratum)
  A stratum value of 16 indicates a time synchronization failure.
when
  Number of seconds since the last poll. This value should be less than or equal to the poll value. A “when” value that exceeds the “poll” value indicates a time sync problem.
poll
  Polling interval in seconds. The “poll” value will be greater than the “when” value when the time server is synchronizing successfully.
jitter
  A value of 4000.00 indicates a time synchronization failure.

If the output of the show ntp-status command indicates a time synchronization problem, check the following:
● Verify that the NTP server IP address is a valid address.
● If you are using a local NTP server, check to see if the NTP server is powered on.
● Check for network problems that may prevent the ETEP from reaching the NTP server.
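The three failure indicators in Table 59 can be applied mechanically to the peer list. The following Python script is an added example, not code from the guide; it assumes show ntp-status prints the peer table in the ntpq -p layout, and the sample output below is constructed to show one healthy peer and two failing ones.

```python
"""Added example (not from the ETEP guide): apply the Table 59 checks to
show ntp-status output. The peer-list layout is assumed to match ntpq -p."""
import re

# Constructed sample output: one synchronized peer, one unreachable peer
# (stratum 16, jitter 4000.00) and one peer whose polls are no longer landing.
SAMPLE_NTP_STATUS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.10.5    .GPS.            1 u   34   64  377    0.412   -0.118   0.034
 192.168.10.6    .INIT.          16 u    -  256    0    0.000    0.000 4000.00
 192.168.10.7    10.0.0.1         3 u  410  128    1    1.850   12.304   0.911
"""

# Columns: optional tally code, remote, refid, st, t, when, poll, reach,
# delay, offset, jitter. Header and separator lines do not match.
PEER_ROW = re.compile(
    r"^[ x.\-+#*o]?(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)\s+(?P<delay>\S+)\s+"
    r"(?P<offset>\S+)\s+(?P<jitter>\S+)\s*$")


def parse_ntp_status(output):
    """One dict per peer with the Table 59 fields as numbers.
    A "when" of "-" (peer never polled successfully) becomes None."""
    peers = []
    for line in output.splitlines():
        m = PEER_ROW.match(line)
        if not m:
            continue
        when = m.group("when")
        peers.append({
            "remote": m.group("remote"),
            "st": int(m.group("st")),
            "when": None if when == "-" else int(when),
            "poll": int(m.group("poll")),
            "jitter": float(m.group("jitter")),
        })
    return peers


def diagnose(peer):
    """Return the Table 59 failure indicators that apply to one peer row."""
    problems = []
    if peer["st"] == 16:
        problems.append("stratum 16: not synchronized")
    if peer["when"] is not None and peer["when"] > peer["poll"]:
        problems.append(f"when {peer['when']} exceeds poll {peer['poll']}: "
                        "polling is not succeeding")
    if peer["jitter"] >= 4000.0:
        problems.append("jitter 4000.00: synchronization failure")
    return problems


def check_ntp_status(output):
    """Map each NTP server address to the list of problems detected for it."""
    return {p["remote"]: diagnose(p) for p in parse_ntp_status(output)}


if __name__ == "__main__":
    for server, problems in check_ntp_status(SAMPLE_NTP_STATUS).items():
        print(server, "OK" if not problems else "; ".join(problems))
```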
Determining the Cause of Dropped Packets

The policy packet counters provide a mechanism for tracking packets through multiple ETEPs. This can help you determine why certain packets are being dropped in your network. When the reason for the dropped packets isn’t obvious and cannot be explained by the discard counters, the policy packet counters let you compare packet counts between the sending and receiving ETEPs to determine the source of the problem.

The policy packet count works as follows. When the policy-packet-count command is enabled, the ETEP adds a count to the security policy and security association databases (SPD and SAD, respectively). The counters increment as packets use the policies and SAs. The counts are displayed when you issue any of the following CLI commands: show spd, show sad, and show policy-packet-count-clear. By comparing the counters on each ETEP, you can determine if the packets are being encrypted and sent from one ETEP, and then received at the other. For example, if the counters increment on ETEP-1 but not on ETEP-2, it demonstrates that ETEP-1 is sending packets, but they are not being received at ETEP-2. This indicates a network problem, perhaps with the router. You can create policies for debugging purposes that track a particular packet type, protocol, or port. On the other hand, if the counters are incremented equally on each ETEP but the packets are not reaching their destination, it indicates that the packets are getting through the network but are perhaps being discarded by the ETEP. Checking the discard statistics on the ETEP (show discards) can provide an indication of the nature of the discards and therefore the problem. The encryption statistics in the show all command are another area to check when you are experiencing packet loss.

The policy packet count feature is disabled by default. To minimize the impact on performance, we recommend enabling the feature for troubleshooting, and disabling it for normal operation. The policy-packet-count command is available in policies configuration mode to the Admin user.

NOTE: The policy packet counters are available only through the CLI show commands. They do not appear in SAD or SPD files that are exported using ETEMS.

Figure 19: Sample output of policy counters

To configure the policy packet counters:
1 Enter policies configuration mode.
  admin> configure
  config> policies
2 Enable or disable the policy-packet-count command.
  policy-packet-count {enable | disable}

To reset the policy packet counters:
1 From the command prompt, type show policy-packet-count-clear. This command displays the SAD and SPD entries and their associated packet counters, and then resets the counters to zero. The counters can be cleared only when the policy-packet-count command is enabled. If traffic is flowing when the counters are reset, they immediately resume incrementing following the reset.

Example

This example enables the policy-packet-count command.

admin> configure
config> policies
policies> policy-packet-count enable

This example displays and then resets the policy packet counters in the SPD and SAD.

admin> show policy-packet-count-clear

Related topics:
● “Discarded Packets” on page 115
● “policy-packet-count” on page 177
● “show” on page 187
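The comparison described above (sender counters rising while receiver counters do not, versus both rising while traffic still fails to arrive) can be written down as a small decision procedure. The following Python script is an added example, not from the guide; the per-policy counter snapshots are constructed values standing in for the numbers read from show spd on ETEP-1 and ETEP-2 before and after a test transfer, and the set of policies whose traffic reached the end host is an input you supply from your own testing.

```python
"""Added example (not from the ETEP guide): compare policy packet counters
taken on the sending and receiving ETEP to localize packet loss."""

# Constructed snapshots: policy name -> packet count shown by show spd, read
# on ETEP-1 (sender) and ETEP-2 (receiver) before and after a test transfer.
ETEP1_BEFORE = {"ProtectWeb": 1200, "ProtectDB": 400, "ProtectBackup": 90, "ProtectVoice": 10}
ETEP1_AFTER  = {"ProtectWeb": 1350, "ProtectDB": 400, "ProtectBackup": 140, "ProtectVoice": 30}
ETEP2_BEFORE = {"ProtectWeb": 1180, "ProtectDB": 395, "ProtectBackup": 90, "ProtectVoice": 10}
ETEP2_AFTER  = {"ProtectWeb": 1180, "ProtectDB": 395, "ProtectBackup": 140, "ProtectVoice": 30}
# Policies whose test traffic the end host actually received (constructed).
REACHED_DESTINATION = {"ProtectVoice"}


def deltas(before, after):
    """Packets counted against each policy between the two snapshots."""
    return {name: after[name] - before.get(name, 0) for name in after}


def compare_counters(sender_before, sender_after,
                     receiver_before, receiver_after, reached_destination):
    """Classify each policy using the reasoning from the guide:
    - sender counted nothing: the test traffic never matched the policy
    - sender counted, receiver did not: loss in the network path (router)
    - both counted but the host saw nothing: check show discards and the
      encryption statistics on the receiving ETEP"""
    sent = deltas(sender_before, sender_after)
    received = deltas(receiver_before, receiver_after)
    report = {}
    for name, s in sent.items():
        r = received.get(name, 0)
        if s == 0:
            report[name] = "not sent"
        elif r == 0:
            report[name] = "lost in network"
        elif r < s:
            report[name] = "partial loss in network"
        elif name in reached_destination:
            report[name] = "ok"
        else:
            report[name] = "discarded after receipt"
    return report


if __name__ == "__main__":
    verdicts = compare_counters(ETEP1_BEFORE, ETEP1_AFTER,
                                ETEP2_BEFORE, ETEP2_AFTER, REACHED_DESTINATION)
    for name, verdict in verdicts.items():
        print(f"{name:14s} {verdict}")
```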
Additional Diagnostic Tools

Additional tools for diagnosing problems with the ETEP are available from ETEMS. These tools are described in Table 60. Tools that are available from both ETEMS and the CLI are listed in Table 61.

Table 60: ETEMS diagnostic tools

Retrieve log files from an appliance
  Allows you to examine an individual log file for a specific log facility or view a concatenated file of all log messages.
SNMP traps
  To monitor ETEP events, system status, and warning and error conditions, ETEMS lets you set up SNMP trap reporting.

Table 61: Tools available from the CLI and ETEMS

View port status
  Shows information about the local and remote ports (see “Port Status” on page 115).
View discarded packet counts
  Shows the number of discarded packets and the reason for the discards. A list of possible reasons for discarded packets is provided in “Discarded Packets” on page 115.
View encryption statistics
  Shows the number of packets successfully encrypted and decrypted (see “Encryption Statistics” on page 116).
View a variety of frame and packet counters
  See “MAC Statistics” on page 116 for a complete list of counters.
Export the security policy database (SPD) and security association database (SAD) to a CSV file
  See “Policy and Security Association Databases” on page 117 for information about using these files to troubleshoot policy problems.
Port Status

ETEMS displays the status of the local and remote ports (View > Status), including:
● Operational status (interface up or down)
● Physical address
● Link speed
● MTU

The Refresh button updates the display (Figure 20). Using the CLI, port status is displayed by the show running-config and show all commands.

Figure 20: Port status
Discarded Packets

When packets are discarded, the ETEP displays the number of discarded packets and the reason for the discards. To view discarded packet counts, issue the show discards command or click View > Status in ETEMS. Discard reasons are listed in Table 62.

Table 62: Discard packet descriptions

  Fragmentation error
  ICMP non-zero fragment
  Reassembly error
  Internal packet order error
  Internal packet queue error
  Management port forwarding error
  Management port packet RX error
  Remote port packet RX error
  Local port packet RX error
  Linux not ready error
  Local port packet too large
  Remote port packet too large
  Local port unsupported VLAN type
  Remote port unsupported VLAN type
  Local port unsupported MPLS type
  Remote port unsupported MPLS type
  Local port non IP
  Remote port non IP
  Local port non IP v4
  Remote port non IP v4
  Local port IP length error
  Remote port IP length error
  Remote port no SA error
  Local port no policy error
  Remote port no policy error
  Local port drop policy
  Remote port drop policy
  Local port invalid policy
  Remote port invalid policy
  Remote port policy not IPSEC
  Remote port failed decrypt check
  Remote port crypto error
  Remote port failed auth check
Encryption Statistics
Encryption statistics show the number of packets successfully encrypted and decrypted. Inbound packets are received on the remote port and decrypted before being sent to the trusted network. Outbound packets are encrypted and sent from the remote port across an untrusted network. The encryption statistics counters are 32-bit counters, which roll over after reaching their maximum value. To view encryption statistics:
● From the CLI, enter the show all command
● In ETEMS, click View > Statistics
MAC Statistics
MAC statistics show frame and packet counters on the ETEP local and remote ports. The MAC statistics counters are 64-bit counters, which roll over after reaching their maximum value. To view MAC statistics:
● From the CLI, enter the show all command
● In ETEMS, click View > Statistics
Counters
Counters are displayed for transmitted and received packets on the local and remote ports. The counters are shown for packets that are received on the appliance’s local port and transmitted from its remote port, and vice versa: RxLocalPort, TxRemotePort, RxRemotePort, TxLocalPort.
● Bytes
● Packets
● Multicast packets
● Broadcast packets
● Oversize packets
● Undersize packets
● Fragments
● Control frames
● Pause frames
● Jabber frames
● CRC errors
Tx Counters
The following counters are displayed for packets transmitted from the local and remote ports.
● Pause frames honored
● Frames dropped
● Defers
● Excess Defers
● Single Collisions
● Multiple Collisions
● Late Collisions
● Excessive Collisions
● Total Collisions
Rx Counters
The following counters are displayed for packets received on the local and remote ports.
● Packets dropped
● Unknown opcode
● Align errors
● Frame length errors
● Code errors
● Carrier Sense errors
TxRx Counter
The following counters show the number of transmitted and received packets on each port, grouped by frame size.
● 64 byte frames
● 65 to 127 byte frames
● 128 to 255 byte frames
● 256 to 511 byte frames
● 512 to 1023 byte frames
● 1024 to 1518 byte frames
● 1519 to 1522 byte frames
Policy and Security Association Databases
ETEMS can export the security policy database (SPD) and security association database (SAD) from the ETEP to CSV files to aid in troubleshooting (View > Statistics). You can also view these databases directly from the CLI by issuing the show spd and show sad commands.
Viewing the SPD Entries
Security policies are rules that tell an encryption appliance how to process different packets that it receives. Security policies are stored in the appliance’s security policy database (SPD). Each entry in the SPD represents a policy. The SPD shows which policies the ETEP is going to enforce and in what order. Policies are listed in descending priority order, with the highest priority policy listed first.
Table 63 SPD selectors
SPD Selector | Description
Destination IP, subnet mask, and port | The destination IP address, subnet mask, and protocol port specified in the policy.
Direction | Packets are categorized as inbound or outbound. Inbound packets arrive at the remote port from the untrusted network. Outbound packets are sent from the remote port to the untrusted network.
Policy Type | The policy type is displayed as one of the following: IPSec (encrypt), Discard (drop), or None (pass in the clear).
Source IP, subnet mask, and port | The source address, subnet mask, and protocol port specified in the policy.
Priority Value | The order in which SPD entries are processed. SPD entries are processed from highest to lowest priority value. Although the priority index uses a different numbering scheme than EncrypTight ETPM, the relative priority ordering is maintained.
EtherType | For Layer 2 traffic, 65535 is an EtherType of “any.” For Layer 3 traffic, 2048 indicates an IP payload.
VLAN ID | For Layer 2 traffic, this field displays the VLAN ID value (1-4094). If no VLAN ID is specified, “any” is displayed.
Figure 21 SPD exported to an Excel spreadsheet
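As an added example (not code from this guide or from Black Box), the following Python reads an exported SPD CSV, orders the entries the way the ETEP processes them (highest priority value first), resolves which policy a given packet hits, and reports entries that a higher-priority entry fully shadows. The column names are an assumption, since the guide lists the selectors (Table 63) but not the header the export writes.

```python
"""Resolve and sanity-check SPD entries from an exported SPD CSV file.

Added example, not code from the ETEP guide or from Black Box. The guide
documents the SPD selectors (Table 63) but not the exact column headers the
CSV export writes, so the header names below are assumptions: rename them
to match your exported file.
"""
import csv
import io
import ipaddress

# Constructed sample of an exported SPD (assumed column names). Rows are
# deliberately not in priority order to show that the tool sorts them.
SAMPLE_SPD_CSV = """\
priority,direction,policy_type,src_ip,src_mask,src_port,dst_ip,dst_mask,dst_port,ethertype,vlan_id
100,outbound,None,0.0.0.0,0.0.0.0,any,0.0.0.0,0.0.0.0,any,2048,any
300,outbound,IPSec,10.1.0.0,255.255.0.0,any,10.2.0.0,255.255.0.0,any,2048,any
150,outbound,IPSec,10.1.5.0,255.255.255.0,any,10.2.0.0,255.255.0.0,any,2048,any
200,outbound,Discard,10.1.5.0,255.255.255.0,any,0.0.0.0,0.0.0.0,any,2048,any
100,inbound,None,0.0.0.0,0.0.0.0,any,0.0.0.0,0.0.0.0,any,2048,any
"""


def load_spd(csv_text):
    """Parse the CSV and order entries as the ETEP processes them:
    highest priority value first (ties keep file order)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: int(r["priority"]), reverse=True)
    return rows


def _net(ip, mask):
    # A 0.0.0.0 mask yields 0.0.0.0/0, i.e. "any address".
    return ipaddress.IPv4Network((ip, mask), strict=False)


def _port_ok(port, selector):
    return selector == "any" or int(selector) == port


def match_policy(spd, direction, src_ip, dst_ip, src_port, dst_port,
                 ethertype=2048, vlan_id=None):
    """Return the first SPD entry whose selectors match the packet, or None.

    Because the list is in descending priority order, the first match is the
    policy the ETEP applies; later overlapping entries never see the packet.
    """
    for e in spd:
        if e["direction"].lower() != direction.lower():
            continue
        # EtherType 65535 means "any"; 2048 is an IP payload (Layer 3).
        if e["ethertype"] != "65535" and int(e["ethertype"]) != ethertype:
            continue
        if e["vlan_id"] != "any" and int(e["vlan_id"]) != vlan_id:
            continue
        if (ipaddress.IPv4Address(src_ip) in _net(e["src_ip"], e["src_mask"])
                and ipaddress.IPv4Address(dst_ip) in _net(e["dst_ip"], e["dst_mask"])
                and _port_ok(src_port, e["src_port"])
                and _port_ok(dst_port, e["dst_port"])):
            return e
    return None


def _covers(hi, lo):
    """True when every packet that matches 'lo' also matches 'hi'."""
    if hi["direction"].lower() != lo["direction"].lower():
        return False
    if hi["ethertype"] != "65535" and hi["ethertype"] != lo["ethertype"]:
        return False
    if hi["vlan_id"] != "any" and hi["vlan_id"] != lo["vlan_id"]:
        return False
    for side in ("src", "dst"):
        if hi[side + "_port"] != "any" and hi[side + "_port"] != lo[side + "_port"]:
            return False
        lo_net = _net(lo[side + "_ip"], lo[side + "_mask"])
        if not lo_net.subnet_of(_net(hi[side + "_ip"], hi[side + "_mask"])):
            return False
    return True


def shadowed_entries(spd):
    """Priority values of entries that can never match because an entry
    earlier in processing order already covers all of their traffic.
    Entries that only partially overlap are not reported."""
    return [int(lo["priority"]) for i, lo in enumerate(spd)
            if any(_covers(hi, lo) for hi in spd[:i])]
```

In the constructed sample the priority-150 IPSec entry is fully covered by the priority-300 entry and is reported as shadowed, while the priority-200 Discard entry only partially overlaps and still catches 10.1.5.0/24 traffic that is not bound for 10.2.0.0/16.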
Viewing the SAD Entries
A security association (SA) is a set of security information that describes the particular security mechanisms that are used to secure communications between two appliances. The appliance’s security associations are contained in its security association database (SAD). Viewing the SAD can help you verify that a given SA is active on the ETEP and view its source and destination addresses and encryption algorithm.
Table 64 SAD entries
Field | Description
SPI | The security parameter index (SPI) uniquely identifies an SA at its destination.
Source and destination IP | Source and destination IP addresses.
Date created | Date that the SA was created.
Expire lifetime | This field always displays a zero. It is not populated with a meaningful value in this release.
Renegotiate lifetime | For IKE policies, this value represents the time, in seconds, before an SA is renegotiated. In distributed key policies, the Renew keys/Refresh lifetime value specifies the length of time that the keys and policies will be active before the EncrypTight sends new keys. The lifetime specified in the distributed key policy is stored on the EncrypTight key server, not on the ETEP; therefore this value is always zero on the ETEP.
Protocol | The protocol is always ESP for encryption policies.
Mode | The ETEP operates in tunnel mode when enforcing Layer 3 IP policies. For Layer 2 Ethernet policies and Layer 4 payload encryption policies, the ETEP is in transport mode.
Cipher algorithm | AES or 3DES.
Hash algorithm | SHA1 or MD5.
Figure 22 SAD exported to an Excel spreadsheet
Chapter 7: FIPS 140-2 Level 2 Operation
The ETEPs are FIPS Level 2 compliant. This section describes the FIPS mode of operation on the ETEPs. If you plan to operate the ETEP in FIPS mode, we recommend enabling FIPS mode as your first configuration task. Entering FIPS mode resets many configuration items, such as passwords, policies, and certificates. To avoid having to reconfigure the ETEP, enable FIPS mode and then perform the rest of the appliance and policy configuration tasks.
FIPS Mode Requirements
When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and authentication algorithms. FIPS-approved algorithms are listed in Table 65. Note that some of the FIPS-approved algorithms are available only for use on the management port. The ETEP prevents entry into FIPS mode when any of the following conditions are true:
● EncrypTight distributed key policies are installed that use non-FIPS approved algorithms
● IKE policies are configured on the management port interface that use non-FIPS approved algorithms
● Manual key policies are installed on the management port interface. If you plan to use manual key policies, you must deploy them after FIPS mode is enabled on the ETEP.
● SNMPv3 configuration uses cryptography for SNMP trap hosts, but no IPsec policy has been configured to protect the SNMP traffic for each specific trap host
● The debug shell is in use
● Strict client authentication is enabled on the management port. If you plan to use strict authentication to secure management port communications, you must enable FIPS mode prior to enabling strict authentication. To learn more about using strict authentication, see the EncrypTight User Guide.
Table 65 FIPS approved encryption and authentication algorithms
Encryption algorithms | Authentication algorithms
3des-cbc | sha1-96-hmac
aes128-cbc | sha2-256-hmac
aes256-cbc | sha2-384-hmac
Entering FIPS Mode
To place the ETEP in FIPS mode, issue the fips-mode-enable command. To verify the state of FIPS mode on the ETEP, issue the show running-config CLI command. Placing the ETEP in a FIPS-compliant configuration can take several minutes. Some communications services are reset when FIPS is enabled and disabled. Open SSH sessions are terminated, and cannot be reestablished until FIPS mode is fully operational. When putting the ETEP in FIPS mode, the ETEP performs the following actions and self-tests:
● Runs self-tests during the boot process and when entering FIPS mode that include cryptographic algorithm tests, firmware integrity tests, and critical function tests
● Performs a software integrity test
● Clears pre-existing policies and keys, as described in Table 66
● Generates a new self-signed certificate on the management interface
● Removes all externally signed certificates
● Resets passwords to the factory defaults
● Closes remote SSH client sessions
Table 66 Effects of clearing policies and keys when entering FIPS mode
Policy Type | Action upon entering FIPS mode
Distributed key policies | Traffic passes in the clear until new encryption policies are created and deployed to the ETEP.
Point-to-point Layer 2 policies | Keys are automatically renegotiated. Traffic is discarded in the interim.
Management port policies | Keys are automatically renegotiated. Traffic is discarded in the interim.
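The following Python is an added example (not code from this guide or from Black Box) that turns the two preceding sections into a pre-flight check: it encodes the Table 65 algorithm list and the “FIPS Mode Requirements” blocking conditions, and it lists what Table 66 says will happen to each policy type once fips-mode-enable runs. The Policy and Appliance fields, their kind and interface labels, and the inventory values are this example’s own assumptions, not ETEP CLI output.

```python
"""Pre-flight check for fips-mode-enable on an ETEP.

Added example, not code from the ETEP guide or from Black Box. It encodes the
approved algorithms of Table 65, the blocking conditions under "FIPS Mode
Requirements", and the effects in Table 66 as checks over a constructed
inventory; the field names and labels below are assumptions.
"""
from dataclasses import dataclass, field

# Table 65: the only algorithms allowed while FIPS mode is on.
FIPS_ENCRYPTION = {"3des-cbc", "aes128-cbc", "aes256-cbc"}
FIPS_AUTH = {"sha1-96-hmac", "sha2-256-hmac", "sha2-384-hmac"}


@dataclass
class Policy:
    name: str
    kind: str        # assumed labels: distributed-key, ike, manual-key, layer2
    interface: str   # assumed labels: management, local, remote
    encryption: str  # algorithm names as written in Table 65
    auth: str


@dataclass
class Appliance:
    policies: list
    # Trap hosts for which SNMPv3 uses authentication/privacy cryptography.
    snmpv3_crypto_trap_hosts: set = field(default_factory=set)
    # Trap hosts whose SNMP traffic is already protected by an IPsec policy.
    ipsec_protected_hosts: set = field(default_factory=set)
    debug_shell_in_use: bool = False
    strict_client_auth: bool = False


def is_fips_approved(policy):
    return policy.encryption in FIPS_ENCRYPTION and policy.auth in FIPS_AUTH


def fips_blockers(appliance):
    """One message per condition that makes the ETEP refuse to enter FIPS mode,
    each with the remediation the guide gives for it."""
    problems = []
    for p in appliance.policies:
        algs = f"{p.encryption}/{p.auth}"
        if p.kind == "distributed-key" and not is_fips_approved(p):
            problems.append(f"distributed key policy '{p.name}' uses {algs}: "
                            "redeploy with Table 65 algorithms")
        elif p.kind == "ike" and p.interface == "management" and not is_fips_approved(p):
            problems.append(f"management port IKE policy '{p.name}' uses {algs}: "
                            "reconfigure with Table 65 algorithms")
        elif p.kind == "manual-key" and p.interface == "management":
            problems.append(f"manual key policy '{p.name}' on the management port: "
                            "remove it and deploy it after FIPS mode is enabled")
    unprotected = appliance.snmpv3_crypto_trap_hosts - appliance.ipsec_protected_hosts
    for host in sorted(unprotected):
        problems.append(f"SNMPv3 trap host {host} uses cryptography but no IPsec "
                        "policy protects its SNMP traffic")
    if appliance.debug_shell_in_use:
        problems.append("debug shell is in use: type exit at the debug_shell> prompt")
    if appliance.strict_client_auth:
        problems.append("strict client authentication is enabled on the management "
                        "port: FIPS mode must be enabled before strict authentication")
    return problems


def entry_effects(appliance):
    """What entering FIPS mode does to the deployed policies (Table 66) and to
    credentials, so the interim can be planned before issuing the command."""
    effects = []
    kinds = {p.kind for p in appliance.policies}
    if "distributed-key" in kinds:
        effects.append("distributed key policies: traffic passes in the clear "
                       "until new policies are created and deployed")
    if "layer2" in kinds:
        effects.append("point-to-point Layer 2 policies: keys renegotiated, "
                       "traffic discarded in the interim")
    if any(p.interface == "management" for p in appliance.policies):
        effects.append("management port policies: keys renegotiated, "
                       "traffic discarded in the interim")
    effects.append("passwords reset to factory defaults, externally signed "
                   "certificates removed, SSH sessions closed")
    return effects


# Constructed inventory; 'md5-hmac' is a made-up name for a non-approved hash.
SAMPLE = Appliance(
    policies=[
        Policy("site-a", "distributed-key", "local", "aes256-cbc", "sha1-96-hmac"),
        Policy("site-b", "distributed-key", "local", "aes256-cbc", "md5-hmac"),
        Policy("mgmt-ike", "ike", "management", "aes128-cbc", "sha2-256-hmac"),
        Policy("mgmt-manual", "manual-key", "management", "aes128-cbc", "sha2-256-hmac"),
        Policy("l2-link", "layer2", "remote", "aes256-cbc", "sha2-384-hmac"),
    ],
    snmpv3_crypto_trap_hosts={"192.0.2.10", "192.0.2.11"},
    ipsec_protected_hosts={"192.0.2.10"},
    strict_client_auth=True,
)
```

Running fips_blockers(SAMPLE) flags the md5 policy, the manual key policy on the management port, the unprotected trap host 192.0.2.11 and strict client authentication; the compliant IKE and Layer 2 policies pass.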
Operational Notes
Entering FIPS mode may cause some delays when communicating with the ETEP.
● When the ETEP is rebooted with FIPS mode enabled, the ETEP does not become operational until 30-60 seconds after the login prompt is displayed. In the interim, attempts to communicate with the ETEP from ETEMS or the CLI result in error messages (attempting to access a locked shared resource or failure to create input stream). If you receive an error message, wait several seconds and retry.
● The Ethernet management interface uses FIPS-approved cipher and authentication algorithms for SSL and SSH connections. When operating in FIPS mode, it can take 30-40 seconds to establish an SSH session.
● If you used SSH to manage the ETEP prior to entering FIPS mode, you may not be able to establish an SSH session after FIPS is enabled. To correct this, clear the known host entry for your SSH client and retry.
FIPS Mode Failures and Zeroization
If the ETEP is operational when you enable FIPS mode and one of the FIPS tests fails, the ETEP continues to operate with FIPS disabled. If the ETEP fails to boot properly while in a FIPS-enabled state, or the cover is opened or removed while the unit is powered up, the appliance is zeroized. During zeroization, the ETEP enters an error state and all traffic is discarded. All configuration and policy data is destroyed and keys are zeroized, preventing encryption and decryption of data.
Other Operating Boundaries
Other operating boundaries are as follows:
● The ETEP appliance must be operated in accordance with the instructions in this manual, the ETEP Installation Guide, and the EncrypTight User Guide.
● ETEP appliances are shipped with all encryption mechanisms disabled to allow installation test and acceptance. Prior to operation, encryption mechanisms should be enabled.
● The appliance’s tamper-evident seal must be intact. If the tamper-evident seal is broken, the ETEP appliance is not FIPS-140-2 Level 2 compliant.
● The ETEP appliance must be installed in a controlled area with access limited to authorized personnel.
● The ETEP appliance will not be used to process, protect, or store classified information.
Related topics:
● ETEP Installation Guide, “Maintenance” chapter
● Visit the NIST website at http://csrc.nist.gov/cryptval/ to learn more about FIPS PUB 140-2 and the ETEP FIPS Security Policy
Exiting FIPS Mode
The ETEP performs the following actions when exiting FIPS mode:
● Existing policies continue to run until they are replaced or deleted.
● SSH is reset when FIPS is disabled, terminating the current session.
Chapter 8: Command Reference
This section includes the following topics:
● CLI Overview
● Commands
CLI Overview
The CLI can be accessed using a direct connection to the serial port or remotely through a secure SSH connection. To log in to the CLI, enter the user name and password. User names are associated with a role, which determines the tasks that a user can perform and the CLI commands that are available. The ETEP has two roles: Administrator and Ops. The Administrator has access to all of the CLI commands, while the Ops user has access to a limited subset of the commands. The default user names and passwords are listed in Table 67.
Table 67 Default user names and passwords on the ETEPs
Role | Default user name | Default password
Administrator | admin | admin
Ops | ops | ops
Most commands take effect when they are issued. Commands that affect the file system, such as loading new software or restoring the backup file system, require a reboot to take effect.
Related topics:
● “Format Conventions” on page 125
● “Tips on Command Usage” on page 126
Format Conventions
Command references listed in this chapter are presented using the following format conventions.
● Arguments are shown in monospaced type, and must be entered exactly as they appear in the text.
● Brackets [ ] indicate that the enclosed parameter is optional.
● Braces { } indicate that the enclosed arguments or parameters are required.
● Arguments separated by the vertical bar | indicate that any one of the arguments may be used. For example, a | b means enter a or b, but not both.
● Parameters that a user needs to enter are enclosed in angle brackets < >. For example, <ip address> indicates that the user needs to enter an IP address, such as 192.168.1.1.
● When entering a command with several optional parameters, you must enter the optional parameters up to and including the parameter of interest. Subsequent optional parameters will be left at their default settings.
Examples
In this example the arguments are to be entered exactly as shown.
    show version
In the next example, enter “show” followed by either “version” or “date.”
    show version|date
The ip command includes required parameters that are enclosed in braces (ip address and subnet mask), and an optional parameter that is enclosed in brackets (gateway). If an optional attribute is not explicitly configured, the appliance will use its default value.
    ip {<ip address> <subnet mask>} [gateway]
The ip command with the optional gateway attribute might look like this:
    ip 10.168.224.1 255.255.0.0 10.168.1.1
The user-add command includes several optional parameters.
    user-add <user name> <role> [password-max-days] [password-warn-days] [password-min-days]
To specify the password-warn-days of the Ops user “dallas”, you must also enter the password-max-days. If the password-min-days is omitted, it defaults to 0.
    user-add dallas ops 60 5
The following example specifies only the password-max-days and leaves password-warn-days and password-min-days at the default values.
    user-add dallas ops 45
Tips on Command Usage
This section explains how to get help about CLI commands, how to use the auto-complete feature for entering commands, and provides a list of the cursor movement keys.
Context Sensitive Help
[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, displays a detailed reference.
Auto-completion
Each of the following keys performs auto-completion for the current command line. A subsequent repeat of the key displays possible completions.
● [enter] - Auto-completes a command, checks the syntax, and then executes the command. If a syntax error is found, the offending part of the command line is highlighted and explained.
● [space] - Auto-completes a command, or inserts a space if the command is already resolved.
Navigation Keys
This section lists:
● Cursor movement keys
● Deletion keys
● Escape sequence keys
Table 68 Cursor movement keys
Key | Description
[CTRL-A] | Move to the start of the line.
[CTRL-E] | Move to the end of the line.
[up] | Move to the previous command line held in history.
[down] | Move to the next command line held in history.
[left] | Move the insertion point left one character.
[right] | Move the insertion point right one character.
Table 69 Deletion keys
Key | Description
[CTRL-C] | Delete the entire line.
[CTRL-D] | Delete the character to the right of the insertion point.
[CTRL-K] | Delete all the characters to the right of the insertion point.
[backspace] | Delete the character to the left of the insertion point.
Table 70 Escape sequences
Sequence | Description
!! | Substitute the last command line.
Commands
Commands, arguments and parameters are not case-sensitive. For example, show, SHOW, and Show are all accepted as the same command.
The CLI has several hierarchy levels, which are listed in Table 71.
Table 71 CLI Hierarchy Levels
Mode | Description
Command mode | This is the login hierarchy level. Copy commands, show commands, and most maintenance commands are accessed at this level.
Configuration mode | This is where commands are entered to configure the appliance. Enter configuration mode by typing configure.
Interface configuration mode | This is where the settings are defined for the management, local, and remote interfaces. Enter interface configuration mode from configuration mode.
Policy configuration mode | This is where Layer 2 point-to-point policies are defined, and the ETEP is set for Layer 2 or Layer 3 operation. Enter policy configuration mode from configuration mode.
Network tools mode | This mode provides access to Linux-based network monitoring tools. Enter network tools mode from command mode.
The exit command leaves the current CLI mode and returns to the previous hierarchy level. The top command returns to command mode from any level. Commands are listed in alphabetical order.
autoneg
Description
The autoneg command configures auto-negotiation and flow control on the management, local, and remote ports. Each port is configured independently of the others.
User Type
Administrator and Ops. Ops access is limited to management interface configuration.
Hierarchy Level
Management, local, and remote interface configuration modes.
Syntax
    autoneg {enable} | {disable [<speed>] [<flow-control>]}
Attributes
enable – Enables auto-negotiation on the specified port. This is the default setting.
disable – Disables auto-negotiation on the specified port. Use this setting to manually set the link speed and flow control.
speed – [default | 1000m | 100m-full | 10m-full | 100m-half | 10m-half]
When auto-negotiation is disabled, the speed attribute specifies the link speed and duplex setting. On the management port the speed defaults to 100m-full. On the local and remote ports, the speed of the default setting is hardware dependent: ET0010A = 10m-full, ET0100A = 100m-full, and ET1000A = 1000m.
flow-control – [on | off]
When auto-negotiation is disabled, this attribute configures the flow control setting. The flow control setting defaults to on.
Usage Guidelines
The default setting for the ETEP enables auto-negotiation, which negotiates the link speed, duplex setting, and flow control. Use the autoneg command if the device that the ETEP connects to from a particular port does not support auto-negotiation or flow control. It is important to configure the ETEP and the other device the same way. Both devices should either auto-negotiate or be set manually to the same speed and duplex mode. Having one device set manually and the other auto-negotiate can cause problems that make the link perform slowly. When manually setting the ETEP link speed, configure the speed and duplex mode to match that of the other device. On the management port, the ETEPs support the speeds shown in Table 72.
Table 72 Link speeds on the management port (✓ = supported)
Link speeds: 10 Mbps Half-duplex, 10 Mbps Full-duplex, 100 Mbps Half-duplex, 100 Mbps Full-duplex, 1000 Mbps Full-duplex, 1000 Mbps Half-duplex
Columns: Auto-negotiate (ET0010A) | Auto-negotiate (ET0100A / ET1000A) | Fixed Speed (All ETEPs)
✓ ✓ ✓ ✓ ✓ ✓
✓ ✓ ✓ ✓
✓ ✓ ✓ ✓
On the local and remote ports, the ETEPs support the speeds shown in Table 73.
Table 73 Link speeds on the local and remote ports (✓ = supported)
Link speeds: 10 Mbps Half-duplex, 10 Mbps Full-duplex, 100 Mbps Half-duplex, 100 Mbps Full-duplex, 1000 Mbps Full-duplex
Columns: Auto-negotiate (All ETEPs) | Fixed Speed (ET0010A / ET0100A) | Fixed Speed (ET1000A)
✓ ✓ ✓ ✓ ✓
✓ ✓ ✓ ✓ ✓
NOTE
If you are using copper SFP transceivers, auto-negotiation must be enabled on the ET1000A and on the device that the ET1000A is connecting to. The recommended copper SFP transceivers negotiate only to 1 Gbps, even though they advertise other speeds. See the ETEP Release Notes for a list of recommended transceivers.
Example
The following example disables auto-negotiation on the management port, sets the speed to 100 Mbps full-duplex, and turns on flow control.
    admin> configure
    config> management-interface
    man-if> autoneg disable 100m-full on
The next example restores auto-negotiation on the remote port.
    admin> configure
    config> remote-interface
    rem-if> autoneg enable
backup-policy-set
Description
The backup-policy-set command makes a backup copy of the deployed policies. This command is available when working with IPsec policies on the ETEP management interface and local-site policies.
User Type
Administrator
Hierarchy Level
● ipsec-config mode (config > management-interface > ipsec-config)
● local-site configuration mode (config > policies > local-site-policies)
Syntax
    backup-policy-set
Usage Guidelines
The backup-policy-set command makes a backup copy of the deployed policies. The command’s scope is limited to the configuration mode in which you are operating when the command is issued: it backs up either the management port policies or the local-site policies on the data ports. Before editing any policies, it is a good practice to make a backup copy of the active policies. In the event you want to return to the last known good set of policies after making some changes, you can easily restore from the backup file. The backup file persists through a power cycle.
Related topics:
● “Making a Backup Copy of the Local Site Policy Set” on page 73
● “Backing Up the Policy Set” on page 91
Example
The following example creates a backup copy of the local-site policies.
    config> policies
    policies> local-site-policies
    local-site-policy> backup-policy-set
banner-config
Description
The banner-config command places the ETEP in banner configuration mode.
User Type
Administrator
Hierarchy Level
Configuration mode
Syntax
    banner-config
Example
    config> banner-config
    banner-config>
clear-certificates
Description
The clear-certificates command removes all certificates from the appliance and generates a self-signed certificate.
User Type
Administrator
Hierarchy Level
Management interface configuration mode (config > management-interface)
Syntax
    clear-certificates
Usage Guidelines
You might need to use this command if you want to remove the ETEP from service and use it elsewhere. You might also want to use the clear-policies command. Before you issue this command, you should disable strict authentication. If you clear certificates while strict client authentication is enabled, you can lose the ability to communicate with the appliance from the management workstation. You will be prompted for confirmation before the command executes. This command briefly interrupts communication with the ETEP.
Related topics:
● “clear-policies” on page 133
● “strict-client-authentication” on page 193
Example
The following example clears the certificates that are used on the management port.
    admin> configure
    config> management-interface
    man-if> clear-certificates
clear-known-hosts
Description
The clear-known-hosts command clears the known_hosts list on the ETEP. This list stores the keys used to communicate with an SFTP server.
User Type
Administrator and Ops
Hierarchy Level
Management interface configuration mode (config > management-interface)
Syntax
    clear-known-hosts {<ip>}
Attributes
ip – IP address of the SFTP server. The ETEP accepts IPv4 and IPv6 addresses.
Usage Guidelines
When the ETEP connects to an SFTP server, the two devices exchange keys. The ETEP saves the keys in a known_hosts file, which it references whenever it communicates with that server. If the SFTP server changes for some reason (the operating system was reinstalled, the site changed servers), its keys also change. The ETEP will be unable to communicate with the SFTP server until the known_hosts list is cleared to remove the outdated keys.
Related topic:
● “Management Troubleshooting” on page 104
Example
The following example clears the SSH known hosts file.
    admin> configure
    config> management-interface
    man-if> clear-known-hosts
clear-policies
Description
The clear-policies command replaces the active EncrypTight distributed key policies with a default policy that passes all traffic in the clear.
User Type
Administrator
Hierarchy Level
Policies mode (config > policies)
Syntax
    clear-policies
Usage Guidelines
The clear-policies command clears EncrypTight distributed key policies. It does not affect Layer 2 point-to-point policies, local-site policies, or IPsec policies on the management port. This command removes all encrypt and drop policies currently installed on the ETEP. All traffic is sent in the clear until you create and deploy new policies, or until the policies are rekeyed. You will be prompted for confirmation.
Example
    admin> configure
    config> policies
    policies> clear-policies
clear-policy-set
Description
The clear-policy-set command clears the specified policy files, returning them to their factory state. This command is available when working with IPsec policies on the ETEP management interface and local-site policies.
User Type
Administrator
Hierarchy Level
● ipsec-config mode (config > management-interface > ipsec-config)
● local-site configuration mode (config > policies > local-site-policies)
Syntax
    clear-policy-set {edit | backup | current}
Attributes
edit – Clears the edit session. Pending policy changes are removed.
backup – Clears the backup copy of the policy set.
current – Clears the active policies that are running on the ETEP, pending policies, and the backup policy set. This is the default setting.
Usage Guidelines
The clear-policy-set command clears the specified policy files, returning them to their factory state. The scope of the clear-policy-set command is limited to the configuration mode in which you are operating when the command is issued: it affects either the management port policies or the local-site policies on the data ports. This command does not affect EncrypTight distributed key policies or Layer 2 point-to-point policies. Clearing the current policies removes the active policies that are running on the ETEP, pending policies, and the backup copy of the policy set. Clearing the management port policies removes the policies and then deploys the factory default IKE policy. Clearing the current policies from local-site policy mode removes all local site policies. The edit and backup options remove only the pending policies or backup policy set, respectively. These options do not affect the active, deployed policies. The clear-policy-set command requires confirmation to execute.
Example
    admin> configure
    config> policies
    policies> local-site-policies
    local-site-policy> clear-policy-set backup
cli-inactivity-timer
Description
The cli-inactivity-timer command sets an inactivity timer for the CLI. The timer applies to a CLI session initiated through the serial port or through SSH.
User Type
Administrator
Hierarchy Level
Configuration mode
Syntax
    cli-inactivity-timer {<n>}
Attributes
n – 0–1440 minutes (24 hours)
Usage Guidelines
The CLI session is terminated if no activity is detected on the CLI in a specified amount of time. When the CLI inactivity time-out is set to zero the session does not expire. The inactivity timer is set to 10 minutes by default. Setting the inactivity timer does not affect the current CLI session. The change is effective on all subsequent CLI sessions.
Example
    admin> configure
    config> cli-inactivity-timer 250
configure
Description
The configure command enters configuration mode from command mode.
User Type
Administrator and Ops
Hierarchy Level
Command mode
Syntax
    configure
Example
    admin> configure
    config>
date
Description
The date command sets the ETEP system clock.
User Type
Administrator and Ops
Hierarchy Level
Configuration mode
Syntax
    date {<year> <month> <day> <hour> <minutes> <seconds>}
Attributes
day – 01–31
hour – 00–23
minutes – 00–59
seconds – 00–59
Usage Guidelines
The time zone on the ETEP is set to UTC 0 (Coordinated Universal Time), and is not user configurable. Enter the date and time relative to UTC 0, also referred to as Greenwich Mean Time (GMT). To calculate the local time relative to UTC, add or subtract the offset hours from UTC for the local time zone (UTC ± n). The following examples give the local time at various locations at 12:00 UTC when daylight saving time is not in effect:
● New York City, United States: UTC-5; 07:00
● New Delhi, India: UTC+5:30; 17:30
Rebooting is not required when setting the date and time during initial setup of the ETEP. We recommend rebooting the appliance after changing the date and time under other circumstances. If you are setting the date because of a certificate problem and cannot communicate with the appliance using ETEMS:
● Issue the date command to change the date and time
● Issue the filesystem-reset command after you change the date in order to regenerate a certificate on the ETEP. This is a drastic step that wipes out your existing configuration data and policies, and automatically reboots the appliance. See “filesystem-reset” on page 143 prior to issuing this command.
Example
    admin> configure
    config> date 2008 08 11 15 30 00
debug-shell
Description
The debug-shell command provides access to a number of system files that can be useful when troubleshooting problems with the ETEP. This command is intended for use only by customer support and authorized Black Box personnel. Incorrect use of the debug shell can permanently damage the ETEP file system and render the unit inoperable.
User Type
Administrator
Hierarchy Level
Command mode
Syntax
    debug-shell
Usage Guidelines
The debug shell commands are intended for use only under the direction of customer support personnel. In order to enter the debug shell, FIPS mode must be disabled on the ETEP. To return to command mode from the debug shell, type exit at the debug_shell> prompt.
WARNING
The debug shell supports read and write access to the ETEP file system. Changes to the file system may corrupt critical system components, making the unit inoperable. Do not execute scripts or modify the file system unless directed by Customer Support.
Example
    admin> debug-shell
    debug_shell>
deploy-policy-set Description The deploy-policy-set command deploys policies to the ETEP. This command is available when working with IPsec policies on the ETEP management interface and local-site policies. User Type Administrator Hierarchy Level ●
ipsec-config mode (config > management-interface > ipsec-config)
●
local-site configuration mode (config> policies > local-site-policies)
Syntax deploy-policy-set
Usage Guidelines: The scope of the deploy-policy-set command is limited to the configuration mode in which you are operating when the command is issued: it deploys either the management port policies or the local-site policies on the data ports. Before deploying policies, review the pending policies to make sure they are configured correctly. Pay particular attention to policy priorities, selectors, and IKE peer addresses (where applicable). Use the show-policy-set command to view the active and pending policies. The show-ikeparams command lets you review the global settings used for IKE negotiations in management port policies. If the deployed policies do not behave as expected, you can restore the backup policies to revert to the previously executing set of policies.
Related topic:
● “show-policy-set” on page 189
Example: The following example deploys policies to the ETEP management port.
  config> management-interface
  man-if> ipsec-config
  ipsec-config> deploy-policy-set
dfbit-ignore
Description: The dfbit-ignore command determines whether the ETEP ignores the DF bit in the IP header or acts in accordance with the DF bit setting.
User Type: Administrator
Hierarchy Level: Local interface configuration mode (config > local-interface)
Syntax: dfbit-ignore {on | off}
Attributes:
on – The ETEP ignores the DF bit in the IP header and fragments outbound packets larger than the MTU of the system. When the reassembly command is set to gateway, the ETEP sets dfbit-ignore to on. This is the default setting.
off – The ETEP acts in accordance with the DF bit setting in the IP header.
Usage Guidelines: When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to ignore the “do not fragment” (DF) bit in the IP header and fragment outbound packets that exceed the MTU of the system. This setting should be used under the following conditions:
● Reassembly mode is set to gateway
● ICMP is blocked at the firewall
● Path MTU (PMTU) discovery isn’t working
A symptom of a PMTU problem is that the network operates normally when traffic passes in the clear but loses packets when encryption is turned on: the encryption header pushes packets that were just under the path MTU over it. You can override the default behavior by setting dfbit-ignore to off on the local port. The ETEP will then discard packets in which the DF bit is set and the packet length, including the encryption header, exceeds the PMTU.
Related topic:
● “reassembly” on page 181
Example: The following example overrides the default (on) and configures the ETEP to honor the DF bit on the local port.
  admin> configure
  config> local-interface
  loc-if> dfbit-ignore off
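The following Python model is an added example, not code from this guide or from Black Box. It encodes the dfbit-ignore decision described above and reproduces the PMTU symptom (traffic passes in the clear, is lost once encryption is on). The 1500-byte MTU and the 58-byte encryption overhead are assumptions for illustration; the guide gives no overhead figure and the real value depends on the policy.

```python
"""Added example; not part of the ETEP CLI guide or the EncrypTight software.
Models what the ETEP does with an outbound packet under dfbit-ignore on/off
and shows the PMTU symptom the guide describes.  The overhead figure below is
an assumption: the guide does not state the per-packet encryption overhead."""
from dataclasses import dataclass

ENCRYPTION_OVERHEAD = 58   # assumed: outer IPv4 header + ESP header/trailer/ICV
DF_FLAG = 0x4000           # IPv4 flags field, "don't fragment" bit


@dataclass
class Packet:
    length: int    # total IPv4 length in bytes before encryption
    flags: int = 0  # IPv4 flags field


def outbound_action(pkt, mtu, dfbit_ignore=True, overhead=ENCRYPTION_OVERHEAD):
    """Decide what happens to one outbound packet on the local port.

    'forward'  - still fits in the MTU once the encryption header is added
    'fragment' - too big, and either DF is clear or dfbit-ignore is on
    'discard'  - too big, DF set, dfbit-ignore off (the guide's off behaviour)
    """
    if pkt.length + overhead <= mtu:
        return "forward"
    if dfbit_ignore or not pkt.flags & DF_FLAG:
        return "fragment"
    return "discard"


def largest_clear_length(mtu, overhead=ENCRYPTION_OVERHEAD):
    """Largest pre-encryption packet that still fits one MTU-sized frame."""
    return mtu - overhead


def lost_when_encrypted(lengths, mtu, dfbit_ignore, overhead=ENCRYPTION_OVERHEAD):
    """The PMTU symptom: DF-set packets that traverse in the clear (length <= MTU)
    but are discarded once encryption adds its header.  Returns those lengths."""
    return [n for n in lengths
            if n <= mtu
            and outbound_action(Packet(n, DF_FLAG), mtu, dfbit_ignore, overhead) == "discard"]


if __name__ == "__main__":
    # Constructed sample: DF-set packets of several sizes crossing a 1500-byte path.
    sizes = [576, 1400, 1442, 1443, 1500]
    print("largest packet that fits:", largest_clear_length(1500))
    print("dfbit-ignore off, lost:", lost_when_encrypted(sizes, 1500, dfbit_ignore=False))
    print("dfbit-ignore on,  lost:", lost_when_encrypted(sizes, 1500, dfbit_ignore=True))
```

With dfbit-ignore off, every DF-set packet above mtu minus overhead is silently discarded on the encryptor, which is exactly the "works in the clear, drops when encrypted" pattern; with dfbit-ignore on the same packets are fragmented instead, at the cost of reassembly on the far side.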
dhcprelay
Description: The dhcprelay command allows DHCP clients on the local port subnet to access a DHCP server that is on a different subnet. The DHCP relay feature is applicable in Layer 3 IP networks.
User Type: Administrator
Hierarchy Level: Local interface configuration mode (config > local-interface)
Syntax: dhcprelay {enable <ipAddress> | disable}
Attributes:
enable – Enables the DHCP relay feature on the ETEP.
ipAddress – Sets a unicast IP host address for use by the ETEP. This is the IP address of the DHCP server.
disable – Disables the DHCP relay feature. This is the default setting.
Usage Guidelines: The dhcprelay command needs to be enabled only on ETEPs that have DHCP clients on the local port that require access to a DHCP server on a different subnet from those clients (see Figure 23). This feature is not needed when DHCP servers or relay agents are on the same local network as the DHCP clients, nor on the ETEP at the remote site where the DHCP server is located.
Figure 23: DHCP Relay allows local clients to access a DHCP server on a remote subnet
Local and remote port IP addresses are required for proper DHCP Relay Agent behavior. In order to use local and remote port IP addresses, the ETEP must be operating in non-transparent mode. Complete the following steps to use the DHCP relay feature:
1 Assign local and remote port IP addresses to the ETEP, using the ip command.
2 Disable transparent mode operation, using the transparent-mode-enable command.
3 Configure the DHCP relay feature on the ETEP.
Related topics:
● “ip” on page 148
● “transparent-mode-enable” on page 196
Example: The following example assigns local and remote port IP addresses to the ETEP, disables transparent mode, and then enables the dhcprelay command, specifying 10.168.67.55 as the DHCP server address.
  admin> configure
  config> remote-interface
  rem-if> ip 192.168.1.145 255.255.192.0 192.168.1.1
  rem-if> exit
  config> local-interface
  loc-if> ip 192.168.1.125 255.255.192.0
  loc-if> exit
  config> transparent-mode-enable false
  config> local-interface
  loc-if> dhcprelay enable 10.168.67.55
disable-trusted-hosts
Description: The disable-trusted-hosts command disables the trusted host list on the ETEP. Its primary purpose is to restore ETEMS’s ability to communicate with the ETEP if the management workstation IP address has been entered incorrectly in the trusted host list.
User Type: Administrator and Ops
Hierarchy Level: Configuration mode
Syntax: disable-trusted-hosts
Usage Guidelines: When the trusted host feature is enabled on the ETEP, packets received from non-trusted hosts are discarded. The feature is enabled and configured using ETEMS. When the trusted host feature is enabled, the ETEMS management station must be included in the trusted host list. If you enter the management station IP address incorrectly, ETEMS is unable to communicate with the ETEP. The disable-trusted-hosts command disables the trusted host list on the ETEP, allowing it to be managed from ETEMS again. While the list is disabled the management port no longer discards packets from untrusted hosts, so correct the list and re-enable the feature from ETEMS as soon as management access is restored.
Example
  admin> configure
  config> disable-trusted-hosts
exit
Description: The exit command exits the current CLI mode and returns to the previous hierarchy level. From the top level, the exit command logs out of the CLI.
User Type: Administrator and Ops
Hierarchy Level: All
Syntax: exit
filesystem-download
Description: The filesystem-download command installs a new software image on the appliance and resets the appliance to the default settings associated with the new software image. The previous appliance configuration, passwords, throughput licenses, certificates, and policies are removed. The new software image replaces the previous file system image and the previous backup image. The old backup image is overwritten with a duplicate copy of the new software image and default settings.
User Type: Administrator
Hierarchy Level: Command mode
Syntax: filesystem-download {<ftpIP> <ftpPath> <ftpUser> <ftpPassword>} [<ftpSecure>]
Attributes:
ftpIP - IP address of the FTP host. The command accepts IPv4 and IPv6 addresses.
ftpPath - The path and directory name of the software image on the FTP server. Enter the directory relative to the root FTP directory; do not enter the entire path.
ftpUser - User ID of a user on the FTP host.
ftpPassword - FTP user’s password.
ftpSecure - [ftp | sftp] Defines the file transfer protocol. The default value is ftp, in which the image and the FTP credentials are transferred unencrypted. sftp secures the file transfer with SSH encryption; prefer it unless the FTP server is reachable only over a trusted network.
Usage Guidelines: Do not use the following invalid characters in the FTP user name or password: @ : ? # < > &
After issuing the command, you will be prompted to confirm that you want to continue. Type yes to continue or no to cancel. This command automatically reboots the appliance. Upon reboot, you will need to reset the management IP address in order to manage the appliance. You will also need to re-enter the throughput license. All traffic will pass in the clear until new security policies are deployed to the appliance, so schedule the download for a window in which unencrypted traffic on the data path is acceptable, or take the data path out of service first. The ETEP generates a new self-signed certificate after the reboot, so any trust the management station placed in the previous certificate no longer applies.
Related topic:
● “Restoring the Factory Configuration” on page 100.
Example
  admin> filesystem-download 10.168.1.3 etep MyftpName MyftpPassword
  ATTENTION: You have issued a service affecting file system reset command.
  WARNING: Performing this command will wipe out all configuration data as well as policies, logs and certificates. The appliance will be reset to factory defaults. After the automatic reboot, you will need to reset the management ip address via the command line. All traffic will pass in the clear until new encryption policies are deployed to the appliance.
  ARE YOU SURE YOU WANT TO CONTINUE? (enter 'yes' to confirm) > yes
filesystem-reset
Description: The filesystem-reset command restores the factory image on the appliance without installing a new software version. The previous appliance configuration, passwords, throughput licenses, certificates, and policies are removed. The factory image is also saved as the backup file system, overwriting any previous backup image that was stored on the ETEP.
User Type: Administrator
Hierarchy Level: Command mode
Syntax: filesystem-reset
Usage Guidelines: The file system image stored on the appliance is updated each time you perform a software upgrade. The filesystem-reset command restores the image that was most recently installed on the appliance, which is not necessarily the original software version that was loaded on your appliance at the factory. After issuing the command, you will be prompted to confirm that you want to continue. Type yes to continue or no to cancel. This command automatically reboots the appliance. Upon reboot, you will need to reset the management IP address in order to manage the appliance. You will also need to re-enter the throughput license. All traffic will pass in the clear until new security policies are deployed to the appliance. The ETEP generates a new self-signed certificate after the reboot.
Related topic:
● “Restoring the Factory Configuration” on page 100.
Example
  admin> filesystem-reset
  ATTENTION: You have issued a service affecting file system reset command.
  WARNING: Performing this command will wipe out all configuration data as well as policies, logs and certificates. The appliance will be reset to factory defaults. After the automatic reboot, you will need to reset the management ip address via the command line. All traffic will pass in the clear until new encryption policies are deployed to the appliance.
  ARE YOU SURE YOU WANT TO CONTINUE? (enter 'yes' to confirm) > yes
fips-mode-enable
Description: The fips-mode-enable command enables and disables FIPS mode on the ETEP.
User Type: Administrator
Hierarchy Level: Configuration mode
Syntax: fips-mode-enable {true | false}
Usage Guidelines: When operating in FIPS mode, the ETEP must be configured to use FIPS-approved encryption and authentication algorithms. The ETEP prevents entry into FIPS mode when any of the following conditions are true:
● EncrypTight distributed key policies are installed that use non-FIPS-approved algorithms
● IKE policies are configured on the management port interface that use non-FIPS-approved algorithms
● Manual key policies are installed on the management port interface
● SNMPv3 configuration uses cryptography for SNMP trap hosts, but no IPsec policy has been configured to protect the SNMP traffic for each specific trap host
● The debug shell is in use
● Strict client authentication is enabled on the management port
Placing the ETEP in a FIPS-compliant configuration can take several minutes. When putting the ETEP in FIPS mode, the ETEP performs the following actions and self-tests:
● Runs self-tests during the boot process and when entering FIPS mode that include cryptographic algorithm tests, firmware integrity tests, and critical function tests
● Performs a software integrity test
● Clears pre-existing policies and keys
● Generates a new self-signed certificate on the management interface
● Removes all externally signed certificates
● Resets passwords to the factory defaults
● Closes remote SSH client sessions
Because entering FIPS mode resets the passwords to the factory defaults, change them again as soon as you log back in, and have replacement certificates and policies ready to install before you begin. When FIPS is disabled, the existing policies continue to run until they are replaced or deleted. The current SSH session is terminated. See “FIPS 140-2 Level 2 Operation” on page 121 for more information about FIPS mode.
Example
  admin> configure
  config> fips-mode-enable true
help
Description: The help command displays the CLI help text.
User Type: Administrator and Ops
Hierarchy Level: All
Syntax: help
ike-params-set
Description: The ike-params-set command enters IKE parameters configuration mode on the management interface. From here you can define the global Phase 1 and Phase 2 negotiation settings used in IKE encryption policies. These settings are applied to all IKE encryption policies that are configured on the management port.
User Type: Administrator
Hierarchy Level: IPsec configuration mode on the management interface (config > management-interface > ipsec-config)
Syntax: ike-params-set
Example
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
ike-sa-dh-group
Description: The ike-sa-dh-group command specifies the Diffie-Hellman group to use for Phase 1 ISAKMP communications in IPsec management policies.
User Type: Administrator
Hierarchy Level: ike-params-set mode (config > management-interface > ipsec-config > ike-params-set)
Syntax: ike-sa-dh-group {<DH-group-ID>}
Attributes:
DH-group-ID - {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18} The Diffie-Hellman group ID. The default value is 2.
Usage Guidelines: The Diffie-Hellman group ID defines the strength of the Diffie-Hellman exchange from which the peers later derive their keys. Group 1 is the least secure and least computationally demanding. Group 18 provides the highest level of security and also involves the most processing. The Diffie-Hellman group ID is a global setting that will be used in all IKE encryption policies on the ETEP management port; both peers must be configured with a group they have in common.
Related topic:
● “Configuring Global Settings for IKE Negotiations” on page 79
Example: The following example specifies the use of Diffie-Hellman group 5.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set> ike-sa-dh-group 5
ike-sa-lifetime
Description: The ike-sa-lifetime command specifies the SA lifetime to use for Phase 1 ISAKMP communications in IKE policies on the management port.
User Type: Administrator
Hierarchy Level: ike-params-set mode (config > management-interface > ipsec-config > ike-params-set)
Syntax: ike-sa-lifetime {<lifetime>}
Attributes:
lifetime - IKE Phase 1 SA lifetime in seconds. Valid values are 3600-31536000 seconds. The default is 86400 (1 day).
Usage Guidelines: The IKE Phase 1 lifetime specifies the interval after which an SA must be replaced with a new SA or terminated. When an IKE Phase 1 SA expires, packets are dropped until a new Phase 1 SA is renegotiated. Longer lifetimes require less frequent renegotiations and result in fewer dropped packets, but they also keep the same Phase 1 keying material in use for longer; choose a value that balances the two. The IKE SA lifetime is a global setting that will be used in all IKE encryption policies on the ETEP management port.
Related topic:
● “Configuring Global Settings for IKE Negotiations” on page 79
Example: The following example specifies an IKE Phase 1 SA lifetime of 43,200 seconds (12 hours).
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set> ike-sa-lifetime 43200
ike-sa-presharedkey
Description: The ike-sa-presharedkey command specifies the preshared key to be used for IKE negotiations on the management port.
User Type: Administrator
Hierarchy Level: ike-params-set mode (config > management-interface > ipsec-config > ike-params-set)
Syntax: ike-sa-presharedkey {<key-value>}
Attributes:
key-value - The preshared key is a case-sensitive alphanumeric string from 8-255 characters in length. The default key value is 01234567.
Usage Guidelines: The ike-sa-presharedkey command supplies the preshared key that will be used to create the security association in an IKE encryption policy on the management port. The ETEP uses preshared keys to authenticate the identities of the communicating parties during IKE Phase 1 negotiation. The identical key value must be used by both peers. Note the following conventions when creating a preshared key:
● The key is a case-sensitive alphanumeric string from 1-255 characters in length. A minimum of 8 characters is recommended.
● Upper and lower alpha characters, and numbers 0-9 are allowed
● The following special characters are not allowed: # & ( ) | " ; < > ?
The IKE preshared key is a global setting that will be used in all IKE encryption policies on the ETEP management port. The default key is printed in this guide and is the same on every ETEP, so replace it with a long random value before deploying policies.
Related topic:
● “Configuring Global Settings for IKE Negotiations” on page 79
Example: The following example sets the preshared key to be used in IKE policies on the management port.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set> ike-sa-presharedkey M1$har3dK3y
ip
Description: The ip command sets an IPv4 address, subnet mask, and default gateway for the interface being configured. On the management interface, the command is always available. On the local and remote interfaces, the ip command is used when the ETEP is operating in non-transparent mode, that is, when the transparent-mode-enable command is set to false.
User Type: Administrator and Ops. Ops access is limited to management interface configuration.
Hierarchy Level: Management, local, and remote interface configuration modes
Syntax: ip {<ip address> <subnet mask>} [gateway]
Attributes:
ip address - IPv4 address in dotted decimal notation.
subnet mask - The management interface mask must be entered in dotted decimal notation.
gateway - On the management port, the gateway specifies how to route traffic between the ETEP management port and the management station and/or other EncrypTight components such as the key generation platform or time service. When these other devices are on a different subnet than the management port, specify the IP address of the router’s local port on the same subnet as the ETEP management port. If the devices are on the same subnet as the management port, you do not have to enter a default gateway, although it is good practice to do so.
On the remote and local ports, the default gateway IP address is used when the ETEP is in a routed network. If the ETEPs are in the same subnet with no routers between them, you may leave the default gateway field blank. The ETEP determines whether the packet destination is on the same subnet as the port, and if so, uses ARP to resolve the destination MAC address. If the packet destination IP address is on a different subnet, the ETEP sends the packet to the designated default gateway.
Usage Guidelines: The management port must have an assigned IP address in order to be managed remotely and communicate with other devices. An IPv4 management port address is mandatory, even when the ETEP is operating in an IPv6 network. When the ETEP is operating in an IPv6 network, configure the ETEP for dual-homed operation by assigning IPv4 and IPv6 addresses to the management port. The local and remote ports require IP addresses, masks, and gateways only when transparent mode is disabled on the ETEP. The remote port connects the ETEP to an untrusted network, which is typically a WAN, campus LAN, or MAN. The local port IP address identifies the ETEP to the device on the local side of the network, such as a server or a switch. When operating in non-transparent mode, first configure the ip command on the local and remote interfaces, and then set the transparent-mode-enable command to false. If you change the remote IP address on an ETEP that is already deployed in an EncrypTight policy, you must redeploy your policies after the new configuration is pushed to the appliance.
Related topics:
● “Configuring the Management Port” on page 36
● “ip6” on page 150
● “transparent-mode-enable” on page 196
Example: This example enters management interface configuration mode, sets the management IP address, mask, and gateway, and then exits to command mode.
  admin> configure
  config> management-interface
  man-if> ip 192.168.1.224 255.255.192.0 192.168.1.1
  man-if> top
  admin>
ip6
Description: The ip6 command sets an IPv6 address and default gateway for the management interface.
User Type: Administrator and Ops
Hierarchy Level: Management configuration mode (config > management-interface)
Syntax: ip6 {<ip address>/<prefix-length>} [gateway]
Attributes:
ip address - IPv6 address of the ETEP management port. This is a 128-bit address consisting of eight hexadecimal groups separated by colons. Each group is a 4-digit hexadecimal number. The hexadecimal letters in IPv6 addresses are not case sensitive.
prefix-length - A decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address. The decimal value is preceded by a forward slash (/).
gateway - IPv6 address of the router port that is on the same local network as the ETEP management port.
Usage Guidelines: The management port must have an assigned IP address in order to be managed remotely and communicate with other devices. An IPv4 address is mandatory, even when the ETEP is operating in an IPv6 network. When the ETEP is operating in an IPv6 network, configure the ETEP for dual-homed operation by assigning an IPv4 and an IPv6 address to the management port. IPv6 addresses are typically composed of two logical parts: a network prefix (a block of address space, like an IPv4 subnet mask), and a host part. The following is an example of an IPv6 address with a 64-bit prefix: 2001:0DB8:0000:0000:0211:11FF:FE58:0743/64
IPv6 representation can be simplified by removing the leading zeros in any of the hexadecimal groups. Trailing zeroes may not be removed. Each group must include at least one digit.
IPv6 addresses often contain consecutive groups of zeros. To further simplify address entry, you can use two colons (::) to represent the consecutive groups of zeros when typing the IPv6 address. You can use two colons (::) only once in an IPv6 address.
Table 74: IPv6 address representations
Address Format                                              Address Representation
Full format                                                 2001:0DB8:0000:0000:0211:11FF:FE58:0743
Leading zeroes dropped                                      2001:DB8:0:0:211:11FF:FE58:743
Compressed format (two colons) with leading zeroes dropped  2001:DB8::211:11FF:FE58:743
Related topics:
● “Configuring the Management Port” on page 36
● “ip” on page 148
Example: This example enters management interface configuration mode, sets an IPv6 address with a 64-bit prefix and default gateway on the management port, and then exits to command mode.
  admin> configure
  config> management-interface
  man-if> ip6 2001:DB8::211:11FF:FE58:743/64 2001:DB8::20F:F7FF:FE84:BFC2
  man-if> top
  admin>
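An added example, not code from this guide or from the EncrypTight software, that checks ip6 arguments with Python's standard ipaddress module before they are typed at the man-if> prompt: it derives the three Table 74 forms of an address, confirms they name one address, rejects a second :: or a missing prefix length, and rejects a gateway that does not sit inside the management port's prefix (the guide describes the gateway as the router port on the same local network). The addresses are the guide's own; the function names are this example's.

```python
"""Added example; not part of the ETEP CLI guide or the EncrypTight software.
Validates and renders the arguments of the ip6 command using only the
standard library.  The rule that the gateway must lie inside the management
port's prefix follows the guide's description of the gateway attribute."""
import ipaddress


def canonical_forms(text):
    """Return the three representations Table 74 lists for one IPv6 address:
    (full, leading zeroes dropped, compressed with '::')."""
    addr = ipaddress.IPv6Address(text)
    full = addr.exploded.upper()
    # Drop leading zeroes per group, but keep one digit per group as the guide requires.
    no_leading = ":".join(group.lstrip("0") or "0" for group in full.split(":"))
    return full, no_leading, addr.compressed.upper()


def same_address(a, b):
    """True when two textual forms name the same 128-bit address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def build_ip6_command(address_with_prefix, gateway=None):
    """Validate and render 'ip6 <address>/<prefix-length> [gateway]'.

    IPv6Interface rejects a second '::', an empty group or a bad prefix; the
    explicit checks below cover a missing prefix and a gateway off the prefix.
    """
    if "/" not in address_with_prefix:
        raise ValueError("prefix length is required, for example /64")
    iface = ipaddress.IPv6Interface(address_with_prefix)
    parts = ["ip6", f"{iface.ip.compressed.upper()}/{iface.network.prefixlen}"]
    if gateway is not None:
        gw = ipaddress.IPv6Address(gateway)
        if gw not in iface.network:
            raise ValueError(f"gateway {gw.compressed} is not inside {iface.network}")
        parts.append(gw.compressed.upper())
    return " ".join(parts)


def ip6_problem(address_with_prefix, gateway=None):
    """Return the validation error text, or None when the arguments are acceptable."""
    try:
        build_ip6_command(address_with_prefix, gateway)
    except ValueError as exc:  # AddressValueError/NetmaskValueError derive from ValueError
        return str(exc)
    return None


if __name__ == "__main__":
    print(canonical_forms("2001:DB8::211:11FF:FE58:743"))
    print(build_ip6_command("2001:DB8::211:11FF:FE58:743/64", "2001:DB8::20F:F7FF:FE84:BFC2"))
    print(ip6_problem("2001:DB8::211:11FF:FE58:743/64", "2001:DB8:1::1"))
```

Running the checks off-box avoids a failed ip6 entry on a management port that may be your only path to the appliance.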
ipsec-config
Description: The ipsec-config command enters IPsec configuration mode from management interface configuration mode. From here you can access commands for creating and managing IPsec policies on the management interface.
User Type: Administrator
Hierarchy Level: Management interface configuration mode (config > management-interface)
Syntax: ipsec-config
Example
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config>
ipsec-sa-lifetime
Description: The ipsec-sa-lifetime command defines the lifetime in seconds of the IPsec Phase 2 security association (SA) in IKE policies on the management port.
User Type: Administrator
Hierarchy Level: ike-params-set mode (config > management-interface > ipsec-config > ike-params-set)
Syntax: ipsec-sa-lifetime {<lifetime>}
Attributes:
lifetime - SA lifetime in seconds. Valid values are 3600-31536000 seconds. The default is 28800 (8 hours).
Usage Guidelines: The IPsec SA lifetime is the interval after which an SA must be replaced with a new SA or terminated. This is a global setting that will be used in all IKE encryption policies on the ETEP management port.
Related topic:
● “Configuring Global Settings for IKE Negotiations” on page 79
Example: This example sets the IPsec Phase 2 SA lifetime to 7200 seconds (2 hours).
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set> ipsec-sa-lifetime 7200
ipsec-sa-pfs
Description: The ipsec-sa-pfs command configures the Diffie-Hellman group ID used when perfect forward secrecy (PFS) is enabled. This command applies to IKE policies on the management interface.
User Type: Administrator
Hierarchy Level: ike-params-set mode (config > management-interface > ipsec-config > ike-params-set)
Syntax: ipsec-sa-pfs {<PFS-group-ID>}
Attributes:
PFS-group-ID - {none | 1 | 2 | 5 | 14 | 15 | 16 | 17 | 18} The default Diffie-Hellman group ID is 2.
Usage Guidelines: With perfect forward secrecy (PFS), every time encryption or authentication keys are computed, a new Diffie-Hellman key exchange is included, so the compromise of one set of keys does not expose the keys negotiated before or after it. Group 1 is the least secure and least computationally demanding. Group 18 provides the highest level of security and also involves the most processing. Setting the PFS-group-ID to none disables perfect forward secrecy. This is a global setting that will be used in all IKE encryption policies on the ETEP management port.
Related topic:
● “Configuring Global Settings for IKE Negotiations” on page 79
Example: The following example disables PFS.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> ike-params-set
  ike-params-set> ipsec-sa-pfs none
ipv6Traffic
Description: The ipv6Traffic command determines how the ETEP handles IPv6 packets on the data path.
User Type: Administrator
Hierarchy Level: Policies mode (config > policies)
Syntax: ipv6Traffic {clear | discard}
Attributes:
clear - IPv6 packets are passed in the clear. This is the default setting.
discard - IPv6 packets are discarded.
Usage Guidelines: Layer 3 encryption policies support only IPv4 traffic. The ipv6Traffic command determines how the ETEP handles any IPv6 packets that it receives on its local and remote ports. The ETEP can either pass the IPv6 packets in the clear or discard them. This setting applies only when the ETEP is configured for Layer 3 operation. Because the default passes IPv6 unencrypted across the untrusted network, set discard unless clear-text IPv6 traffic is expected and acceptable.
Related topic:
● “IPv6 Traffic Handling” on page 50
Example: This example configures the ETEP to discard IPv6 traffic.
  admin> configure
  config> policies
  policies> ipv6Traffic discard
layer2-p2p
Description: The layer2-p2p command defines a Layer 2 point-to-point policy. This command is used in conjunction with the policy-mode command to configure the ETEP to operate as a Layer 2 point-to-point encryptor using negotiated keys.
User Type: Administrator
Hierarchy Level: Policies mode (config > policies)
Syntax: layer2-p2p {<traffic-handling>} [<role>] [<auth-method>] [<preshared-key>] [<group-id>]
Attributes:
traffic-handling - {encrypt | clear | discard} Defines the method of processing packets. The default value is encrypt.
role - {primary | secondary} When the traffic-handling attribute is set to encrypt, the ETEP uses the role to negotiate SAs with its peer. One of the ETEPs must be assigned the primary role and the other the secondary role. The role is not used when traffic-handling is set to clear or discard.
auth-method - preshared-key The authentication method used in Layer 2 point-to-point policies is preshared keys.
preshared-key - The preshared key is a case-sensitive alphanumeric string from 8-255 characters in length. Valid characters are upper and lower alpha characters, and numbers 0-9. All special characters are allowed except the following: ? " { } [ ] ( ) = \ < > & and #. To include a space, enclose the key in double quotes. The default key value is 01234567.
group-id - Valid group ID values range from 0-9. The default value is 0.
Usage Guidelines: Consider the following when configuring a Layer 2 point-to-point policy:
● When traffic-handling is set to clear or discard, no other parameters are required. Role, auth-method, preshared-key, and group-id apply only to encrypted traffic.
● When the traffic-handling attribute is set to encrypt, one of the ETEPs must be assigned the primary role and the other the secondary role. The appliance role is used in the process of establishing security associations (SAs) between a pair of ETEPs.
● Both ETEPs must use the same preshared key and group ID.
● The policy does not take effect until the policy-mode command has been configured for Layer 2 point-to-point operation.
The ETEP uses preshared keys to authenticate the identities of the communicating parties during IKE Phase 1 negotiation. The ETEPs use IKE negotiations to establish security associations (SAs) between peer appliances. In a point-to-point network, the two ETEPs must be configured with the same group ID in order to communicate properly with each other. If you are using only one pair of ETEPs in the same subnet you can use the default group ID. If more than one pair of ETEPs is used within the same Layer 2 network, the group ID isolates the traffic of one pair of ETEPs from any other pair. Each appliance can belong to only one group. The group ID is a single digit that separates traffic; it is not a secret, so give each pair its own preshared key.
Example: The first example configures the ETEP to encrypt all traffic, assigns the secondary role to the ETEP, defines a preshared key, and sets the group ID to 0.
  policies> layer2-p2p encrypt secondary preshared-key myPr3Shar3dK3y 0
The next example configures the ETEP to pass all traffic in the clear.
  policies> layer2-p2p clear
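The following Python helper is an added example covering the ike-sa-dh-group, ike-sa-lifetime, ike-sa-presharedkey, ipsec-sa-lifetime and ipsec-sa-pfs entries above and the layer2-p2p preshared key; it is not code from this guide or from Black Box. It checks proposed values against the ranges and forbidden-character lists those entries document, flags settings the appliance accepts but a security review would question, and renders the command lines for the ike-params-set> prompt. The function names and the "ike"/"layer2" profile labels are assumptions of this example; the defaults are the guide's.

```python
"""Added example; not part of the ETEP CLI guide or the EncrypTight software.
Validates the global IKE settings for the management port against the ranges
the guide documents and renders the ike-params-set command sequence.  The
profile labels "ike" and "layer2" are this example's own names for the two
preshared-key character rules the guide gives."""

DH_GROUPS = (1, 2, 5, 14, 15, 16, 17, 18)   # ike-sa-dh-group and ipsec-sa-pfs
LIFETIME_SECONDS = (3600, 31536000)         # ike-sa-lifetime and ipsec-sa-lifetime
DEFAULT_PSK = "01234567"                    # documented factory default

# Characters each command rejects in a preshared key, from the guide.
PSK_FORBIDDEN = {
    "ike": set('#&()|";<>?'),          # ike-sa-presharedkey
    "layer2": set('?"{}[]()=\\<>&#'),  # layer2-p2p preshared-key
}


def validate_psk(key, profile="ike"):
    """Return the problems with a preshared key; an empty list means acceptable."""
    problems = []
    if not 8 <= len(key) <= 255:
        problems.append("length must be 8-255 characters")
    forbidden = sorted(set(key) & PSK_FORBIDDEN[profile])
    if forbidden:
        problems.append("forbidden characters: " + " ".join(forbidden))
    if key == DEFAULT_PSK:
        problems.append("default key still in use")
    return problems


def validate_ike_params(dh_group=2, ike_lifetime=86400,
                        ipsec_lifetime=28800, pfs_group=2, psk=None):
    """Return the problems with a set of ike-params-set values (defaults are the guide's)."""
    problems = []
    groups = " ".join(str(g) for g in DH_GROUPS)
    if dh_group not in DH_GROUPS:
        problems.append(f"ike-sa-dh-group must be one of {groups}")
    if pfs_group != "none" and pfs_group not in DH_GROUPS:
        problems.append(f"ipsec-sa-pfs must be none or one of {groups}")
    low, high = LIFETIME_SECONDS
    for name, value in (("ike-sa-lifetime", ike_lifetime),
                        ("ipsec-sa-lifetime", ipsec_lifetime)):
        if not low <= value <= high:
            problems.append(f"{name} must be {low}-{high} seconds")
    if psk is not None:
        problems += ["ike-sa-presharedkey: " + p for p in validate_psk(psk, "ike")]
    return problems


def review_ike_params(dh_group=2, pfs_group=2, psk=None):
    """Settings the appliance accepts but a security review would still flag."""
    notes = []
    if dh_group in (1, 2):
        bits = 768 if dh_group == 1 else 1024
        notes.append(f"DH group {dh_group} ({bits}-bit MODP) is weak; prefer group 14 or higher")
    if pfs_group == "none":
        notes.append("PFS disabled: compromise of the Phase 1 keying material exposes every Phase 2 key")
    if psk is None or psk == DEFAULT_PSK:
        notes.append("preshared key is the published default")
    return notes


def ike_params_commands(dh_group=2, ike_lifetime=86400,
                        ipsec_lifetime=28800, pfs_group=2, psk=None):
    """Render the lines to type from admin> down to ike-params-set>.
    Raises ValueError if validate_ike_params() reports a problem."""
    problems = validate_ike_params(dh_group, ike_lifetime, ipsec_lifetime, pfs_group, psk)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "configure",
        "management-interface",
        "ipsec-config",
        "ike-params-set",
        f"ike-sa-dh-group {dh_group}",
        f"ike-sa-lifetime {ike_lifetime}",
        f"ipsec-sa-lifetime {ipsec_lifetime}",
        f"ipsec-sa-pfs {pfs_group}",
    ]
    if psk is not None:
        lines.append(f"ike-sa-presharedkey {psk}")
    return lines


if __name__ == "__main__":
    settings = dict(dh_group=14, ike_lifetime=43200, ipsec_lifetime=7200,
                    pfs_group=14, psk="M1$har3dK3y")
    for note in review_ike_params(settings["dh_group"], settings["pfs_group"], settings["psk"]):
        print("review:", note)
    print("\n".join(ike_params_commands(**settings)))
```

The validation only repeats what the appliance would reject; the review function is where the value is, since the guide's defaults (group 2, PFS group 2, the printed preshared key) all pass validation but none should survive a deployment review.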
license
Description: The license command enables the appropriate throughput speed on the ETEP.
User Type: Administrator
Hierarchy Level: Configuration mode
Syntax: license {<string>}
Attributes:
string - The license provided by Black Box. The license is case-sensitive.
Usage Guidelines: The license command is applicable only to ETEPs that are managed from the command line. In EncrypTight deployments, licenses must be managed from the EncrypTight software. Licenses control the ETEP throughput speed. Each ETEP is capable of transmitting traffic at a range of speeds that varies by model. When you install the license you purchased, ETEPs transmit traffic at the speed specified by the license. You need to install a license on each ETEP that you use. Licenses are linked to the serial number of the ETEP on which they are installed. You cannot install a license intended for one ETEP on a different ETEP.
Related topic:
● “Entering the Throughput License” on page 40
Example: The following example adds a 10 Mbps license to the ET0010A.
  admin> configure
  config> license 1:0:0508C482:10:258482fab2
local-interface
Description: The local-interface command enters local interface configuration mode.
User Type: Administrator
Hierarchy Level: Configuration mode
Syntax: local-interface
Example
  config> local-interface
  loc-if>
local-site-policies
Description: The local-site-policies command enters local-site policy configuration mode from policies configuration mode. From here you can access commands for creating and managing local-site policies on the remote and local interfaces.
User Type: Administrator
Hierarchy Level: Policies mode (config > policies)
Syntax: local-site-policies
Usage Guidelines: Local site policies cannot be created or deployed when the ETEP is configured for Layer 2 stand-alone operation as described in “Creating Layer 2 Point-to-Point Policies” on page 57.
Example
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy>
logon-banner-enable
Description: The logon-banner-enable command enables and disables the logon banner.
User Type: Administrator
Hierarchy Level: Banner-config mode (config > banner-config)
Syntax: logon-banner-enable {true | false}
Usage Guidelines: The logon banner appears after a successful login to the CLI and the EncrypTight application. The banner is disabled by default. The banner contains the standard US Department of Defense logon banner text. The text cannot be modified or replaced.
Example: The following example enables the logon banner.
  admin> configure
  config> banner-config
  banner-config> logon-banner-enable true
management-interface
Description: The management-interface command enters management interface configuration mode.
User Type: Administrator and Ops
Hierarchy Level: Configuration mode
Syntax: management-interface
Example
  config> management-interface
  man-if>
network-tools

Description: The network-tools command enters network-tools mode. The commands available from network-tools mode are basic Linux commands and use Linux syntax.
User Type: Administrator and Ops
Hierarchy Level: Command mode
Syntax: network-tools
Example:
  admin> network-tools
  network-tools>
password

Description: The password command allows a user to modify his or her own password.
User Type: Administrator and Ops
Hierarchy Level: Command mode
Syntax: password
Usage Guidelines: Users can modify their own passwords to maintain account security and when reminded that the current password is going to expire. The password command resets a user’s password, in compliance with the password policy enabled by the Administrator (default or strong password controls). After entering the password command, the ETEP prompts you for the new password. Enter the new password, and when prompted, re-enter it to confirm.
Related topics:
  ● “Default Password Conventions” on page 27
  ● “Enabling and Disabling Accounts” on page 29
Example: In this example, an Ops user changes the password for his account. Password text is not displayed on the terminal.
  ops> password
  Password:
  Retype new password:
password-enforcement

Description: The password-enforcement command configures the password control policy on the ETEP, which includes the stringency of password conventions, expiration, and history exclusion.
User Type: Administrator
Hierarchy Level: User-config mode (config > user-config)
Syntax: password-enforcement {default | strong}
Attributes:
  default - Enforces the default password controls. This is the default setting.
  strong - Enforces strong password controls.
Usage Guidelines: Strong password controls enforce more stringent password rules and conventions than the default password controls. The strong controls affect the following items:
  ● Password conventions
  ● Password history exclusion, which limits the reuse of passwords
  ● Password expirations, warnings, and grace periods
  ● Maximum number of login sessions allowed per user
The strong password controls enforce the following rules on any password that is entered after strong password enforcement is enabled.
Related topics:
  ● “Assigning Passwords to Users” on page 27
  ● “Enabling and Disabling Accounts” on page 29
Example: This example enables strong password controls.
  admin> configure
  config> user-config
  user-config> password-enforcement strong
password-modify

Description: The password-modify command lets the Administrator change a user’s password.
User Type: Administrator
Hierarchy Level: User-config mode (config > user-config)
Syntax: password-modify {<user-name>}
Usage Guidelines: After entering the password-modify command and user name, the ETEP prompts you for the new password. Enter the new password, and when prompted, re-enter it to confirm. The password conventions are based on the password policy enabled by the Administrator (default or strong password controls).
Related topics:
  ● “Default Password Conventions” on page 27
  ● “Enabling and Disabling Accounts” on page 29
Example: In this example, the Administrator changes the password for a user named “tech1.” Password text is not displayed on the terminal.
  admin> configure
  config> user-config
  user-config> password-modify tech1
  Password:
  Retype new password:
ping

Description: The ping command is an IPv4 command that sends an ICMP ping from the management port to the specified destination to verify connectivity. The ping command is implemented as a standard Linux command that can be accessed from within the ETEP CLI. The syntax of the command follows Linux conventions. Linux commands are case-sensitive.
User Type: Administrator and Ops
Hierarchy Level: Network-tools mode (admin > network-tools)
Syntax: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [-T timestamp option] [-Q tos] [hop1 ...] destination
Attributes:
  -L - Suppress loopback of multicast packets.
  -R - Record route.
  -U - Print full user-to-user latency.
  -b - Allow pinging a broadcast address.
  -d - Set the SO_DEBUG option on the socket being used.
  -f - Flood ping.
  -n - Show network addresses as numeric output only.
  -q - Quiet output.
  -r - Bypass the normal routing tables and send directly to a host on an attached interface.
  -v - Verbose output.
  -V - Show version.
  -a - Audible ping.
  -A - Adaptive ping.
  -c count - Stop after sending count ECHO_REQUEST packets. With the deadline option, ping waits for count ECHO_REPLY packets, until the timeout expires.
  -i interval - Wait interval seconds between sending each packet.
  -w deadline - Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received.
  -p pattern - You may specify up to 16 “pad” bytes to fill out the packet that you send.
  -s packetsize - Specifies the number of data bytes to be sent.
  -t ttl - Set the IP Time to Live.
  -I address - Set the source address to a specified interface address.
  -M hint - Select Path MTU Discovery strategy. hint may be “do” (prohibit fragmentation), “want” (do PMTU discovery and fragment locally when packet is large), or “dont” (do not set DF flag).
  -S sndbuf - Set socket sndbuf.
  -T timestamp option - Set special IP timestamp options.
  -Q tos - Set Quality of Service-related bits in ICMP datagrams.
  destination - The IP address of the network host that you are trying to reach.
  --help - Displays help information.
Usage Guidelines: The ping is sent from the ETEP’s management ports. The ping operation stops after sending (and receiving) a specified number of packets (count) or after a specified time interval (deadline). If a terminating event is not specified, enter CTRL-C to stop the ping. To view the command syntax and available options from the CLI, enter ping --help. If you need more detailed usage guidelines on ping attributes than are documented here, consult the Linux man pages. Super user options are not allowed when issuing the ping command on the ETEP.
Related topic:
  ● “ping6” on page 163
Example: The following example sends 4 ICMP ECHO-REQUEST packets from the ETEP management interface to host 192.168.1.124.
  admin> network-tools
  network-tools> ping -c4 192.168.1.124
  PING 192.168.1.124 (192.168.1.124) from 192.168.1.69 eth2: 56(84) bytes of data.
  64 bytes from 192.168.1.124: icmp_seq=1 ttl=128 time=0.462 ms
  64 bytes from 192.168.1.124: icmp_seq=2 ttl=128 time=0.270 ms
  64 bytes from 192.168.1.124: icmp_seq=3 ttl=128 time=0.270 ms
  64 bytes from 192.168.1.124: icmp_seq=4 ttl=128 time=0.335 ms
  --- 192.168.1.124 ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 3001ms
  rtt min/avg/max/mdev = 0.270/0.334/0.462/0.079 ms
ping6

Description: The ping6 command is the IPv6 version of the ping command. It works much the same way as IPv4 ping, sending an ICMP ping from the management port to the specified destination to verify connectivity. The main difference is that the ping6 options and parameters reflect the changes made in addressing and routing in IPv6. The ping6 command is implemented as a standard Linux command that can be accessed from within the ETEP CLI. The syntax of the command follows Linux conventions. Linux commands are case-sensitive.
User Type: Administrator and Ops
Hierarchy Level: Network-tools mode (admin > network-tools)
Syntax: ping6 [-hLVdnrqfs] [-c count] [-i interval] [-p pattern] [-s packetsize] destination
Attributes:
  Informational options:
    -h, --help - Display help information and exit.
    -L, --L - Display license information and exit.
    -V, --version - Display version information and exit.
  Options valid for all request types:
    -c, --count N - Stop sending after N packets.
    -d, --debug - Set the SO_DEBUG option.
    -i, --interval N - Wait N seconds between sending each packet.
    -n, --numeric - Do not resolve host addresses.
    -r, --ignore-routing - Send directly to a host on an attached network.
  Options valid for --echo requests:
    -f, --flood - Flood ping. This is a super-user option; it is not allowed on the ETEP.
    -l, --preload N - Send N packets as fast as possible before falling into normal mode of behavior. This is a super-user option; it is not allowed on the ETEP.
    -p, --pattern PAT - Fill ICMP packet with a given hexadecimal pattern.
    -q, --quiet - Quiet output.
    -s, --size N - Set number of data packets to send.
Usage Guidelines: The ping6 packets are sent from the ETEP’s management ports. The ping operation stops after sending (and receiving) a specified number of packets (count) or after a specified time interval (deadline). If a terminating event is not specified, enter CTRL-C to stop the ping. To view the command syntax and available options from the CLI, enter ping --help. If you need more detailed usage guidelines on ping attributes than are documented here, consult the Linux man pages. Super user options are not allowed when issuing the ping command on the ETEP.
Related topic:
  ● “ping” on page 161
Example: The following example sends 4 ICMP ECHO-REQUEST packets from the ETEP management interface to host 2003:a8::124, waiting 2 seconds between sending each packet.
  admin> network-tools
  network-tools> ping6 -c4 -i2 2003:a8::124
  PING 2003:a8::124 (2003:a8::124): 56 data bytes
  64 bytes from 2003:a8::124: icmp_seq=0 ttl=64 time=2.261 ms
  64 bytes from 2003:a8::124: icmp_seq=1 ttl=64 time=0.545 ms
  64 bytes from 2003:a8::124: icmp_seq=2 ttl=64 time=0.545 ms
  64 bytes from 2003:a8::124: icmp_seq=3 ttl=64 time=0.598 ms
  --- 2003:a8::124 ping statistics ---
  4 packets transmitted, 4 packets received, 0% packet loss
  round-trip min/avg/max/stddev = 0.545/0.987/2.261/0.736 ms
policies

Description: The policies command enters policies configuration mode. From here you can access policy-specific commands, which include defining a Layer 2 point-to-point policy, defining local-site policies, and setting the policy mode. The policy mode configures the ETEP for Layer 2 or Layer 3 operation, sets its keying method, and specifies TLS traffic handling.
User Type: Administrator
Hierarchy Level: Configuration mode
Syntax: policies
Example:
  config> policies
  policies>
policy-action

Description: The policy-action command determines how the ETEP acts on the packets that match the policy selectors: encrypt them, pass them in the clear, or discard them. This command is used in IPsec policies on the ETEP management interface and local-site policies.
User Type: Administrator
Hierarchy Levels:
  ● IPsec policy-config mode (config > management-interface > ipsec-config > policy-config)
  ● local-site policy-config mode (config > policies > local-site-policies > policy-config)
Syntax: policy-action {protect | discard | bypass}
Attributes:
  protect - Packets that match the policy selectors will be encrypted.
  discard - Packets that match the policy selectors will be discarded.
  bypass - Packets that match the policy selectors will be passed in the clear. This is the default.
Usage Guidelines: This command is used in conjunction with other policy commands to create management port policies or local-site policies. A policy definition consists of a name, action, selectors, and priority. For encryption policies, you must also specify encryption and authentication algorithms.
Example: The following example sets the policy action to protect in a management port policy. The example assumes that MyPolicy has already been added to the ETEP.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> policy-config MyPolicy
  policy-config> policy-action protect
The next example sets the policy action to bypass in a local-site policy. The example assumes that AnotherPolicy has already been added to the ETEP.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-config AnotherPolicy
  policy-config> policy-action bypass
policy-add

Description: The policy-add command adds a policy to the ETEP. This command is available when working with IPsec policies on the ETEP management interface and local-site policies.
User Type: Administrator
Hierarchy Level:
  ● ipsec-config mode (config > management-interface > ipsec-config)
  ● local-site configuration mode (config > policies > local-site-policies)
Syntax: policy-add {<name>}
Attributes:
  name - The policy name uniquely identifies the policy. The name is referenced when configuring the other policy commands. This attribute is mandatory. There is no default value; it must be specified by the user.
Usage Guidelines: The scope of the policy-add command is limited to the configuration mode in which you are operating when the command is issued: it adds either a management port policy or a local-site policy. This command essentially opens a policy container (or document) with a unique name. The policy parameters are specified later with the policy-config mode commands. Policy names must conform to the following conventions:
  ● Policy names can range from 1-32 characters.
  ● Valid characters are upper and lower case alpha characters (a-z), numeric characters (0-9), _ (underscore), and - (dash).
  ● Policy names must start with an alpha character or an underscore. The first character cannot be a numeric digit or a dash.
  ● Policy names cannot contain a space.
  ● Names are case-sensitive.
Example: The following example adds two local-site policies. The first policy is named MyPolicy, and the second one is named TestPolicy.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-add MyPolicy
  local-site-policy> policy-add TestPolicy
policy-config

Description: The policy-config command enters policy configuration mode. From here you can access policy-specific commands, which include defining the policy action, selectors, priority, and keying method. This command is available when working with IPsec policies on the ETEP management interface and local-site policies.
User Type: Administrator
Hierarchy Level:
  ● ipsec-config mode (config > management-interface > ipsec-config)
  ● local-site configuration mode (config > policies > local-site-policies)
Syntax: policy-config {<name>}
Attributes:
  name - The name of the policy you want to configure. The policy name must already exist on the ETEP.
Usage Guidelines: The scope of the policy-config command is limited to the configuration mode in which you are operating when the command is issued. The policy configuration mode is specific to management port policies or local-site policies on the data ports. The policy-config command requires that you enter an existing policy name. The policy name is entered using the policy-add command.
Example: The following example adds a management port policy named Test, and enters policy-config mode for that policy.
  config> management-interface
  man-if> ipsec-config
  ipsec-config> policy-add Test
  ipsec-config> policy-config Test
  policy-config>
policy-delete

Description: The policy-delete command removes a policy from the ETEP. This command is available when working with IPsec policies on the ETEP management interface and local-site policies.
User Type: Administrator
Hierarchy Level:
  ● ipsec-config mode (config > management-interface > ipsec-config)
  ● local-site configuration mode (config > policies > local-site-policies)
Syntax: policy-delete {<name>}
Attributes:
  name - The name of the policy that you want to delete.
Usage Guidelines: The scope of the policy-delete command is limited to the configuration mode in which you are operating when the command is issued: it deletes either the management port policies or the local-site policies on the data ports. To delete a policy, first issue the policy-delete command and then deploy the policy set. The targeted policy continues to run on the ETEP until the policy set is deployed.
Example: The following example deletes a policy named MyPolicy from the ETEP, and then deploys the modified policy set.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> policy-delete MyPolicy
  ipsec-config> deploy-policy-set
policy-ike-ipsec

Description: The policy-ike-ipsec command defines the IPsec transform set, which includes the IPsec protocol and encryption and hash algorithms to be used in an IKE encryption policy on the management interface.
User Type: Administrator
Hierarchy Level: IPsec policy-config mode (config > management-interface > ipsec-config > policy-config)
Syntax: policy-ike-ipsec {<transform-type> <encryption-algorithm> <authentication-algorithm>}
Attributes:
  transform-type - {esp | ah} AH provides data authentication. ESP provides encryption and authentication. The default is ESP.
  encryption-algorithm - {3des | aes128-cbc | aes256-cbc | null} The default is 3des.
  authentication-algorithm - {hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 | hmac-sha2-384 | aes-xcbc-mac-96} The default is hmac-sha1-96.
Usage Guidelines: This command is valid for IKE encryption policies. Prior to configuring the policy-ike-ipsec command, set the policy-action command to “protect” and policy-keying to “ike.” In an IKE negotiation, the encryption and hash algorithms constitute a proposal. In the current implementation, the proposal is limited to one encryption algorithm and one hash algorithm. To authenticate but not encrypt the communications, choose null as the encryption algorithm. Only FIPS approved algorithms are allowed when the ETEP is operating in FIPS mode.
Related topics:
  ● “Configuring Global Settings for IKE Negotiations” on page 79
  ● “Configuring an IKE Encryption Policy” on page 84
  ● “FIPS 140-2 Level 2 Operation” on page 121
Example: This example defines a transform set for an IKE policy on the management port named MyPolicy. The policy uses ESP, AES-256-CBC as the encryption algorithm, and HMAC-SHA1-96 as the hash algorithm. The example assumes that MyPolicy has already been added to the ETEP.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> policy-config MyPolicy
  policy-config> policy-action protect
  policy-config> policy-keying ike
  policy-config> policy-ike-ipsec esp aes256-cbc hmac-sha1-96
policy-ike-peer

Description: The policy-ike-peer command identifies the peer at the opposite end of the secure tunnel in an IPsec policy on the management port.
User Type: Administrator
Hierarchy Level: IPsec policy-config mode (config > management-interface > ipsec-config > policy-config)
Syntax: policy-ike-peer {<ip>}
Attributes:
  ip - The peer’s remote port IP address. This can be an IPv4 or IPv6 address.
Usage Guidelines: The policy-ike-peer command identifies the peer with whom the ETEP will be negotiating a secure tunnel. The ETEP accepts IPv4 and IPv6 addresses.
Related topic:
  ● “Configuring an IKE Encryption Policy” on page 84
Example: The following example defines a peer IP address for an IKE encryption policy named MyIKEpolicy. The example assumes that MyIKEpolicy has already been added to the ETEP.
  man-if> ipsec-config
  ipsec-config> policy-config MyIKEpolicy
  policy-config> policy-action protect
  policy-config> policy-keying IKE
  policy-config> policy-ike-peer 10.168.1.124
policy-keying

Description: The policy-keying command determines how the ETEP generates keys in an encryption policy. Keys can be generated automatically, using IKE, or entered manually. This command is used in IPsec encryption policies on the ETEP management interface.
User Type: Administrator
Hierarchy Level: IPsec policy-config mode (config > management-interface > ipsec-config > policy-config)
Syntax: policy-keying {manual-key | ike}
Attributes:
  manual-key - Use manually entered keys in the policy.
  ike - Use IKE to automatically generate keys. This is the default.
Usage Guidelines: The policy-keying command applies only when the policy action is set to “protect.” The ETEP supports IKE negotiated policies and manual key encryption policies on the management port. IKE policies use the global IKE parameters that are described in “Configuring Global Settings for IKE Negotiations” on page 79. The keying method is automated, and keys are refreshed at designated intervals. Manually keyed policies use keys that the user enters manually. These keys are static and not refreshed until the policy is updated.
All encryption policies deployed on the ETEP must use the same keying method. You cannot deploy a mix of IKE and manual key policies.
Related topics:
  ● “Configuring an IKE Encryption Policy” on page 84
  ● “Configuring a Manual Key Encryption Policy” on page 86
Example: The following example sets the policy keying method to manual keys. The example assumes that MyPolicy has already been added to the ETEP.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> policy-config MyPolicy
  policy-config> policy-keying manual-key
policy-layer2-selector

Description: The policy-layer2-selector command defines the traffic filters for a Layer 2 local-site policy.
User Type: Administrator
Hierarchy Level: local-site policy-config mode (config > policies > local-site-policies > policy-config)
Syntax: policy-layer2-selector {<ethertype> <vlan>}
Attributes:
  ethertype - The Ethertype can be entered as a hexadecimal or decimal value. Hexadecimal values must be preceded by 0x. Enter “any” to accept any Ethertype.
  vlan - {<vlan-id> | any} Enter a VLAN ID in the range of 1–4094, or enter “any” to accept any VLAN ID.
Usage Guidelines: This command is valid only when the ETEP is configured for Layer 2 operation.
Related topics:
  ● “Configuring a Local Site Bypass or Discard Policy” on page 67
  ● “Configuring a Local Site Encryption Policy” on page 69
  ● “policy-mode” on page 176
Example: The following example configures Layer 2 selectors that filter traffic on the Ethertype for ARP packets with any VLAN ID. The Ethertype is entered in hexadecimal. This example assumes that a policy named MyLayer2Policy has already been added.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-config MyLayer2Policy
  policy-config> policy-layer2-selector 0x0806 any
policy-manual-key (local-site policies)

Description: The policy-manual-key command configures the settings required to create manually keyed security associations (SAs) for local-site policies.
User Type: Administrator
Hierarchy Level: local-site policy-config mode (config > policies > local-site-policies > policy-config)
Syntax: policy-manual-key {<direction> <spi> <encryptionAlgorithm> <authenticationAlgorithm> <encryptionKey> <authenticationKey>}
Attributes:
  direction - {out | in | any} Specifies the direction of the SA. The any attribute creates two bi-directional SAs.
  spi - The SPI is a decimal value between 256 and 4096.
  encryptionAlgorithm - {3des-cbc | aes256-cbc}
  authenticationAlgorithm - {md5-96-hmac | sha1-96-hmac}
  encryptionKey - Hexadecimal number with the appropriate length according to the selected algorithm. In FIPS mode, you have to enter the encryption and authentication keys twice.
  authenticationKey - Hexadecimal number with the appropriate length according to the selected algorithm. In FIPS mode, you have to enter the encryption and authentication keys twice.
Usage Guidelines: Prior to configuring the policy-manual-key command, set the policy-action command to “protect.”
Each secure connection consists of two security associations (SAs), one for inbound packets and one for outbound packets. In a manual key policy you can either configure each SA individually, or set the direction to “any,” which sets up two bi-directional SAs that share the same SPI, algorithms, and keys.
When the ETEP is configured for Layer 2 operation, you must use aes256-cbc and sha1-96-hmac as the encryption and authentication algorithms. When the ETEP is configured for Layer 3 operation, it will accept any of the encryption and authentication algorithms. Only FIPS approved algorithms are allowed when the ETEP is operating in FIPS mode. When FIPS mode is enabled, the encryption and authentication keys must each be entered twice.

Table 75  Key lengths

  Encryption algorithm   Encryption key length (characters)   Authentication algorithm   Authentication key length (characters)
  3des-cbc               48                                   md5-96-hmac                32
  aes256-cbc             64                                   sha1-96-hmac               40

Related topic:
  ● “Configuring a Local Site Encryption Policy” on page 69
Example: The following example defines a bidirectional SA for the ETEP. This example assumes that a policy named MyProtectPolicy has already been added. Encryption and authentication keys are displayed only until the ENTER key is pressed. The example below shows the keys for demonstration purposes, even though they are not displayed this way on the terminal.
  admin> configure
  config> policies
  policies> local-site-policies
  local-site-policy> policy-config MyProtectPolicy
  policy-config> policy-manual-key any 1007 aes256-cbc sha1-96-hmac
  Please enter 64 character hexadecimal number for encryption key: 1234567890123456789012345678901212345678901234567890123456789012
  Please enter 40 character hexadecimal number for authentication key: 1234567890123456789012345678901234567890
policy-manual-key (management IPsec policies)

Description: The policy-manual-key command configures the settings required to create manually keyed security associations (SAs) on the management interface.
User Type: Administrator
Hierarchy Level: IPsec policy-config mode (config > management-interface > ipsec-config > policy-config)
Syntax: policy-manual-key {<direction> <spi> <protocol> <encryptionAlgorithm> <authenticationAlgorithm> <encryptionKey> <authenticationKey>}
Attributes:
  direction - {out | in} Specifies the direction of the SA. Each policy requires an inbound and outbound SA.
  spi - Each SA must have a unique SPI. The SPI is a decimal value between 256 and 4096.
  protocol - {esp | ah} AH provides data authentication. ESP provides encryption and authentication.
  encryptionAlgorithm - {3des-cbc | aes128-cbc | aes256-cbc}
  authenticationAlgorithm - {md5-96-hmac | sha1-96-hmac | sha2-256-hmac | sha2-384-hmac | aes-xcbc-mac-96}
  encryptionKey - Hexadecimal number with the appropriate length according to the selected algorithm. In FIPS mode, you have to enter the encryption and authentication keys twice.
  authenticationKey - Hexadecimal number with the appropriate length according to the selected algorithm. In FIPS mode, you have to enter the encryption and authentication keys twice.
Usage Guidelines: This command is valid for manually keyed encryption policies. Prior to configuring the policy-manual-key command, set the policy-action command to “protect” and policy-keying to “manual-key.” Each IPsec connection consists of two security associations (SAs), one for inbound packets and one for outbound packets. In a manual key policy each SA is configured individually. Only FIPS approved algorithms are allowed when the ETEP is operating in FIPS mode. When FIPS mode is enabled, the encryption and authentication keys must each be entered twice.

Table 76  Key lengths

  Encryption algorithm   Encryption key length (characters)   Authentication algorithm   Authentication key length (characters)
  3des-cbc               48                                   md5-96-hmac                32
  aes128-cbc             32                                   sha1-96-hmac               40
  aes256-cbc             64                                   sha2-256-hmac              64
  none                   N/A                                  sha2-384-hmac              96
                                                              aes-xcbc-mac-96            96

Related topic:
  ● “Configuring a Manual Key Encryption Policy” on page 86
Example: The following example defines an inbound SA for the ETEP.
  admin> configure
  config> management-interface
  man-if> ipsec-config
  ipsec-config> policy-config MyManualKeyPolicy
  policy-config> policy-manual-key in 1004 esp aes128-cbc sha1-96-hmac
  Please enter 32 character hexadecimal number for encryption key: 11223344556677889900aabbccddeeff
  Please enter 40 character hexadecimal number for authentication key: 11223344556677889900aabbccddeeff87654321
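As an added example that is not part of the ETEP CLI or of this guide, the following Python script checks policy-manual-key arguments against the rules of both variants before they are typed in: the SPI range, the algorithm choices for local-site and management-interface policies, the Layer 2 restriction to aes256-cbc with sha1-96-hmac, and the hexadecimal key lengths of Tables 75 and 76. The AH handling (encryption algorithm none, no encryption key collected) is an assumption drawn from the "none" row of Table 76, not a statement from the guide.

```python
import re

# Key lengths in hexadecimal characters, from Table 75 (local-site policies).
LOCAL_SITE_ENC = {"3des-cbc": 48, "aes256-cbc": 64}
LOCAL_SITE_AUTH = {"md5-96-hmac": 32, "sha1-96-hmac": 40}

# Key lengths in hexadecimal characters, from Table 76 (management IPsec policies).
MGMT_ENC = {"3des-cbc": 48, "aes128-cbc": 32, "aes256-cbc": 64}
MGMT_AUTH = {"md5-96-hmac": 32, "sha1-96-hmac": 40, "sha2-256-hmac": 64,
             "sha2-384-hmac": 96, "aes-xcbc-mac-96": 96}

SPI_MIN, SPI_MAX = 256, 4096          # decimal SPI range stated for both variants
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _check_spi(spi):
    if not isinstance(spi, int) or not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"spi must be a decimal value between {SPI_MIN} and {SPI_MAX}")


def _check_key(label, key, expected_len):
    # Keys are typed at a prompt after the command line, one per algorithm;
    # in FIPS mode the ETEP asks for each of them twice.
    if not isinstance(key, str) or not HEX_RE.match(key):
        raise ValueError(f"{label} must be a hexadecimal number")
    if len(key) != expected_len:
        raise ValueError(f"{label} must be {expected_len} hexadecimal characters, got {len(key)}")


def validate_local_site_manual_key(direction, spi, enc_alg, auth_alg,
                                   enc_key, auth_key, layer2=False):
    """Check a policy-manual-key command issued in local-site policy-config mode.

    Returns the command line to type (keys are prompted for, not typed inline)
    and the SA directions it creates: 'any' sets up both an inbound and an
    outbound SA sharing the same SPI, algorithms and keys.
    """
    if direction not in ("out", "in", "any"):
        raise ValueError("direction must be out, in or any")
    _check_spi(spi)
    if enc_alg not in LOCAL_SITE_ENC:
        raise ValueError(f"encryption algorithm must be one of {sorted(LOCAL_SITE_ENC)}")
    if auth_alg not in LOCAL_SITE_AUTH:
        raise ValueError(f"authentication algorithm must be one of {sorted(LOCAL_SITE_AUTH)}")
    # Layer 2 operation accepts only one algorithm pair.
    if layer2 and (enc_alg, auth_alg) != ("aes256-cbc", "sha1-96-hmac"):
        raise ValueError("Layer 2 operation requires aes256-cbc and sha1-96-hmac")
    _check_key("encryptionKey", enc_key, LOCAL_SITE_ENC[enc_alg])
    _check_key("authenticationKey", auth_key, LOCAL_SITE_AUTH[auth_alg])
    return {
        "command": f"policy-manual-key {direction} {spi} {enc_alg} {auth_alg}",
        "sas": ["in", "out"] if direction == "any" else [direction],
    }


def validate_mgmt_manual_key(direction, spi, protocol, enc_alg, auth_alg,
                             enc_key, auth_key):
    """Check a policy-manual-key command issued in IPsec policy-config mode on
    the management interface. Each SA is configured individually, so only
    'in' or 'out' is accepted."""
    if direction not in ("out", "in"):
        raise ValueError("direction must be out or in")
    _check_spi(spi)
    if protocol not in ("esp", "ah"):
        raise ValueError("protocol must be esp or ah")
    if protocol == "ah":
        # Assumption: AH authenticates only, so the 'none' row of Table 76
        # applies and no encryption key is collected.
        if enc_alg != "none":
            raise ValueError("ah requires encryption algorithm none")
    else:
        if enc_alg not in MGMT_ENC:
            raise ValueError(f"encryption algorithm must be one of {sorted(MGMT_ENC)}")
        _check_key("encryptionKey", enc_key, MGMT_ENC[enc_alg])
    if auth_alg not in MGMT_AUTH:
        raise ValueError(f"authentication algorithm must be one of {sorted(MGMT_AUTH)}")
    _check_key("authenticationKey", auth_key, MGMT_AUTH[auth_alg])
    return {
        "command": f"policy-manual-key {direction} {spi} {protocol} {enc_alg} {auth_alg}",
        "sas": [direction],
    }
```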
policy-mode

Description: The policy-mode command defines the encryption policy settings for the ETEP. This includes the following:
  ● Configure the ETEP for use in Layer 2 or Layer 3 policies
  ● Enable or disable EncrypTight policy and key generation, distribution, and management
  ● Enable or disable passing TLS traffic in the clear, which allows TLS-based management traffic to pass unencrypted.
User Type: Administrator
Hierarchy Level: Policies mode (config > policies)
Syntax: policy-mode {<policy> <enable-CE>} [<tls-clear>]
Attributes:
  policy - {layer2 | layer3} Specifies whether the ETEP will be configured for use in Layer 2 or Layer 3 policies.
  enable-CE - {true | false} To use EncrypTight for policy management, set the attribute to true. For Layer 2 IKE policies, set the attribute to false.
  tls-clear - [true | false] To pass TLS traffic in the clear, set the attribute to true. This is an optional attribute that defaults to true when EncrypTight is enabled (enable-CE true) and to false when EncrypTight is disabled (enable-CE false).
Usage Guidelines: The policy setting determines whether the ETEP can be used in Layer 2 Ethernet or Layer 3 IP policies. ETEPs that are configured for Layer 2 cannot be used in Layer 3 policies and vice versa. If you intend to create a Layer 4 policy to encrypt only the packet payload, set the policy setting to Layer 3.
The EncrypTight setting defines whether or not EncrypTight is used for policy management. To deploy Layer 2 IKE policies, set enable-CE to false. For distributed key policies, the enable-CE attribute must be set to true.
Passing TLS-based management traffic in the clear is required for EncrypTight distributed key policies, and when the ETEP is managed in-line. When the ETEP is operating in Layer 2 distributed key mode, ARP traffic is also passed in the clear when tls-clear is set to true. When the ETEP is operating in Layer 2 point-to-point mode, the tls-clear setting is false.
When you change the policy-mode of an in-service ETEP, all encrypt and drop policies currently installed on the ETEP are removed. Traffic is sent in the clear until you create and deploy new policies.
Example: The first example configures the ETEP for Layer 2 operation. It will be used in a Layer 2 point-to-point policy, so EncrypTight is disabled. In Layer 2 point-to-point policies, the tls-clear attribute is always set to false.
  config> policies
  policies> policy-mode layer2 false false
The next example configures the ETEP for Layer 3 operation in a distributed key environment, in which EncrypTight is used for policy management. TLS traffic will pass in the clear.
  config> policies
  policies> policy-mode layer3 true true
policy-packet-count

Description: The policy-packet-count command provides a mechanism for tracking packets through multiple ETEPs. This can help you determine why certain packets are being dropped in your network. When the packet counters are enabled, you can compare packet counts between the sending and receiving ETEPs to help pinpoint the source of the problem.
User Type: Administrator
Hierarchy Level: Policies mode (config > policies)
Syntax: policy-packet-count {enable | disable}
Usage Guidelines: When the policy-packet-count command is enabled, the ETEP adds a count to the security policy and security association databases (SPD and SAD, respectively). The counters increment as packets use the policies and SAs. The counts are displayed when you issue any of the following CLI commands: show spd, show sad, and show policy-packet-count. By comparing the counters on each ETEP, you can determine if the packets are being encrypted and sent from one ETEP, and then received at the other.
The policy packet counters are disabled by default. We recommend enabling the feature for troubleshooting, and disabling it for normal operation. To clear the counters, issue the show policy-packet-count-clear command.
Related topics:
  ● “Determining the Cause of Dropped Packets” on page 112
  ● “show” on page 187
Example: The following example enables the policy packet counters on the ETEP.
  admin> configure
  config> policies
  policies> policy-packet-count enable
policy-priority Description The policy-priority command assigns a processing priority to a policy. This command is used in IPsec policies on the ETEP management interface and local-site policies. User Type Administrator Hierarchy Level ●
IPsec policy-config mode (config> management-interface > ipsec-config> policy-config)
●
local-site policy-config mode (config > policies > local-site-policies > policy-config)
Syntax policy-priority {<priority>}
Attributes priority - For local-site policies the valid range is 65001–65500. For management port policies the valid range is 1–65500.
Usage Guidelines The policy priority specifies the order in which policies are processed on the ETEP. Policies are enforced in descending order, with the highest priority policy processed first. Each policy must have a unique priority. When you add a new policy, the ETEP automatically assigns it a priority: it starts from the highest priority already in use and takes the next lower value that is not already assigned, so that no two policies share a priority. For example, if you have two policies with priorities 65500 and 65499, the ETEP assigns priority 65498 to a new policy. If you have two policies with priorities 62000 and 61300, a new policy is assigned 61999. In many cases you will want to override the default priority assignments to ensure that traffic is processed in the order you intend. It is a good practice to review the priorities of your policies prior to deploying them. Use the show-policy-set command to do this. The local-site policies are assigned a higher priority than the priorities available to EncrypTight distributed key policies. This ensures that the local-site policies are not affected by EncrypTight policies that are deployed to the ETEP from ETPM. Related topics: ●
“Policy Configuration” on page 65 (local-site policies)
●
“Policy Configuration” on page 82 (management port policies)
Example The following example sets the priority of a management port policy named MyPolicy to 50000. The example assumes that MyPolicy has already been added to the ETEP.
admin> configure
config> management-interface
man-if> ipsec-config
ipsec-config> policy-config MyPolicy
policy-config> policy-priority 50000
policy-selector Description The policy-selector command defines the traffic filters for a Layer 3 policy. This command is used in IPsec policies on the ETEP management interface and local-site policies. User Type Administrator Hierarchy Level ●
IPsec policy-config mode (config> management-interface > ipsec-config> policy-config)
●
local-site policy-config mode (config > policies > local-site-policies > policy-config)
Syntax policy-selector {<remote-ip> <local-ip>} [<protocol> <remote-port> <local-port>]
Attributes
remote-ip - IP address of the endpoint on the far side of the untrusted network. Enter the address using CIDR notation (IP address/prefix). The default is 0.0.0.0/0, which means “process all packets” coming from any address.
local-ip - IP address of the local endpoint. Enter the address using CIDR notation (IP address/prefix). The default is 0.0.0.0/0, “process all packets.”
protocol - A decimal value that identifies the IP layer protocol. The default is any, which accepts all protocols. Range is 1-254.
remote-port - A decimal value that identifies the transport layer protocol port number for the remote endpoint. The default is any, which means “accept all.” Range is 1-65535.
local-port - A decimal value that identifies the transport layer protocol port number for the local endpoint. The default is any, which means “accept all.” Range is 1-65535.
Usage Guidelines IPsec selectors are traffic filters. Local-site policies can be configured with fairly coarse traffic filters, specifying an entire subnet or all destinations (0.0.0.0/0), or you can create more granular policies using selectors based on partial subnets, individual destinations, protocol types, or source and destination ports. Management policies are typically granular policies that filter traffic based on specific IP addresses, protocol types, or source and destination ports; the local IP address selector is typically the ETEP’s management port IP address. Policies on the management port can accept IPv4 or IPv6 addresses in CIDR notation, but not simultaneously: in a given selector, the address type must be consistent (either IPv4 or IPv6). Local-site policies accept only IPv4 addresses. The local-site policy-selector command accepts CIDR notation or dot-decimal notation for the subnet mask. The selectors default to all traffic, any protocol, any remote port, any local port: 0.0.0.0/0, 0.0.0.0/0, any, any, any. Because the defaults match every packet, check the action and priority of any policy you leave at the default selectors; a bypass policy with default selectors passes all traffic in the clear. Related topics: ●
“Policy Configuration” on page 65 (local-site policies)
●
“Policy Configuration” on page 82 (management port policies)
Examples The following example defines the selectors for a management port policy named BypassICMP. It is a bypass policy that passes ICMP traffic (protocol 1) in the clear from anywhere to anywhere.
man-if> ipsec-config
ipsec-config> policy-config BypassICMP
policy-config> policy-action bypass
policy-config> policy-selector 0.0.0.0/0 0.0.0.0/0 1 any any
The next example defines selectors for a Layer 2 local-site policy named EncryptPolicy. It is a protect policy that encrypts traffic with VLAN ID 10. Layer 2 policies use the policy-layer2-selector command rather than policy-selector.
policies> local-site-policies
local-site-policy> policy-config EncryptPolicy
policy-config> policy-action protect
policy-config> policy-layer2-selector any 10
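As an added worked example (illustrative code written for this guide's reader, not ETEP firmware or any Black Box tool), the following Python models the two rules described above: the automatic priority assignment described under policy-priority, and Layer 3 selector matching in priority order as described under policy-selector, including the IPv4/IPv6 consistency check and the value ranges from the Attributes list. Two points are assumptions rather than statements from this guide: that an empty policy set starts assigning at the top of its range, and that the first policy whose selector matches, in descending priority order, is the one applied (the usual IPsec SPD behaviour). The policy names and addresses used with it are made up.

```python
# Added illustration, not ETEP code: auto-priority assignment (policy-priority)
# and Layer 3 selector matching in priority order (policy-selector).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

ANY = "any"
Field = Union[int, str]  # a decimal value or the literal "any"
PRIORITY_RANGE = {"management": (1, 65500), "local-site": (65001, 65500)}


def selector_errors(remote_ip: str, local_ip: str, protocol: Field = ANY,
                    remote_port: Field = ANY, local_port: Field = ANY) -> List[str]:
    """Reasons a selector is invalid; an empty list means it is acceptable."""
    # strict=False tolerates host bits; ipaddress also takes the dot-decimal
    # mask form (10.0.0.0/255.255.0.0) that local-site policies accept.
    remote = ipaddress.ip_network(remote_ip, strict=False)
    local = ipaddress.ip_network(local_ip, strict=False)
    errors = []
    if remote.version != local.version:  # a selector is all-IPv4 or all-IPv6
        errors.append("selector mixes IPv4 and IPv6")
    if protocol != ANY and not 1 <= protocol <= 254:
        errors.append("protocol outside 1-254")
    for label, port in (("remote-port", remote_port), ("local-port", local_port)):
        if port != ANY and not 1 <= port <= 65535:
            errors.append(f"{label} outside 1-65535")
    return errors


def _field_ok(selector: Field, value: Optional[int]) -> bool:
    return selector == ANY or selector == value


@dataclass
class Policy:
    name: str
    action: str                     # protect, bypass or drop
    remote_ip: str = "0.0.0.0/0"    # endpoint beyond the untrusted network
    local_ip: str = "0.0.0.0/0"     # local endpoint, e.g. the management port
    protocol: Field = ANY
    remote_port: Field = ANY
    local_port: Field = ANY
    priority: Optional[int] = None  # None: let the policy set assign one

    def __post_init__(self) -> None:
        errors = selector_errors(self.remote_ip, self.local_ip, self.protocol,
                                 self.remote_port, self.local_port)
        if errors:
            raise ValueError(f"{self.name}: " + "; ".join(errors))
        self.remote_net = ipaddress.ip_network(self.remote_ip, strict=False)
        self.local_net = ipaddress.ip_network(self.local_ip, strict=False)

    def matches(self, local: str, remote: str, protocol: int,
                local_port: Optional[int] = None, remote_port: Optional[int] = None) -> bool:
        l_addr, r_addr = ipaddress.ip_address(local), ipaddress.ip_address(remote)
        if l_addr.version != self.local_net.version:
            return False  # an IPv4 packet never hits an IPv6 selector
        return (l_addr in self.local_net and r_addr in self.remote_net
                and _field_ok(self.protocol, protocol)
                and _field_ok(self.local_port, local_port)
                and _field_ok(self.remote_port, remote_port))


class PolicySet:
    def __init__(self, level: str) -> None:  # "management" or "local-site"
        self.low, self.high = PRIORITY_RANGE[level]
        self.policies: Dict[str, Policy] = {}

    def next_priority(self) -> int:
        # Next lower unused value below the highest in use; an empty set starts
        # at the top of the range (assumption, not stated in the guide).
        used = {p.priority for p in self.policies.values()}
        candidate = max(used) - 1 if used else self.high
        while candidate in used:
            candidate -= 1
        if candidate < self.low:
            raise ValueError("no free priority left in range")
        return candidate

    def add(self, policy: Policy) -> Policy:
        if policy.priority is None:
            policy.priority = self.next_priority()
        if not self.low <= policy.priority <= self.high:
            raise ValueError(f"{policy.name}: priority {policy.priority} out of range")
        if any(p.priority == policy.priority for p in self.policies.values()):
            raise ValueError(f"{policy.name}: duplicate priority {policy.priority}")
        self.policies[policy.name] = policy
        return policy

    def ordered(self) -> List[Policy]:
        # Processing order, highest priority first: review this before deploying.
        return sorted(self.policies.values(), key=lambda p: p.priority, reverse=True)

    def lookup(self, local: str, remote: str, protocol: int,
               local_port: Optional[int] = None, remote_port: Optional[int] = None):
        for policy in self.ordered():  # first match wins (assumed SPD semantics)
            if policy.matches(local, remote, protocol, local_port, remote_port):
                return policy
        return None
```

Calling ordered() on a set plays the role of reviewing show-policy-set output before deployment: with a BypassICMP policy (protocol 1) at priority 50000 and an EncryptMgmt protect policy at 40000, an ICMP packet to the protected subnet is bypassed; give the bypass policy the lower priority and the same packet falls under the protect policy instead, which is exactly the kind of ordering mistake the review is meant to catch.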
port-enable Description The port-enable command lets you independently enable or disable the management, local, and remote interfaces. User Type Administrator Hierarchy Level Management, local, and remote configuration mode Syntax port-enable {true | false}
Usage Guidelines Each port is configured independently of the others. This port setting is persistent after a reboot.
Example The following example disables the remote port.
admin> configure
config> remote-interface
rem-if> port-enable false
reassembly Description The reassembly command applies to packets entering the ETEP’s local port that are subject to fragmentation. This command specifies whether packets are fragmented before or after they are encrypted and who performs the reassembly of the fragmented packet: the destination host or gateway. User Type Administrator Hierarchy Level Local interface configuration mode (config > local-interface)
Syntax reassembly {host | gateway}
Attributes
host – This setting is required for the ETEPs to interoperate successfully with some security gateways. Packets are fragmented before they are encrypted, and the encryption header is added to each packet fragment. The destination host performs the reassembly.
gateway – This setting is recommended for ETEP-ETEP encryption. Packets are encrypted first and then fragmented based on the new packet size, which includes the encryption header. This behavior is consistent with RFC 2401 (since obsoleted by RFC 4301). The gateway (ETEP) performs the reassembly. This is the default setting.
Usage Guidelines The reassembly command applies only when the ETEP’s policy mode is set to Layer 3. When the policy mode is set to Layer 2, packets that are subject to fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are discarded. When the reassembly command is set to gateway, the ETEP sets the dfbit-ignore command to on. When the reassembly command is set to host, the ETEP sets the dfbit-ignore command to off by default but allows the setting to be changed. In gateway mode the peer ETEP must receive every fragment of an encrypted packet before it can reassemble and decrypt it, so a device between the ETEPs that drops non-initial fragments will break traffic in that mode. Related topics: ●
“policy-mode” on page 176
●
“dfbit-ignore” on page 138
Example The following example sets the reassembly mode to gateway.
admin> configure
config> local-interface
loc-if> reassembly gateway
reboot Description The reboot command halts all operations on the ETEP and starts the boot process in the same manner as when the power is cycled. User Type Administrator and Ops Hierarchy Level Command mode Syntax reboot
Usage Guidelines Rebooting is required when loading new software on the appliance and when restoring factory settings.
Example
admin> reboot
CAUTION Rebooting the appliance interrupts the data traffic on the ETEP local and remote ports.
remote-interface Description The remote-interface command allows configuration of the remote interface. User Type Administrator Hierarchy Level Configuration mode Syntax remote-interface
Example
config> remote-interface
rem-if>
remote-user-cert-auth-mode Description The remote-user-cert-auth-mode command enables and disables remote user certificate authentication on the ETEP. This feature is required to support the Common Access Card feature in an EncrypTight deployment. User Type Administrator Hierarchy Level User-config mode (config > user-config) Syntax remote-user-cert-auth-mode {enable | disable}
Usage Guidelines The EncrypTight system supports the use of smart cards such as the DoD Common Access Card (CAC). Using a CAC provides user authorization in addition to certificate-based authentication. When you use a CAC, EncrypTight components use the certificates installed on the card to determine if a user is authorized to perform a specific action. In order to access the system, every user must have an authorized CAC. A smart card reader is connected to the management workstation. To access the workstation, you must insert a CAC into the reader. The EncrypTight software reads the identity certificate on the CAC, as well as any trusted root or intermediate certificates. When the EncrypTight software communicates with other EncrypTight components, the common name field from the identity certificate is included in the communications. If the common name used in the communications is on the access list, the operation is allowed. Each component in the EncrypTight system must maintain a list of authorized users (EncrypTight software, ETKMS, and ETEP). Communications that do not use an authorized common name and a valid certificate are rejected.
Setting up the ETEP to use a CAC involves several tasks:
1 Install certificates on the ETEPs. This task is performed using the EncrypTight software.
2 Enable strict authentication on the ETEPs.
3 Enable remote user certificate authentication on the ETEPs.
4 Add common names to the existing user accounts on the ETEPs, or add new user accounts with common names.
5 On the ETEP, add a user account with a common name for each ETKMS.
Additional steps are required to prepare the EncrypTight workstation and ETKMS to use strict authentication with CACs. Be sure to complete all of the required steps in order, as described in the “Using Enhanced Security Features” chapter of the EncrypTight User Guide. Related topics: ●
“Adding Users” on page 20
●
“user-add” on page 199
●
“strict-client-authentication” on page 193
Example
admin> configure
config> user-config
user-config> remote-user-cert-auth-mode enable
restart-ike Description The restart-ike command tears down and restarts any existing IKE connections. It applies changes made to the IKE parameters used in policies on the ETEP management port.
User Type Administrator Hierarchy Level ike-params-set mode (config > management-interface > ipsec-config > ike-parameters-set) Syntax restart-ike
Usage Guidelines If you modify any of the ike-params-set commands, issue the restart-ike command to make the changes active on the ETEP. This lets you change the IKE parameters without redeploying policies. The IKE parameters are global settings that apply to all IKE encryption policies on the ETEP management port. Because restart-ike tears down the existing IKE connections, management traffic protected by those policies is interrupted until IKE renegotiates with the new parameters. Related topics: ●
“Changing the IKE Parameters” on page 79
●
“Deploying Management Policies” on page 92
Example admin> restart-ike
restore-filesystem Description The restore-filesystem command restores the appliance file system from the backup copy. The file system contains the software image, configuration files, policies, log files, throughput licenses, certificates, and passwords. As a result of restoring the ETEP’s file system, the previous copy becomes the backup copy. The restore operation can be reversed by issuing the restore-filesystem command a second time. User Type Administrator Hierarchy Level Command mode Syntax restore-filesystem
Usage Guidelines Review the following recommendations and cautions prior to issuing this command:
●
Make sure that you know the passwords used in the backup configuration. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in.
●
After restoring the file system, redeploy policies to the ETEP to ensure that the appliance is using the current set of policies and keys.
●
The restore operation replaces the current certificate with the backup certificate. If you replaced a certificate after the backup image was created, you will need to reinstall that certificate after the file system is restored. Failure to do so can result in a communication failure between the ETEP and the EncrypTight key generator.
After issuing the restore-filesystem command, you will be prompted to confirm that you want to continue. Type yes to continue or no to cancel. This command automatically reboots the appliance. Related topic: ●
“File System Backup and Restore” on page 99.
Example
admin> restore-filesystem
ATTENTION:
You have issued a service affecting restore command.
WARNING: This command restores the backup copy of the appliance file system including the software image, configuration files, policies, certificates, and passwords. Once the backup image is restored on the appliance, you must use the passwords from the backup configuration to log in. This command automatically reboots the appliance.
ARE YOU SURE YOU WANT TO CONTINUE? (enter 'yes' to confirm) > yes
restore-policy-set Description The restore-policy-set command restores the backup copy of the policy set. This command is available when working with IPsec policies on the ETEP management interface and local-site policies. User Type Administrator Hierarchy Level ●
ipsec-config mode (config > management-interface > ipsec-config)
●
local-site configuration mode (config> policies > local-site-policies)
Syntax restore-policy-set
Usage Guidelines The restore-policy-set command deploys the backup copy of the policy set, making it the active policy set on the ETEP. The backup copy of the policy set is retained after a restore operation. A subsequent backup overwrites the previous backup copy of the policy set.
The scope of the restore-policy-set command is limited to the configuration mode in which you are operating when the command is issued: it restores either the management port policies or the local-site policies on the data ports.
Example The following example restores the backup copy of the local-site policies.
config> policies
policies> local-site-policies
local-site-policy> restore-policy-set
show Description The show command displays information that is useful for troubleshooting problems with the ETEP, such as date and version information, the configuration running on the appliance, and log file contents. The show command is available in command mode to Administrator and Ops users. The show command is also available to the Administrator from several configuration modes, such as policy-config, ipsec-config, user-config, and banner-config. User Type Administrator and Ops have access to the show command from command mode. Only the Administrator can access the config mode show commands. Hierarchy Level Command mode, banner-config mode, ipsec-config mode, policies mode, and user-config mode Syntax show {<attribute>}
Attributes
all - Displays a collection of troubleshooting data, including running-config, encryption statistics, MIB2 statistics for the local, remote, and management ports, discarded packets, SPD, SAD, MAC statistics, ARP cache, route table, and system data such as disk and memory usage.
audit-log - Displays the contents of the audit log file. This command is available only to the Administrator user.
bootloader-version - Displays the bootloader version that is loaded on the ETEP.
dataplane-log - Displays the contents of the data plane log file.
date - Displays the internal clock’s date and time settings in the following format: