ENT 07 Conditions
ACTE Training (Enterprise Track)
Agenda (slide: set in the Analyze / Monitor / Define Conditions / Create Policies cycle diagram)
• Why Do We Need To Classify? Business Objectives
• Condition Catalogs
o Host
o Service
o Time
• Allot Protocol Updates (APU)
(Slide: by what criteria can we classify a car? Manufacturer, color, type of vehicle,
destination, max speed, size... Conclusion: the classification method must serve
business objectives.)
The need for classifying traffic may be clear, but what methods should we use? To
take the example of street traffic, we can see that there are many different categories
by which we can classify cars. The car manufacturer, its color and its maximum speed
are just a few possibilities. Which one is the best?
How we classify depends on what we want to achieve. Classifying by car color for
example may be suitable if you manufacture paint for cars, but this type of
classification is of little use if your aim is to manage the road system.
How To Use
The first step of implementation will therefore be to define your business objectives.
Ask yourself what it is you want to achieve with the Allot solution. How would you
classify your network traffic to meet the desired outcome? For example, if a different
quality of service is to be implemented for different users, we need to classify our
users into categories. If you want to define different service parameters for different
applications, then classification needs to be per application type.
We will now review the different classification condition catalogs available.
(Slide: enforcement policy editor, with the Classification (Conditions) and Enforcement
(Actions) columns highlighted.)
Here we see the enforcement policy editor in the NetXplorer, displaying the typical
policy that we saw earlier. Each row of the policy represents one of the rules that
makes up the policy. The highlighted area on the slide shows the conditions which
form a key part of every rule. The conditions determine which traffic is classified into
each rule.
Remember that there are more possible conditions available than those columns
displayed by default in the table. As we saw in an earlier module, the table view can
be configured so that the NetXplorer Administrator can decide which specific
conditions or actions to display in the table.
The conditions displayed for each rule are predetermined by catalogs. Some of these
condition catalogs (e.g. service catalogs) are pre-defined, while others need to be
configured in advance.
Host Catalog
Host Catalog is used to classify the traffic according to its Source or Destination. If, for
example, you would like to identify all the traffic generated by a specific IP address,
you should define this address in a Host Catalog. Then, insert this Host Catalog in the
desired place in the Policy Table.
There are some Host catalog values that are predefined by the system, such as Any,
Any IPv4 and Any IPv6. Those entries cannot be modified or deleted. However, new
values may be created, defining Hosts from the customer’s network.
Host List
There are several types of Host catalog entries, and it is important to understand the
hierarchical relationship between them – in particular between a host list and a host
group.
A Host List is a list of hosts defined by IPv4 Address, IPv4 Subnet, IPv4 Range, IPv6
Prefix or IPv6 Prefix Range, or any combination of these attributes. (Note: A Host List
can represent an individual subscriber, a corporate branch or a network subnet. How
you use a Host List depends on the policies you define to implement the relevant
network business objective.)
Once you have defined Host Lists, you can group several of them into a Host Group.
Here is an example of using hosts to represent different locations. One Host Group
will represent North America. Inside this Host Group we can have multiple Host Lists,
each one representing a major city.
The city Host List represents the actual IP addresses, subnets and ranges used in the
specific city. Chicago is a Host List consisting of a simple IP subnet. New York is a Host
List made up of an IP range and an additional IP address outside of that range.
Hosts may be internal or external. Whether a host will be recognized by the Service
Gateway as internal or external depends on the interface of the bypass unit to which
that host is connected.
Host catalog entries are defined in the NetXplorer interface, irrespective of whether
they are to be used as internal or external host conditions. The decision to define a
host catalog as an internal host condition or an external one, is made at a later stage,
when you build your policy in the NetXplorer policy editor.
By default, host lists and Host Groups which you define are global. This means that
they are sent to each Service Gateway in the network and can be used by them. If you
are working with large numbers of long and detailed host lists, though, this might
unnecessarily compromise the performance of your Service Gateways. If you know
that the catalogs you have defined are only relevant to a specific Service
Gateway on the network, it may therefore be worthwhile limiting the scope of the
catalog to the relevant Service Gateway.
To set the scope of the entry to a specific platform:
1. Click the Scope browse button. The Entry Scope Properties dialog box is displayed.
2. To make the entry available to a selected platform only, select Specific Device and
then select the platform from the drop-down list.
3. Click OK. The Host List Entry Properties dialog box is displayed.
4. Click Save.
It is also possible to import large groups of hosts from an external text file. The user
updates this text file and the NetXplorer checks for changes every 10 minutes. As
long as the text file is not updated, no NX resources are used. Note: the default
value of 10 minutes can be changed. Contact Allot Global Support Services to enable
this change if required.
Make sure the file is present on the NX at all times: if you delete it, the host entry
based on this file will have no data in it, and traffic from those hosts will no longer
match any rule that uses the entry as a condition.
There are 3 different methods for importing external text files. The user can create:
- A new external text file host list
- A new external text file host group
- A new dynamic external text file host group
Host Text File entries (for all types) may be provided in IPv4 or IPv6 format.
The dynamic external text file host group functionality was developed for
customers who regularly need to use particularly large text files containing tens of
thousands of entries.
With the regular external text file host group we can only support a few thousand
hosts, but the dynamic version enables us to support many more. Each NetXplorer
can support up to 1000 Dynamic External Host Files. Each Service Gateway can
support up to 1000 Dynamic External Host Files, up to 50K hosts within a single
dynamic text file, and 500K host IPs in total (across all Dynamic External Host files).
There are, however, several restrictions when using the dynamic mechanism:
• It can only be used to support internal hosts.
• It only supports individual IPs (ranges and subnets will be ignored).
• An IP may appear in only ONE Dynamic External Host File.
Note that another side effect of the dynamic system is that the IPs loaded from the
Dynamic text file are deleted when the Service Gateway reboots. The NetXplorer
server will update the IPs again after approximately 10 minutes, but until then there
will be no rule matching to the pipes and VCs in the Enforcement Policy that use
those text files in their conditions. During that window, traffic from those hosts
falls through to whichever later rule in the policy matches it, so any limit or
block that depends on the dynamic file is not enforced until the reload completes.
Example slide notes:
• Each entry must be on a separate line
• A Dynamic External Text File Host Group supports only the IPv4 address entry type
Using this feature, you can import long lists of hosts from an external text file into a Host
Group or Host List Catalog on the NetXplorer.
There are five types of hosts that can be imported: IP address, IP range, IP subnet, IPv6
address and IPv6 range. When using the dynamic method, IP address is the only type of
field that can be imported.
Create a text file according to the guidelines defined below, making sure that you enter
each host entry on a separate line. The text file format for each type of hosts is as follows:
IPv4 address: Name;IP
IPv4 subnet: Name;IP/Mask
IPv4 range: Name;IP-IP
IPv6 address prefix: Name;IP\prefix length
IPv6 address range: Name;IP-IP\prefix length
NOTE: This method creates individual hosts with corresponding names but they are all
added to a single group. They cannot be separated.
NOTE: There should be no space between the name and the IP itself. The semicolon
is the separator.
Let's see how to create a new external text file host list. From the Hosts item in the
catalogs pane, choose “New External Text File Host List”. The External Text File Host
Entry Properties dialog is opened, and the path of the text file is entered. Locate the
file on the NetXplorer Server.
(Slide: the same text file imported as a host list and as a host group. The group
import creates 2 hosts, one per name, e.g. host "IP2", used with the Host Group.)
Here we see how the system would handle the same text file, when the administrator
creates an external text file host list and an external text file host group.
A text file is created which includes two host names: IP1 and IP2. IP1 contains two IP
addresses and one IP subnet, and IP2 contains one IP and one IP range. Here we see
an imported host list, which simply extracts every line of the file to be a host item in
this host list.
Below we see an imported host group, consisting of 2 host entries. Clicking each host
entry will show us what it contains.
This difference has important implications later when we come to work with
templates (in Module 9).
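A small parser for this file format, as an added example that is not Allot's code and not part of the original notes. It applies the format rules given above (one entry per line, Name;Host, no spaces, the five host forms), shows how one file reads as a flat host list versus a host group as in the list/group comparison just described, and applies the dynamic host group restrictions (single IPv4 addresses only, an IP in only one file, the 50K per file and 500K total figures quoted in the notes). The sample file, the function names and the limit arguments are this example's own assumptions; the intent is a pre-flight check before a file is placed on the NX server, because an entry that fails to load simply removes that host from every rule built on the catalog.

```python
"""Parser/validator for NetXplorer external host text files (added example,
not Allot code). Line format from the notes: Name;Host, ';' separator, no
spaces. Host forms: IPv4 address, IPv4 subnet IP/Mask, IPv4 range IP-IP,
IPv6 prefix IP\\prefix, IPv6 prefix range IP-IP\\prefix. Function names and
the limits in check_dynamic() are this example's assumptions."""
import ipaddress
from collections import OrderedDict

# Constructed sample file (not from the page): hosts IP1 and IP2 as in the
# notes, plus an IPv6 prefix entry.
SAMPLE_FILE = (
    "IP1;10.1.1.5\n"
    "IP1;10.1.1.6\n"
    "IP1;10.1.2.0/24\n"
    "IP2;192.168.7.100\n"
    "IP2;192.168.8.10-192.168.8.50\n"
    "Branch6;2001:db8:10::\\48\n"
)

def parse_host(field):
    """Classify one host field; raises ValueError for anything outside the format."""
    if "\\" in field:                               # IPv6 forms end in \prefix-length
        addrs, plen = field.rsplit("\\", 1)
        plen = int(plen)
        if not 0 <= plen <= 128:
            raise ValueError("IPv6 prefix length out of range")
        if "-" in addrs:
            lo, hi = (ipaddress.IPv6Address(a) for a in addrs.split("-", 1))
            if lo > hi:
                raise ValueError("range start after end")
            return "ipv6_prefix_range", (lo, hi, plen)
        return "ipv6_prefix", ipaddress.IPv6Network(f"{addrs}/{plen}", strict=False)
    if "/" in field:
        return "ipv4_subnet", ipaddress.IPv4Network(field, strict=False)
    if "-" in field:
        lo, hi = (ipaddress.IPv4Address(a) for a in field.split("-", 1))
        if lo > hi:
            raise ValueError("range start after end")
        return "ipv4_range", (lo, hi)
    return "ipv4_address", ipaddress.IPv4Address(field)

def parse_file(text):
    """Parse a whole file into (entries, errors). Entries are (name, kind, value,
    line_no); a malformed line is reported rather than silently dropped."""
    entries, errors = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if " " in line or "\t" in line:
            errors.append((no, "whitespace in entry; no space allowed around ';'"))
        elif line.count(";") != 1:
            errors.append((no, "expected exactly one ';' separator"))
        elif not line.split(";")[0]:
            errors.append((no, "empty name"))
        else:
            name, field = line.split(";")
            try:
                kind, value = parse_host(field)
                entries.append((name, kind, value, no))
            except ValueError as e:
                errors.append((no, f"bad host '{field}': {e}"))
    return entries, errors

def as_host_list(entries):
    """External text file host list: every line becomes its own flat host item."""
    return [(kind, value) for _, kind, value, _ in entries]

def as_host_group(entries):
    """External text file host group: lines sharing a name form one host entry."""
    group = OrderedDict()
    for name, kind, value, _ in entries:
        group.setdefault(name, []).append((kind, value))
    return group

def check_dynamic(files, max_per_file=50_000, max_total=500_000):
    """Dynamic external host group rules: only single IPv4 addresses load, the
    rest is ignored, and an IP may appear in only one file. files maps file
    name -> text. Returns (loaded, ignored, duplicated, problems)."""
    loaded, ignored, seen, problems = {}, [], {}, []
    for fname, text in files.items():
        entries, errors = parse_file(text)
        problems.extend((fname, no, msg) for no, msg in errors)
        ips = set()
        for _, kind, value, no in entries:
            if kind != "ipv4_address":
                ignored.append((fname, no, kind))       # dropped silently by the SG
                continue
            ips.add(value)
            seen.setdefault(value, set()).add(fname)
        if len(ips) > max_per_file:
            problems.append((fname, 0, f"{len(ips)} hosts exceeds {max_per_file} per file"))
        loaded[fname] = ips
    duplicated = {ip: sorted(fs) for ip, fs in seen.items() if len(fs) > 1}
    if sum(len(s) for s in loaded.values()) > max_total:
        problems.append(("*", 0, f"more than {max_total} dynamic hosts in total"))
    return loaded, ignored, duplicated, problems

if __name__ == "__main__":
    entries, errors = parse_file(SAMPLE_FILE)
    print("host list:", len(as_host_list(entries)), "items, errors:", errors)
    print("host group:", {n: len(v) for n, v in as_host_group(entries).items()})
    print(check_dynamic({"site-a.txt": SAMPLE_FILE, "site-b.txt": "IP3;10.1.1.5\n"}))
```

Run as a script it prints the list view, the group view and the dynamic check over two constructed files; it does not talk to NetXplorer. The item worth looking at is the ignored list from check_dynamic: a subnet or range in a dynamic file is not an error on the Service Gateway, it is simply absent, so traffic from that subnet is never matched by the rule that was meant to cover it.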
Host Search
When you are working with long lists of hosts, you might lose track of individual host
entries. The host search is used to find a host definition from within a host list.
1. Select Catalogs and right-click Hosts in the Navigation pane and select Host Search
from the popup menu.
OR
In the Application Details pane, right-click an entry in the Host Catalog and select
Host Search from the popup menu.
The Host Search Properties dialog is displayed.
2. A Host Entry can be searched for by Host Name, IP or MAC address. Enter the
details of the host which you are looking for.
3. Click Search. Results are shown in the Search Results list.
4. Click Close to close the dialog.
Note that the search does not search within host groups.
Please keep in mind that Host Name (here it is called “Host”) and MAC Address
options are available only in the legacy product, AC-400, which is no longer sold.
Knowing your business objectives, you can use the host catalog to group different
users' groups. For example: per geographical location, per importance to the
organization, per department, etc.
On the other hand, you can use host catalog to identify crucial network elements.
Later, you can build your policy to ensure that enough bandwidth is allocated to each
of these network elements.
Can you think of other uses for host catalogs? Share your thoughts with your trainer
and the training class.
Returning to the enforcement policy editor in the NetXplorer, we see again the typical
policy that we saw earlier.
The highlighted area on the slide shows the internal host conditions defined for every
rule in the policy.
Service Catalog
The standard packet inspection process (shallow packet inspection) extracts basic
protocol information such as IP addresses (source, destination) and other low-level
connection states. This information typically resides in the packet header itself and
reveals the principal communication intent. The inspection level in the shallow
inspection process is insufficient to reach any application-related conclusions. For
example, if a packet is the result of an application trying to set up additional
connections for its core operation, an examination of the source or destination
addresses as they appear within the packet header itself will not reveal any useful
information regarding the connections to be used in the future, as requested by the
application.
Furthermore, it is very common that the necessary information is spread over several
packet transactions; and once again, examination of the header information alone
overlooks the complete transaction perspective.
DART, on the other hand, provides application awareness. This is achieved by
analyzing the content in both the packet header and the payload over a series of
packet transactions. At the heart of Allot’s solutions is a DPI engine which feeds off a
comprehensive library of signatures and behavior.
(Slide: service object hierarchy, with a UDS example: www.footlive.com, HTTP based.)
There are several different types of service objects - Service Groups and Monitored
Service Groups, Services and User Defined Signatures (UDS). The different types are
organized hierarchically.
Service groups enable you to efficiently assign multiple services to policies, instead of
defining separate policies on a service-by-service basis.
Monitored Service Group enables you to efficiently monitor multiple services,
irrespective of their policy assignment. It means that when monitoring groups of
apps, you don’t need to be limited by the groups you created for the purposes of
policy enforcement.
Services are the protocol or application-based criteria for traffic classification.
Services can exist in only one location in the hierarchy at any given time.
UDS objects give great flexibility to define signatures using any of the HTTP header
fields. We will discuss UDS in detail in module 10.
(Slide: the Web Applications service group. HTTP is a service defined by signature and
port; HTTPS is a service defined by port only.)
To better understand services and service groups, let’s look at the Web Applications
Service group.
This group includes several services: HTTP, HTTP Proxy, HTTPS and more. Each service
is defined by its application signature and by its port numbers. HTTP is based on the
HTTP application signature, and it includes both a signature and a port number (80).
HTTPS is based on the Other TCP application and it includes a port only (443).
We will now review the steps to create a new service and explain all the different
options available.
While NetXplorer comes with an extensive set of common services, you may want to
define additional services. There are two methods for defining additional services:
1. Creating a new service based on an existing application type recognized by
Allot’s DPI engine.
2. Selecting a known service from the protocol library containing over 1000
protocols recognized by IANA (Internet Assigned Numbers Authority) assigned
ports.
The new service created by the user will be marked with a small blue question mark,
to indicate that this is a user created service, and not part of the Allot Protocol Pack.
To add a new service using the protocol library in the Navigation pane, right-click
Services and select New. The Service Entry Properties dialog box is displayed.
To create a new service based on an existing application from the Application Type
drop-down list, select the basic application type, and choose ADD. Assign additional
properties to it, such as port number and define the entry identification method. We
can also take a recognized application and re-define the way in which it is recognized.
Identification method options:
• Default: The DPI engine identifies the traffic by signature. If the signature is not
recognized, then the traffic is identified according to the port used, regardless of
the application.
• Signature: The DPI engine identifies the traffic according to the signature of origin,
regardless of the port. You can choose to check for this signature on particular
ports or on all ports. By using this method, you can distinguish between
applications which use the same signature on different ports.
• Port/Server based: Traffic on this destination port or server will be identified as
the service you have defined.
To select a publicly recognized port assignment for the application, click Library in the
Service Entry Properties dialog box. The Service Protocols Library dialog box is
displayed. These library-based services use layer 4 identification, based on standard
port usage for specific applications.
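A model of the three identification methods, as an added example that is not Allot's DPI engine and not part of the original notes. The Flow and Service types, the constructed catalog, the rule that the first matching service in catalog order wins, and the exact reading of each bullet (Default: signature, else port when no signature was recognised at all; Signature: signature only, optionally narrowed to listed ports; Port/Server: destination port only) are this example's assumptions. It shows what each method does with traffic whose port and payload disagree, which is where a classification rule is either bypassed or over-matched.

```python
"""Model of the Default / Signature / Port-Server identification methods
(added example, not Allot's engine). Types, catalog and precedence rules
are this example's own assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    dst_port: int
    signature: Optional[str]   # application the DPI engine recognised, None if nothing

@dataclass(frozen=True)
class Service:
    name: str
    application: str           # base application type the service is built on
    ports: frozenset           # empty set = "all ports"
    method: str                # "default", "signature" or "port"

    def on_port(self, flow):
        return not self.ports or flow.dst_port in self.ports

    def matches(self, flow):
        if self.method == "port":        # port/server based: payload never consulted
            return self.on_port(flow)
        sig_hit = flow.signature == self.application
        if self.method == "signature":   # signature decides; ports only narrow it
            return sig_hit and self.on_port(flow)
        # default: identify by signature; fall back to the port only when the
        # engine recognised no signature at all
        return sig_hit or (flow.signature is None and self.on_port(flow))

CATALOG = [  # constructed catalog (assumption); order matters, first match wins
    Service("SSH", "SSH", frozenset({22}), "default"),
    Service("HTTP", "HTTP", frozenset({80}), "default"),
    Service("MyApp-5634", "MyApp", frozenset({5634}), "signature"),
    Service("HTTPS", "Other TCP", frozenset({443}), "port"),
]

def classify(flow, catalog=CATALOG):
    """Name of the first service whose identification method matches, else None."""
    for svc in catalog:
        if svc.matches(flow):
            return svc.name
    return None

def demo():
    """Flows whose port and payload agree or disagree, mapped to the service chosen."""
    cases = {
        "http on 80": Flow(80, "HTTP"),
        "unknown on 80": Flow(80, None),
        "ssh tunnelled over 80": Flow(80, "SSH"),
        "http on 8080": Flow(8080, "HTTP"),
        "unknown on 443": Flow(443, None),
        "http signature on 443": Flow(443, "HTTP"),
        "myapp on 5634": Flow(5634, "MyApp"),
        "myapp on 9000": Flow(9000, "MyApp"),
    }
    return {label: classify(flow) for label, flow in cases.items()}

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} -> {result}")
```

The cases to notice are "ssh tunnelled over 80", which the Default HTTP service does not claim because the engine recognised another signature, and "unknown on 443", which the port-only HTTPS service claims whatever the payload is. A policy built on a port-only service therefore applies to anything an endpoint chooses to send to that port, and a signature service narrowed to one port (the MyApp-5634 case) will not see the same application on any other port.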
(Slide: the new services are added to a new Service Group.)
You can define your own service groups by combining several services into a single
group. Similar services can be grouped if you want to apply the same QoS policy to
them. An example of this is seen on the screen, where a service group called:
“Business Applications” is created, consisting of Oracle, SAP and Vonage, with a view
to giving this group a guaranteed quality of service.
While Service Groups are defined to classify traffic and then perform different actions
on that traffic as part of the enforcement policy, you can also group services together
into Monitored Service Groups for the purpose of monitoring only.
These two mechanisms work independently of one another, meaning that a
particular service may be included in a particular service group for the purpose of
enforcement, while in a separate monitored service group for the purpose of
monitoring.
Groups combine port recognition and Layer 7 analysis. Within a group, the
identification of one service might be based on Layer 7 analysis, while another might
be identified by port number alone.
Moving a service to an existing service group is also a simple process. For example, here
we see how to move H.323 to the Business Applications Group that we defined earlier.
To move a service into an existing Service Group:
1. In the Service Catalog, right-click the service that you want to move and select Move
from the shortcut menu. The Move Service - Select Target dialog is displayed.
2. Select the location to which you want to move the selected Service.
3. Click Save.
Note that you cannot move a group into another group. If you wish to classify traffic
from different service groups into a single Pipe or VC, this can be done using the “add
rule” function when building the traffic policy.
Knowing your business objectives, you can use service catalogs to identify services
and applications and control them. For example:
• Identify your critical business applications to ensure high quality of experience for
them at all times.
• Prioritize critical and time sensitive business applications and throttle non-time
sensitive traffic at times of congestion.
• Identify high bandwidth consuming applications, such as P2P and limit the
available bandwidth for them during peak hours.
We will learn more about how to configure such policies in modules 7 & 8 of this
training course.
Can you think of other uses for service catalogs? Share your thoughts with your
trainer and the training class.
Returning to the enforcement policy editor in the NetXplorer, we see again the typical
policy that we saw earlier.
The highlighted area on the slide shows the service conditions defined for every rule
in the policy.
Time Catalog
The Time Catalog contains entries that are used to define the period of time during
which a particular rule is active.
Time Catalog entries are useful when you want to apply conditions to traffic only on
specific days or at specific times. For example, you might differentiate between work
and non-work hours, or give priority to maintenance jobs run at scheduled times.
NOTE: You can use time catalogs to divide time up as you wish, for example by
defining as many time cycles as you want within a 24 hour period.
If a time catalog has been assigned to a Line, Pipe or Virtual Channel, what happens
when the expiration time is reached?
Both new and existing connections will be reclassified into other Lines, Pipes or
Virtual Channels.
Here is an example of using Time Catalog entries to define a time-based policy. In this
example, Peer to Peer traffic is limited to 256kbps during work hours and has a much
more liberal limit outside work hours.
Knowing your business objectives, you can use time catalogs to define different time
slots and control them. For example:
• Define your organization’s working hours to ensure high quality of experience for
your business applications.
• Define maintenance hours to steer access to servers under maintenance to
secondary servers or to a captive portal with a maintenance notice.
We will see more about how to configure such policies in modules 7 & 8 of this
training course.
Can you think of other uses for time catalogs? Share your thoughts with your trainer
and the training class.
Returning to the enforcement policy editor in the NetXplorer, we see again the typical
policy that we saw earlier.
The highlighted area on the slide shows the internal time conditions defined for every
rule in the policy.
Allot Protocol Updates (APU)
(Slide: the NX key for the NetXplorer server and an SG key for each Service Gateway.)
In order to access Web updates, you need a valid support contract as well as an
appropriate key for both the NetXplorer server and all the platforms which it
manages. You obtain these keys by renewing your support contract.
To check that APU is included in your NetXplorer key (and to enter a new one if it is
not), from the “Tools” menu select “NetXplorer Application server registration”
To perform the same check for the SG, from the Network tree select the SG and
choose “Configuration”. Go to the “Identification & Key” tab. Here you can see if APU
is enabled and you can identify the currently installed protocol pack.
(Slide: update stages, manual or automatic: update the NetXplorer server, then update
the Service Gateways. The protocol pack summary lists the signatures added and the
signatures updated in this PP.)
Step 1: If your NetXplorer server can access the Allot Website on the internet, the simplest
way to perform manual updates is by using the protocol updates wizard. The wizard is
accessed from the protocol updates item on the Tools menu. Choose “From Allot Web Site”.
Step 2: First, the wizard will check for updates. A list of changes to be made to the service
catalog and the protocol pack number will be displayed. The pending changes are divided into
applications, services and service groups. Each one is split up into “Create” for new
applications/services and groups and “Update” for updating existing ones. Click on “update
now” to download the protocol pack to the NetXplorer and apply all of the listed changes to
the service catalogs of the NetXplorer. When the service catalog has been successfully
updated, the list of changes will be displayed. In addition, the successful installation will be
recorded in the alarms log.
NOTE: Services that have been manually moved, added or deleted from a service group by
the user will not change their location due to a Protocol Pack upgrade or rollback, unless
the service has been deleted from the new Protocol Pack, in which case it will also be
deleted from the service catalog and any groups it is part of.
Step 3: The third and final stage of the process is to update the Service Gateways. Select the
Service Gateways that you wish to update. In the example above there is only one SG
available. For each SG you can see the services to be changed by clicking the “Advanced”
button. You can also choose the specific PP version you wish to install from this window.
Clicking Next one more time brings you to the end of the process.
(Slide: 2. update the NX server; 3. update the SGs. SGs must be updated manually.)
We have seen how the upgrade package is downloaded using the wizard and how this
process can be configured to run automatically.
There are additional ways to download the update package to the NetXplorer server
which can be particularly useful when the NetXplorer has no direct access to the
internet.
In this case, the package can be downloaded from Allot Support Area and copied to
another server, external hard drive or a Flash Drive.
After you have it, go to the Tools menu in the NetXplorer GUI, and choose Protocol
Updates > From Local Package to update the NetXplorer. Choose Install to Device to
update the Service Gateways.
It is also possible to rollback the NetXplorer and/or the Service Gateways to a
previous version.
Follow the full procedure in the Protocol Pack Release Notes.
Review Question
Which condition catalogs do you need to define in order to create a rule which gives
high priority to Mail applications during working hours?
(Slide: table of the rule’s conditions: Service, Time = Working Hours, Host List.)
Review Question
Which condition catalogs do you need to define in order to create a rule which limits
eDonkey download traffic for the Engineering Department during peak surfing hours?
(Slide: table of the rule’s conditions: Service Group, Service = eDonkey.)
Review Question
Look at the entry identification definitions for the service displayed here. How will the
SG identify this service?
(Slide fragment: “... can be matched, but ... which is running on port number 5634 will
be classified as this particular service”.)
Exercise
Condition Catalogs
Module 7: Conditions