Module 7: Conditions

ACTE Training (Enterprise Track)

ACTE (Enterprise Track) 1


• Why Do We Need To Classify?
• Condition Catalogs
  o Host
  o Service
  o Time
• Allot Protocol Updates (APU)

(Slide diagram: a cycle of Analyze Business Objectives → Define Conditions Catalogs → Create Policies Actions → Monitor and Analyze.)

We will begin by asking why is it important to classify at all?


Why Do We Need To Classify?

• To gain network visibility
  o through a clearer view of object distribution
• To enforce traffic policies
  o by applying rules to a group of objects

Why do we need to classify network traffic? The answer is twofold.


Firstly, classifying gives us a better understanding of the traffic. For example, to see
which user is consuming the most bandwidth, we must first classify the network
traffic by user (the user can be identified by the host that initiates the traffic). Once
we have a clear view of the network traffic, we can analyze it over time and spot
trends and new behavior patterns.
Secondly, classifying allows us to apply different QoS to different types of traffic. If
traffic was not classified into identifiable groups, it would be impossible to apply
quality of service for every different traffic instance.


Example – Classifying Road Traffic

Possible criteria: manufacturer? color? type of vehicle? destination? max speed? size?

Conclusion: the classification method must serve business objectives.

The need for classifying traffic may be clear, but what methods should we use? To
take the example of street traffic, we can see that there are many different categories
by which we can classify cars. The car manufacturer, its color and its maximum speed
are just a few possibilities. Which one is the best?
How we classify depends on what we want to achieve. Classifying by car color for
example may be suitable if you manufacture paint for cars, but this type of
classification is of little use if your aim is to manage the road system.


How To Use

Define Your Business Objectives:

• What do you want to achieve?
• How should you classify the traffic in your network to enable this?

The first step of implementation will therefore be to define your business objectives.
Ask yourself what it is you want to achieve with the Allot solution. How would you
classify your network traffic to meet the desired outcome? For example, if a different
quality of service is to be implemented for different users, we need to classify our
users into categories. If you want to define different service parameters for different
applications, then classification needs to be per application type.
We will now review the different classification condition catalogs available.


Policy Table Example: Classification Conditions

(Screenshot: Policy Table. Each row is a rule; the columns are grouped into Classification Conditions and Enforcement Actions.)

Here we see the enforcement policy editor in the NetXplorer, displaying the typical
policy that we saw earlier. Each row of the policy represents one of the rules that
makes up the policy. The highlighted area on the slide shows the conditions which
form a key part of every rule. The conditions determine which traffic is classified into
each rule.
Remember that there are more possible conditions available than those columns
displayed by default in the table. As we saw in an earlier module, the table view can
be configured so that the NetXplorer Administrator can decide which specific
conditions or actions to display in the table.
The conditions displayed for each rule are taken from catalogs. Some of these
condition catalogs (e.g. service catalogs) are pre-defined, while others need to be
configured in advance.


(Agenda slide repeated; this section covers the Host condition catalog.)

Traffic classification is performed by defining condition catalogs in the NetXplorer.


With an understanding of your business aims, you can choose the appropriate type of
condition catalog to define.
We will now examine each of the different types of conditions in turn, beginning with
the Host Catalogs.


Host Catalog

• The Host Catalog is used to classify traffic according to its source or destination
• There are predefined values such as Any, Any IPv4 and Any IPv6
• More values may be added, defining hosts from the customer's network

Host Catalog is used to classify the traffic according to its Source or Destination. If, for
example, you would like to identify all the traffic generated by a specific IP address,
you should define this address in a Host Catalog. Then, insert this Host Catalog in the
desired place in the Policy Table.
There are some Host catalog values that are predefined by the system, such as Any,
Any IPv4 and Any IPv6. Those entries cannot be modified or deleted. However, new
values may be created, defining Hosts from the customer’s network.


Host List

• A host list is a list of one or more hosts
• Hosts can be defined by (examples):
  o IPv4 address: 172.16.1.31
  o IPv4 range: 10.1.2.3-10.1.3.7
  o IPv4 subnet: 10.10.10.0/255.255.255.0
  o IPv6 prefix: 2001:1234::/32
  o IPv6 prefix range: 2001:1234::-2001:1234::/32

A host list is a list of one or more hosts.


Hosts can be network IP addresses, IP address ranges or IP subnet addresses.
Following are examples of host entries:
• IPv4 Address: The IPv4 address of a host. For example, 172.16.1.31.
• IPv4 Range: A range of IPv4 addresses. For example, 10.1.2.3-10.1.3.7 means the
ranges 10.1.2.3-10.1.2.255 and 10.1.3.1-10.1.3.7.
• IPv4 Subnet: For example, 10.10.10.0 with a subnet mask of 255.255.255.0.
• IPv6 Prefix: The IPv6 prefix of a host. For example, 2001:1234::/32.
• IPv6 Prefix Range: A range of IPv6 prefixes. For example, 2001:1234::-2001:1234::/32.


Defining a Host List

1. Right-click Hosts → New Host List
2. Enter the Host entry name
3. Click the "Add" button
4. Select the type of the Host Item
5. Define the required parameters for the chosen Host Type
6. Click "Save"

• The new Host item is added to the main Hosts window

To define a host list:


1. Select and right-click Host in the Navigation pane under Catalogs and select New
Host List from the popup menu.
2. On the Host List Entry Properties dialog enter the name of the host entry in the
Name field.
3. Click Add to add items to the Host List.
4. From the Host Item Type dropdown list, select the type of item to be included in
the host list (Host Name, IPv4 Address, IPv4 Range, IPv4 Subnet, IPv6 Prefix or
IPv6 Prefix Range).
5. Define the additional parameters in the dialog. The parameters change according
to the selected Item Type. For example, if you are configuring an IPv4 Address,
only one additional parameter, the IP Address, is defined in the dialog; if you are
configuring an IPv6 Prefix Range, two parameters are defined, the From and To
IPv6 prefixes.
6. Click Apply and Save. The item is added to the Main Hosts window.


Host Lists and Host Groups


• Host Group: contains one or more Host Lists
• Host List: one or more hosts defined by IPv4 subnet, IPv4 address, IPv4 range, IPv6 prefix or IPv6 prefix range

There are several types of Host catalog entries, and it is important to understand the
hierarchical relationship between them – in particular between a host list and a host
group.
A Host List is a list of hosts defined by IPv4 Address, IPv4 Subnet, IPv4 Range, IPv6
Prefix or IPv6 Prefix Range, or any combination of these attributes. A Host List
can represent an individual subscriber, a corporate branch or a network subnet; how
you use a Host List depends on the policies you define to implement the relevant
network business objective.
Once you have defined Host Lists, you can group several of them into a Host Group.
Here is an example of using hosts to represent different locations. One Host Group
will represent North America. Inside this Host Group we can have multiple Host Lists,
each one representing a major city.
The city Host List represents the actual IP addresses, subnets and ranges used in the
specific city. Chicago is a Host List consisting of a simple IP subnet. New York is a Host
List made up of an IP range and an additional IP address outside of that range.


Internal / External Hosts


• Hosts are defined as internal or external on the basis of which interface of the bypass unit they are connected to

(Slide diagram: bypass unit with Internal Hosts on one side and External Hosts on the other.)

Hosts may be internal or external. Whether a host will be recognized by the Service
Gateway as internal or external depends on the interface of the bypass unit to which
that host is connected.


Assign Host Catalogs to Policy

• After Host catalogs are defined, you may use them within the Policy Table as internal or external host conditions

Host catalog entries are defined in the NetXplorer interface, irrespective of whether
they are to be used as internal or external host conditions. The decision to define a
host catalog as an internal host condition or an external one, is made at a later stage,
when you build your policy in the NetXplorer policy editor.


Defining Host Lists and Groups


1. Define Host Lists
   • Define new Host Lists using the different types: IPv4 Address, IPv4 Range, IPv4 Subnet, IPv6 Prefix, IPv6 Prefix Range
2. Define Host Group
   • Define a Host Group and assign Host Lists to it
   • In the example, 3 Host Lists are created (London, Paris, Madrid) and assigned to the Host Group named "Europe"

First, you should define a Host List:


1. In the Navigation pane, right-click Hosts and select New Host List from the
shortcut menu.
2. Enter a name and description in the Host List Entry Properties dialog box.
3. To add items to the host list, click Add. From the Host Item Type drop-down list,
select the type of item to be included in the host list (IPv4 Address, IPv4 Subnet,
IPv4 Range, IPv6 Prefix or IPv6 Prefix Range).
4. Define the additional parameters required by the selected item type.
5. Click Apply. The item is added to the host list.
Repeat steps 3-5 to add more hosts to the list. Create more Host Lists if needed.
To join existing host lists into a single host group:
1. In the Navigation pane, right-click Hosts and select New Host Group from the
shortcut menu.
2. Enter the name of the host group, together with a description if required.
3. To add host lists to the host group, click Add. From “Add Group Items” dialog box
choose available Host lists that can be added to the host group.
The “Scope” of a Host List, as well as Host Group, can be either Global or specific to a
particular Service Gateway. We will discuss it in the next slide.


Host List and Host Group Scope


• If the catalogs you have defined are only relevant to a specific Service Gateway on the network, you may limit the scope of the catalog to the relevant Service Gateway only

(Slide diagram: the NetXplorer Server distributing catalogs to SG 1, SG 2, SG 3 and SG 4.)

In big deployments or with long Host lists, limiting the Host Catalog scope prevents performance degradation.

By default, host lists and Host Groups which you define are global. This means that
they are sent to each Service Gateway in the network and can be used by them. If you
are working with large numbers of long and detailed host lists, though, this might
unnecessarily degrade the performance of your Service Gateways. If you know
that the catalogs you have defined are only relevant to a specific Service
Gateway on the network, it may therefore be worthwhile limiting the scope of the
catalog to the relevant Service Gateway.
To set the scope of the entry to a specific platform:
1. Click the Scope browse button. The Entry Scope Properties dialog box is displayed.
2. To make the entry available to a selected platform only, select Specific Device and
then select the platform from the drop-down list.
3. Click OK. The Host List Entry Properties dialog box is displayed.
4. Click Save.


Importing Hosts from External Text File

• Large groups or lists of hosts can be imported from external text files (3 different methods)
• The user updates the text file
• NX checks for changes every 10 minutes

External Host List files must be located on the NX server

It is also possible to import large groups of hosts from an external text file. The user
updates this text file and the NetXplorer checks for changes every 10 minutes. As
long as the text file is not updated, no NX resources are used. Note – the default
value of 10 minutes can be changed. Contact Allot Global Support Services to enable
this change if required.
Make sure you have the file on the NX at all times (if you delete it, the host entry
based on this file will have no data in it).
There are 3 different methods for importing external text files. The user can create:
- A new external text file host list
- A new external text file host group
- A new dynamic external text file host group


Which Method to Choose?

Type of External Text File            | List or Group | Number of Entries                                                      | Supported Entry Types  | Hosts
External Text File Host List          | List          | Up to 50,000 list entries                                              | Address, Subnet, Range | Internal, External
External Text File Host Group         | Group         | Up to 50,000 list entries                                              | Address, Subnet, Range | Internal, External
Dynamic External Text File Host Group | Group         | Up to 10,000,000 (10,000 per file, up to 1000 files supported per NX)  | Address                | Internal

Host Text File entries (for all types) may be provided in IPv4 or IPv6 format.

There are 3 different methods for importing external text files. The user can create:
• A new external text file host list
• A new external text file host group
• A new dynamic external text file host group
The dynamic external text file host group functionality was developed for
customers who regularly need to use particularly large text files containing tens of
thousands of entries.
With the regular external text file host group we can only support a few thousand
hosts, but the Dynamic version enables us to support many more. Each NetXplorer
can support up to 1000 Dynamic External Host Files. Each Service Gateway can
support up to 1000 Dynamic External Host Files, up to 50K Hosts within dynamic text
file, 500K Host IPs in total (in all Dynamic External Host files).
There are, however, several restrictions when using the dynamic mechanism:
• It can only be used to support internal hosts.
• It only supports individual IPs (ranges and subnets will be ignored).
• An IP may appear in only ONE Dynamic External Host File.
Note that another side effect of the dynamic system is that the IPs updated with the
Dynamic text file are deleted when the Service Gateway reboots. The NetXplorer
server will update the IPs again after approximately 10 minutes, but until then there
will be no rule matching to the pipes and VCs in the Enforcement Policy that use
those text files in their conditions.


External Text File Format


Type                 | Format                     | Example
IPv4 address         | Name;IP                    | IP1;1.1.1.1
IPv4 subnet          | Name;IP/Mask               | IP1;1.1.1.0/255.255.255.0
IPv4 range           | Name;IP-IP                 | IP2;5.5.5.5-6.6.6.6
IPv6 address prefix  | Name;IP\<prefix_length>    | Prefix_name;2001:1234::/32
IPv6 address range   | Name;IP-IP\<prefix_length> | Range_name;2001:1234::-2001:1234::/32

(The example file on the slide shows identical IPv6 addresses defined in two different ways.)

NOTES:
• Each entry must be on a separate line
• The Dynamic External Text File Host Group supports only the IPv4 address entry type

Using this feature, you can import long lists of hosts from an external text file into a Host
Group or Host List Catalog on the NetXplorer.
There are five types of hosts that can be imported: IP address, IP range, IP subnet, IPv6
address and IPv6 range. When using the dynamic method, IP address is the only type of
field that can be imported.
Create a text file according to the guidelines defined below, making sure that you enter
each host entry on a separate line. The text file format for each type of hosts is as follows:
IPv4 address: Name;IP
IPv4 subnet: Name;IP/Mask
IPv4 range: Name;IP-IP
IPv6 address prefix: Name;IP\prefix length
IPv6 address range: Name;IP-IP\prefix length
NOTE: This method creates individual hosts with corresponding names but they are all
added to a single group. They cannot be separated.
NOTE: There should be no space between the name and the IP itself. The semicolon
is the separator.


Defining External Text File Host List

(Screenshot: External Text File Host Entry Properties dialog, showing the file location on the NX server.)

Let's see how to create a new external text file host list. From the Hosts item in the
catalogs pane, choose “New External Text File Host List”. The External Text File Host
Entry Properties dialog is opened, and the path of the text file is entered. Locate the
file on the NetXplorer Server.


How Does the System Handle the Text File?

(Slide diagram: one Host Text File containing the hosts "IP1" and "IP2".
• Used with a Host List: all IPs from both hosts are presented in the same list; there is no host-related grouping.
• Used with a Host Group: 2 groups are created, one per host.)

Here we see how the system would handle the same text file, when the administrator
creates an external text file host list and an external text file host group.
A text file is created which includes two host names: IP1 and IP2. IP1 contains two IP
addresses and one IP subnet, and IP2 contains one IP and one IP range. Above we see
the imported host list, which simply extracts every entry in the file as a host item in
this single host list.
Below we see the imported host group, consisting of 2 host entries. Clicking each host
entry shows what it contains.
This difference has important implications later when we come to work with
templates (in Module 9).
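The slides above describe the text file format (Name;IP, one entry per line, semicolon separator, no spaces), the two ways the same file is imported (a flat host list versus one host per name in a host group) and the restrictions of the dynamic group. The following Python script is an added example, not Allot's importer: it parses a constructed file in that format, builds both the host-list and the host-group view, and applies the dynamic-group rules stated on the page (IPv4 addresses only, an IP in only one dynamic file, 10,000 entries per file). The page writes the IPv6 prefix separator both as "\" and as "/", so the parser accepts either; that choice, the normalisation of dotted masks to prefix lengths, and skipping blank lines are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample mirroring the IP1/IP2 file on the slides (not a real export).
SAMPLE_FILE = """IP1;1.1.1.1
IP1;1.1.1.2
IP1;1.1.1.0/255.255.255.0
IP2;5.5.5.5
IP2;5.5.5.5-6.6.6.6
Prefix_name;2001:1234::/32
Range_name;2001:1234::-2001:1234::/32
"""

DYNAMIC_MAX_PER_FILE = 10_000  # per the slide: 10,000 entries per dynamic file


@dataclass(frozen=True)
class HostItem:
    name: str   # host name before the ';'
    kind: str   # ipv4_address | ipv4_subnet | ipv4_range | ipv6_prefix | ipv6_prefix_range
    value: str  # normalised text form


def _split_prefix_length(text: str) -> tuple[str, int]:
    # The slide writes the IPv6 separator as '\' in the format column and as '/'
    # in the example column; accepting both is an assumption of this example.
    sep = max(text.rfind("\\"), text.rfind("/"))
    if sep < 0:
        raise ValueError(f"missing IPv6 prefix length: {text!r}")
    plen = int(text[sep + 1:])
    if not 0 <= plen <= 128:
        raise ValueError(f"bad IPv6 prefix length: {plen}")
    return text[:sep], plen


def parse_entry(line: str) -> HostItem:
    """Parse one 'Name;IP' line, rejecting spaces, extra fields and bad addresses."""
    if " " in line or "\t" in line:
        raise ValueError(f"whitespace is not allowed: {line!r}")
    name, sep, addr = line.partition(";")
    if not sep or not name or not addr or ";" in addr:
        raise ValueError(f"expected exactly one 'Name;IP': {line!r}")
    if ":" in addr:                                    # IPv6 prefix or prefix range
        body, plen = _split_prefix_length(addr)
        if "-" in body:
            lo, hi = (ipaddress.IPv6Address(p) for p in body.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed IPv6 range: {addr!r}")
            return HostItem(name, "ipv6_prefix_range", f"{lo}-{hi}/{plen}")
        return HostItem(name, "ipv6_prefix", str(ipaddress.IPv6Network(f"{body}/{plen}", strict=False)))
    if "-" in addr:                                    # IPv4 range
        lo, hi = (ipaddress.IPv4Address(p) for p in addr.split("-", 1))
        if lo > hi:
            raise ValueError(f"reversed IPv4 range: {addr!r}")
        return HostItem(name, "ipv4_range", f"{lo}-{hi}")
    if "/" in addr:                                    # IPv4 subnet; dotted mask is accepted
        return HostItem(name, "ipv4_subnet", str(ipaddress.IPv4Network(addr, strict=False)))
    return HostItem(name, "ipv4_address", str(ipaddress.IPv4Address(addr)))


def import_as_host_list(text: str) -> list[HostItem]:
    """Host List view: every entry lands in one flat list, whatever name it carries.
    Blank lines are skipped (an assumption); a malformed line fails the whole import."""
    items = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            items.append(parse_entry(raw))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return items


def import_as_host_group(text: str) -> dict[str, list[HostItem]]:
    """Host Group view: one host per distinct name, in first-seen order."""
    group: dict[str, list[HostItem]] = {}
    for item in import_as_host_list(text):
        group.setdefault(item.name, []).append(item)
    return group


def prepare_dynamic_group(text: str, ips_in_other_files: set[str]) -> tuple[list[HostItem], list[str]]:
    """Dynamic group rules from the page: only individual IPv4 addresses are loaded, an IP may
    appear in only one dynamic file, at most 10,000 per file. Returns (accepted, drop reasons)."""
    accepted, dropped = [], []
    for item in import_as_host_list(text):
        if item.kind != "ipv4_address":
            dropped.append(f"{item.name}: {item.kind} {item.value} ignored by the dynamic mechanism")
        elif item.value in ips_in_other_files:
            dropped.append(f"{item.name}: {item.value} already present in another dynamic file")
        else:
            accepted.append(item)
    if len(accepted) > DYNAMIC_MAX_PER_FILE:
        raise ValueError(f"{len(accepted)} addresses exceed the {DYNAMIC_MAX_PER_FILE} per-file limit")
    return accepted, dropped
```

Running `prepare_dynamic_group` over a file before placing it on the NX server shows exactly which entries the dynamic mechanism would silently ignore (the subnet, the range and both IPv6 entries of the sample), which is easy to miss when the only symptom is traffic that does not match the expected pipe or VC.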


Host Search

In which Host List is a host defined? Search for the host IP; the result is the host list that includes the desired host IP.

When you are working with long lists of hosts, you might lose track of individual host
entries. The host search is used to find a host definition from within a host list.
1. Select Catalogs and right-click Hosts in the Navigation pane and select Host Search
from the popup menu.
OR
In the Application Details pane, right-click an entry in the Host Catalog and select
Host Search from the popup menu.
The Host Search Properties dialog is displayed.
2. A Host Entry can be searched for by Host Name, IP or MAC address. Enter the
details of the host which you are looking for.
3. Click Search. Results are shown in the Search Results list.
4. Click Close to close the dialog.
Note that the search does not search within host groups.
Please keep in mind that Host Name (here it is called “Host”) and MAC Address
options are available only in the legacy product, AC-400, which is no longer sold.


How To Use – Host catalog

Group users:
• Per location
• Per importance
• Per department

Identify specific objects:
• Mission-critical server
• Company management team

What other uses can you think of?

Knowing your business objectives, you can use the host catalog to group users, for
example per geographical location, per importance to the organization, per
department, etc.
On the other hand, you can use host catalog to identify crucial network elements.
Later, you can build your policy to ensure that enough bandwidth is allocated to each
of these network elements.
Can you think of other uses for host catalogs? Share your thoughts with your trainer
and the training class.


Policy Table Example: Host Catalogs

(Screenshot: Host Catalogs used in the Policy Table.)

Returning to the enforcement policy editor in the NetXplorer, we see again the typical
policy that we saw earlier.
The highlighted area on the slide shows the internal host conditions defined for every
rule in the policy.


(Agenda slide repeated; this section covers the Service condition catalog.)

Service catalog entries are used to classify traffic by application or protocol.


Applications may be anything from an instant messaging application to a business
ERP application. Protocol entries include network protocols, transport protocols and
application protocols.


How are Services Identified?

• Layer 4 classification: by source and destination IP and port
• Layer 7 classification: by application signature
  o Which strings appear in the contents of the payload?
  o Do the packets have particular numerical properties?
  o Does the protocol behave and operate in a particular manner?
• Additional challenges:
  o Protocol encryption and concealment
  o Protocol tagging and encapsulation

At the heart of Allot's solutions is a DART engine which feeds off a comprehensive library of signatures and behavior.

The standard packet inspection process (shallow packet inspection) extracts basic
protocol information such as IP addresses (source, destination) and other low-level
connection states. This information typically resides in the packet header itself and
reveals the principal communication intent. The inspection level in the shallow
inspection process is insufficient to reach any application-related conclusions. For
example, if a packet is the result of an application trying to set up additional
connections for its core operation, an examination of the source or destination
addresses as they appear within the packet header itself will not reveal any useful
information regarding the connections to be used in the future, as requested by the
application.
Furthermore, it is very common that the necessary information is spread over several
packet transactions; and once again, examination of the header information alone
overlooks the complete transaction perspective.
DART, on the other hand, provides application awareness. This is achieved by
analyzing the content in both the packet header and the payload over a series of
packet transactions. At the heart of Allot’s solutions is a DPI engine which feeds off a
comprehensive library of signatures and behavior.


Service Object Types


3-level service object hierarchy:

Object                  | Example          | Note
Service Group           | Web Services     | Can contain any number of services and UDS items; used in the enforcement policy
Monitored Service Group |                  | Used in monitoring graphs
Services                | HTTP, HTTPS      |
UDS                     | www.footlive.com | HTTP based

• We will discuss UDS in detail in module 09

There are several different types of service objects - Service Groups and Monitored
Service Groups, Services and User Defined Signatures (UDS). The different types are
organized hierarchically.
Service groups enable you to efficiently assign multiple services to policies, instead of
defining separate policies on a service-by-service basis.
Monitored Service Group enables you to efficiently monitor multiple services,
irrespective of their policy assignment. It means that when monitoring groups of
apps, you don’t need to be limited by the groups you created for the purposes of
policy enforcement.
Services are the protocol or application-based criteria for traffic classification.
Services can exist in only one location in the hierarchy at any given time.
UDS objects give great flexibility to define signatures using any of the HTTP header
fields. We will discuss UDS in detail in module 10.


Service Objects Hierarchy


• NetXplorer comes with pre-defined services organized into several generic service groups and monitored service groups
• The default traffic policy is based on the pre-defined service groups
• Services can be updated with the latest applications and protocols, using the APU feature
• All services outside the default groups join the monitored service group called "Unclassified"

NetXplorer comes with pre-defined services to incorporate the growing number of
protocols representing the same or similar applications. These services are organized
into several generic service groups and monitored service groups such as Games,
Instant Messaging, Mail, Network Operation etc.
Note that these services can be updated, either manually or automatically, using the
Allot Protocol Update (APU) feature. The procedure for doing this is described fully at
the end of this module.
The default traffic policy classifies traffic into different VCs according to the generic
service groups, and this helps you to get an initial picture of the type of traffic running
through your network when you perform out of the box monitoring.
Note: All services not mapped to one of the default groups will join an extra
monitored service group called “Unclassified”. This will allow monitoring of all the
traffic flowing via the in-line platforms using one of the monitored service groups.


Service Definitions Options: Signature & Port

(Screenshot: the Web Applications Service Group. The HTTP service is defined by signature and port; the HTTPS service is defined by port only.)

To better understand services and service groups, let’s look at the Web Applications
Service group.
This group includes several services: HTTP, HTTP Proxy, HTTPS and more. Each service
is defined by its application signature and by its port numbers. HTTP is based on the
HTTP application signature, and it includes both a signature and a port number (80).
HTTPS is based on the Other TCP application and it includes a port only (443).
We will now review the steps to create a new service and explain all the different
options available.


Defining a New Service


• While NetXplorer comes with an extensive set of common services, you may want to define additional services
• A new service created by the user is marked with a small blue question mark, to indicate that it is a user-created service and not part of the Allot Protocol Pack

While NetXplorer comes with an extensive set of common services, you may want to
define additional services. There are two methods for defining additional services:
1. Creating a new service based on an existing application type recognized by
Allot’s DPI engine.
2. Selecting a known service from the protocol library containing over 1000
protocols recognized by their IANA (Internet Assigned Numbers Authority) assigned
ports.
The new service created by the user will be marked with a small blue question mark,
to indicate that this is a user created service, and not part of the Allot Protocol Pack.


How to define a New Service?


1. Based on an Existing Application
   1. On Application Type, choose the existing application that you want to base the service on
   2. Assign additional properties to it, such as Identification Method and Port Number (this can be limited to a specific Host List)
2. Based on the IANA Port Assignment
   1. Select one or more entries in the library and click Commit
   2. These library-based services use layer 4 identification, based on standard port usage for specific applications

To add a new service, right-click Services in the Navigation pane and select New. The
Service Entry Properties dialog box is displayed.
To create a new service based on an existing application, select the basic application
type from the Application Type drop-down list and choose ADD. Assign additional
properties to it, such as the port number, and define the entry identification method.
You can also take a recognized application and re-define the way in which it is recognized.
Identification method options:
• Default: The DPI engine identifies the traffic by signature. If the signature is not
recognized, then the traffic is identified according to the port used, regardless of
the application.
• Signature: The DPI engine identifies the traffic according to the signature of origin,
regardless of the port. You can choose to check for this signature on particular
ports or on all ports. By using this method, you can distinguish between
applications which use the same signature on different ports.
• Port/Server based: Traffic on this destination port or server will be identified as
the service you have defined.
To select a publicly recognized port assignment for the application, click Library in the
Service Entry Properties dialog box. The Service Protocols Library dialog box is
displayed. These library-based services use layer 4 identification, based on standard
port usage for specific applications.
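To make the three identification methods concrete, here is an added Python model (not Allot's DART engine or any NetXplorer code) of how a flow is matched against a small service catalog. The "signature" is a naive byte-prefix check standing in for a real application signature; the precedence between methods, the Intranet-Web and ERP-Server entries and all flows are assumptions constructed for the example, while HTTP (signature plus port 80) and HTTPS ("Other TCP" on port 443 only) follow the slide. Note what the port-only HTTPS entry does: any unrecognised traffic on 443 inherits the HTTPS classification and therefore its policy, while plain HTTP sent to 443 is still caught by the HTTP signature.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes      # leading bytes of the flow, as a DPI engine would inspect them


@dataclass(frozen=True)
class Service:
    name: str
    method: str                          # "default" | "signature" | "port"
    signature: Optional[bytes] = None    # byte prefix standing in for an application signature
    ports: frozenset = frozenset()       # for "signature": empty means check on all ports
    servers: frozenset = frozenset()     # for "port": destination servers that identify the service


def _signature_hit(svc: Service, flow: Flow) -> bool:
    return svc.signature is not None and flow.payload.startswith(svc.signature)


def _port_or_server_hit(svc: Service, flow: Flow) -> bool:
    return flow.dst_port in svc.ports or flow.dst_ip in svc.servers


def classify(flow: Flow, catalog: list) -> Optional[str]:
    """Return the name of the matching service, or None if nothing in the catalog matches.

    Precedence (an assumption of this model, chosen so the more specific rule wins):
      1. "signature" services: signature must match, on the listed ports (any port if none listed)
      2. "default" services: signature match on any port
      3. no signature recognised at all: "default" and "port" services by destination port or server
    """
    for svc in catalog:
        if svc.method == "signature" and _signature_hit(svc, flow):
            if not svc.ports or flow.dst_port in svc.ports:
                return svc.name
    for svc in catalog:
        if svc.method == "default" and _signature_hit(svc, flow):
            return svc.name
    for svc in catalog:
        if svc.method in ("default", "port") and _port_or_server_hit(svc, flow):
            return svc.name
    return None


# Constructed catalog. HTTP and HTTPS follow the slide; the other two entries are assumptions.
CATALOG = [
    Service("HTTP", "default", signature=b"GET ", ports=frozenset({80})),
    Service("HTTPS", "port", ports=frozenset({443})),
    Service("Intranet-Web", "signature", signature=b"GET ", ports=frozenset({8080})),
    Service("ERP-Server", "port", servers=frozenset({"10.0.0.50"})),
]

# Constructed flows; the payloads are illustrative first bytes, not captured traffic.
FLOWS = {
    "http_on_80":        Flow("203.0.113.10", 80,   b"GET / HTTP/1.1\r\n"),
    "http_sig_on_8080":  Flow("203.0.113.10", 8080, b"GET /app HTTP/1.1\r\n"),
    "http_sig_on_8081":  Flow("203.0.113.10", 8081, b"GET /x HTTP/1.1\r\n"),
    "tls_on_443":        Flow("203.0.113.10", 443,  b"\x16\x03\x01\x00\xa5\x01"),
    "plain_http_on_443": Flow("203.0.113.10", 443,  b"GET / HTTP/1.1\r\n"),
    "tunnel_on_443":     Flow("203.0.113.10", 443,  b"\x00\x01\x02\x03tunnel"),
    "erp_by_server":     Flow("10.0.0.50",    1521, b"\x00\x5a\x00\x00\x01"),
    "unknown_p2p":       Flow("203.0.113.10", 6881, b"\x13BitTorrent protocol"),
}


def classify_all(catalog=CATALOG, flows=FLOWS) -> dict:
    """Classify every sample flow; None marks traffic no service in the catalog identifies."""
    return {label: classify(flow, catalog) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, result in classify_all().items():
        print(f"{label:<18} -> {result}")
```

The two 443 cases are the ones to remember when a policy relies on a port-only service: "tunnel_on_443" is classified as HTTPS purely because of its port, so a port-only definition is only as trustworthy as the assumption that nothing else uses that port, whereas "http_sig_on_8080" versus "http_sig_on_8081" shows how a Signature-method service restricted to particular ports separates one application from another that carries the same signature.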


Service Group / Monitored Service Group


• User-defined
• Several services can be combined into one group
• Similar services can be grouped together and assigned the same QoS, as in the example "Business Applications"

(Screenshot: selecting the services to be added to a Service Group; the services are added to a new Service Group.)

You can define your own service groups by combining several services into a single
group. Similar services can be grouped if you want to apply the same QoS policy to
them. An example of this is seen on the screen, where a service group called:
“Business Applications” is created, consisting of Oracle, SAP and Vonage, with a view
to giving this group a guaranteed quality of service.
While Service Groups are defined to classify traffic and then perform different actions
on that traffic as part of the enforcement policy, you can also group services together
into Monitored Service Groups for the purpose of monitoring only.
These two mechanisms work independently of one another, meaning that a
particular service may be included in a particular service group for the purpose of
enforcement, while in a separate monitored service group for the purpose of
monitoring.
Groups combine port recognition and Layer 7 analysis. Within a group, the
identification of one service might be based on Layer 7 analysis, while another might
be identified by port number alone.


Moving an Existing Service to a Group

1. Select the service to move
2. Right-click and select Move
3. Select the parent group

Moving a service to an existing service group is also a simple process. For example, here
we see how to move H.323 to the Business Applications Group that we defined earlier.
To move a service into an existing Service Group:
1. In the Service Catalog, right-click the service that you want to move and select Move
from the shortcut menu. The Move Service - Select Target dialog is displayed.
2. Select the location to which you want to move the selected Service.
3. Click Save.
Note that you cannot move a group into another group. If you wish to classify traffic
from different service groups into a single Pipe or VC, this can be done using the “add
rule” function when building the traffic policy.


How To Use – Service Catalog

Identify:
• Critical business applications
• Video traffic
• High-bandwidth-consuming apps
• Non-time-sensitive traffic

In order to:
• Ensure high QoE
• Block risky applications
• Ensure high priority
• Throttle at times of congestion

What other uses can you think of?

Knowing your business objectives, you can use service catalogs to identify services
and applications and control them. For example:
• Identify your critical business applications to ensure high quality of experience for
them at all times.
• Prioritize critical and time sensitive business applications and throttle non-time
sensitive traffic at times of congestion.
• Identify high bandwidth consuming applications, such as P2P and limit the
available bandwidth for them during peak hours.
We will learn more about how to configure such policies in modules 7 & 8 of this
training course.
Can you think of other uses for service catalogs? Share your thoughts with your
trainer and the training class.

ACTE (Enterprise Track) 33


Module 7: Conditions

Example: Service Catalogs used in the Policy Table

[Screenshot callout: Service Catalogs used in the Policy Table]

34

Returning to the enforcement policy editor in the NetXplorer, we see again the typical
policy that we saw earlier.
The highlighted area on the slide shows the service conditions defined for every rule
in the policy.

ACTE (Enterprise Track) 34


Module 7: Conditions

• Why Do We Need To Classify?
• Condition Catalogs
o Host
o Service
o Time
• Allot Protocol Updates (APU)

[Diagram: Analyze Business Objectives → Define Conditions (Catalogs) → Create Policies (Actions) → Monitor and Analyze]

35

In this section we will examine the time catalog.

ACTE (Enterprise Track) 35


Module 7: Conditions

Time Catalog

• Defines period of time during which a rule is active


• Example:
Limit P2P during work hours
• When time expires:
Traffic is reclassified

36

The Time Catalog contains entries that are used to define the period of time during
which a particular rule is active.
Time Catalog entries are useful when you want to apply conditions to traffic only on
specific days or at specific times. For example, you might differentiate between work
and non-work hours, or give priority to maintenance jobs run at scheduled times.
NOTE: You can use time catalogs to divide time up as you wish, for example by
defining as many time cycles as you want within a 24 hour period.
If a time catalog has been assigned to a Line, Pipe or Virtual Channel, what happens
when the expiration time is reached?
Both new and existing connections will be reclassified into other Lines, Pipes or
Virtual Channels.

ACTE (Enterprise Track) 36


Module 7: Conditions

Defining Time Entry

37

To define a time period:


1. In the Navigation pane, right-click Time and select New Time from the shortcut
menu. The Time Entry Properties dialog box is displayed.
2. In the Name field, edit the name of the entry and add a description as required.
3. Click Add. The Add Time Item dialog box is displayed.
4. In the “Frequency” area, select the frequency of the time period. The parameters
available in the “When” area vary according to the frequency selected. Select the
required time period in the When and the Recurrence areas.
5. Click OK and then Save.
Note: the time entries of consecutive rules must overlap in order to allow re-classification
of traffic from one rule to the next. Otherwise, traffic will be re-classified to a fallback rule.

ACTE (Enterprise Track) 37


Module 7: Conditions

Reclassification on Time Expiration


• Classification of the traffic is based on the defined time hours.
• When the time definition expires, the traffic is reclassified to a different policy rule.

38

Here is an example of using Time Catalog entries to define a time-based policy. In this
example, Peer to Peer traffic is limited to 256kbps during work hours and has a much
more liberal limit outside work hours.

ACTE (Enterprise Track) 38


Module 7: Conditions

How To Use – Time catalog

Define:
• Working hours
• Maintenance hours

In Order To:
• Prioritize business critical applications
• Steer the access to servers under maintenance to secondary servers

What other uses can you think of?

39

Knowing your business objectives, you can use time catalogs to define different time
slots and control them. For example:
• Define your organization's working hours to ensure high quality of experience for
your business applications.
• Define maintenance hours to steer the access to servers under maintenance to
secondary servers or to a captive portal with a maintenance notice.

We will see more about how to configure such policies in modules 7 & 8 of this
training course.
Can you think of other uses for time catalogs? Share your thoughts with your trainer
and the training class.

ACTE (Enterprise Track) 39


Module 7: Conditions

Example: Time Catalogs used in the Policy Table

[Screenshot callout: Time Catalogs used in the Policy Table]

40

Returning to the enforcement policy editor in the NetXplorer, we see again the typical
policy that we saw earlier.
The highlighted area on the slide shows the internal time conditions defined for every
rule in the policy.

ACTE (Enterprise Track) 40


Module 7: Conditions

• Why Do We Need To Classify?
• Condition Catalogs
o Host
o Service
o Time
• Allot Protocol Updates (APU)

[Diagram: Analyze Business Objectives → Define Conditions (Catalogs) → Create Policies (Actions) → Monitor and Analyze]

41

Finally, let’s examine Allot’s Protocol Update capability.

ACTE (Enterprise Track) 41


Module 7: Conditions

Allot Protocol Pack


• PP (Protocol Pack) is a collection of all services supported by Allot.
• As new apps constantly appear and existing apps evolve, new versions of
Protocol Pack are released every few weeks.
• APU – Allot Protocol Updates is the ability to update the Protocol Pack in NX
and its managed SGs.
• APU does not upgrade the AOS version and no re-boot is required.

[Screenshot: Protocol Pack release example]
42

The NetXplorer operates in a constantly evolving network environment. New
protocols constantly appear, and existing applications evolve.
The Allot Protocol Updates (APU) are designed to update the service catalog, so that
additional protocols can be identified. APU does not upgrade the software, and no re-
boot is required.
Each Protocol Pack is identified by a Protocol Pack number and build number. For
example, PP 3.126.4. The Protocol Pack here is 3.126 and the build number is 4.
Note: After a Protocol Pack Update, service assignments to service groups will not
return to default, unless the “Revert service-group assignment to default” option is selected.

ACTE (Enterprise Track) 42


Module 7: Conditions

What Do You Need to update PP?


Valid Support Contract Required!

[Diagram: NX Key for the NetXplorer server; an SG Key for each managed SG]
43

In order to access Web updates, you need a valid support contract as well as an
appropriate key for both the NetXplorer server and all the platforms which it
manages. You obtain these keys by renewing your support contract.
To check that APU is included in your NetXplorer key (and to enter a new one if it is
not), from the “Tools” menu select “NetXplorer Application server registration”.
To perform the same check for the SG, from the Network tree select the SG and
choose “Configuration”. Go to the “Identification & Key” tab. Here you can see if APU
is enabled and you can identify the currently installed protocol pack.

ACTE (Enterprise Track) 43


Module 7: Conditions

Update Stages

1. Download protocol pack to NX server (manual or automatic)
2. Update NetXplorer server (manual or automatic)
3. Update SGs (manual only)

[Diagram: NetXplorer Server pushing the protocol pack to the managed SGs]
44

The upgrade process consists of the following 3 steps:


1) Downloading the protocol pack to the NetXplorer server
2) Updating the NetXplorer server
3) Updating the Service Gateways
Note: it is possible to update the NetXplorer or the SG in isolation. If, however, a
policy is created based on a service that is only updated in the server, the SG will
ignore it and the user will see mis-classified traffic.
Updating the protocol pack does not require any reboot to the NetXplorer or Service
Gateway.

ACTE (Enterprise Track) 44


Module 7: Conditions

Protocol Pack Update Wizard


Step 1: Update from Web | Step 2: Install Updates on NX | Step 3: Install Updates on SG
• Protocol updates wizard
• Leads you through each of 3 steps

[Screenshot callouts: Signatures added in this PP; Signatures updated in this PP; Summary]

45

Step 1: If your NetXplorer server can access the Allot Website on the internet, the simplest
way to perform manual updates is by using the protocol updates wizard. The wizard is
accessed from the protocol updates item on the Tools menu. Choose “From Allot Web Site”.
Step 2: Firstly, the wizard will check for updates. A list of changes to be made to the service
catalog and the protocol pack number will be displayed. The pending changes are divided into
applications, services and service groups. Each one is split up into “Create” for new
applications/services and groups and “Update” for updating existing ones. Click on “update
now” to download the protocol pack to the NetXplorer and apply all of the listed changes to
the service catalogs of the NetXplorer. When the service catalog has been successfully
updated, the list of changes will be displayed. In addition, the successful installation will be
recorded in the alarms log.
NOTE: Services that have been manually moved, added or deleted from a service group by
the user will not change their location due to a Protocol Pack upgrade or rollback, unless
the service has been deleted from the new Protocol Pack, in which case it will also be
deleted from the service catalog and any groups it is part of.
Step 3: The 3rd and final stage of the process is to update the Service Gateways. Select the
Service Gateways that you wish to update. In the example above there is only one SG
available. For each SG you can see the services to be changed by clicking the “Advanced”
button. You can also choose the specific PP version you wish to install from this window.
Clicking Next one more time brings you to the end of the process.

ACTE (Enterprise Track) 45


Module 7: Conditions

APU Configuration & Alerts


Right Click on Network → Configuration → Protocol Updates Tab

[Screenshot callouts: stages 1, 2 and 3; SGs must be updated manually]

46

Stages 1 and 2 of the process can be configured to run automatically.


In the Network tree, right-click “Network” and select “Configuration” from the menu.
In the network configuration dialog, select the “Protocol Updates” tab. Note: the
build number is not displayed in this window, only the Protocol Pack version.
Here you can configure the NetXplorer to check for updates periodically (stage 1). If
there is an update, the protocol pack will be downloaded to the NetXplorer server,
and an alarm will be displayed in the alarm log. You can also choose to automatically
install the new update on the NetXplorer server (stage 2).
Note that in any event, the update of the service catalogs on the SGs (stage 3) must
be done manually.
Once a Protocol Pack is updated, an alert will show up in the alarm log indicating a
successful update.

ACTE (Enterprise Track) 46


Module 7: Conditions

If no access to Allot Website


1. Download protocol pack to NX server
• From Allot Website (Manually or Automatically)
• From a Server (where NX is not directly connected to Internet)
• From a Flash Drive (where NX is not directly connected to Internet)
2. Update NX server
3. Update SGs

[Diagram: NetXplorer Server pushing the protocol pack to the managed SGs]

Full Procedure in Protocol Pack Release Notes 47

We have seen how the upgrade package is downloaded using the wizard and how this
process can be configured to run automatically.
There are additional ways to download the update package to the NetXplorer server
which can be particularly useful when the NetXplorer has no direct access to the
internet.
In this case, the package can be downloaded from the Allot Support Area and copied to
another server, an external hard drive or a Flash Drive.
After you have it, go to the Tools menu in the NetXplorer GUI, and choose Protocol
Updates > From Local Package to update the NetXplorer. Choose Install to Device to
update the Service Gateways.
It is also possible to roll back the NetXplorer and/or the Service Gateways to a
previous version.
Follow the full procedure in the Protocol Pack Release Notes.

ACTE (Enterprise Track) 47


Module 7: Conditions

Review Question
Which condition catalogs do you need to define
for the rule below?

Give high priority to Mail applications


during working hours

Service Group: Mail
Service: X
Time: Working Hours
Host List: X

48

Which condition catalogs do you need to define in order to create a rule which gives
high priority to Mail applications during working hours?

ACTE (Enterprise Track) 48


Module 7: Conditions

Review Question
Which condition catalogs do you need to
define for the rule below?

Limit eDonkey downloads for Engineering


Department during peak surfing hours

Service Group: X
Service: eDonkey
Time: Peak Surfing Hours
Host List: Engineering Dep.
49

Which condition catalogs do you need to define in order to create a rule which limits
eDonkey download traffic for the Engineering Department during peak surfing hours?

ACTE (Enterprise Track) 49


Module 7: Conditions

Review Question

Look at the entry identification definitions for


the service below.
How will the SG identify this service?

Any traffic for which no application signature can be matched, but which is running on
port number 5634, will be classified as this particular service.

50

Look at the entry identification definitions for the service displayed here. How will the
SG identify this service?
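The three review questions above and the time-based reclassification slide (38), worked through as an added Python example that is not Allot's code: the catalogs, host list, rule names and the port 5634 entry are constructed sample values. A flow is re-run through the policy table when its time entry expires, and a port-only service entry catches only traffic with no Layer 7 signature match.

```python
from datetime import datetime
# Constructed sample catalogs (assumed names and values, not Allot's data).
SERVICES = {  # service -> Layer 7 signatures and/or port numbers
    "Mail": {"sigs": {"SMTP", "IMAP", "POP3"}, "ports": set()},
    "eDonkey": {"sigs": {"eDonkey"}, "ports": set()},
    "CustomApp": {"sigs": set(), "ports": {5634}},  # port-only entry
}
SERVICE_GROUPS = {"Mail": {"Mail"}, "P2P": {"eDonkey"}}
HOST_LISTS = {"Engineering Dep.": {"10.1.1.10", "10.1.1.11"}}
TIME_CATALOG = {  # name -> (active weekdays with Mon=0, start hour, end hour)
    "Working Hours": ({0, 1, 2, 3, 4}, 9, 17),
    "Peak Surfing Hours": (set(range(7)), 12, 14),
}
# Policy table: evaluated top-down, first match wins; last rule is the fallback.
POLICY = [
    {"name": "Mail priority", "group": "Mail", "time": "Working Hours", "action": "priority=high"},
    {"name": "eDonkey Engineering", "service": "eDonkey", "hosts": "Engineering Dep.",
     "time": "Peak Surfing Hours", "action": "limit=256kbps"},
    {"name": "P2P off-peak", "group": "P2P", "action": "limit=2Mbps"},
    {"name": "Fallback", "action": "normal"},
]

def identify_service(signature, port):
    """Signature match wins; a port-only entry only catches unsigned traffic."""
    for name, entry in SERVICES.items():
        if signature in entry["sigs"]:
            return name
    if signature is None:  # no L7 match: fall back to port-based entries
        for name, entry in SERVICES.items():
            if port in entry["ports"]:
                return name
    return None

def time_active(name, when):
    days, start, end = TIME_CATALOG[name]
    return when.weekday() in days and start <= when.hour < end

def classify(src_ip, port, signature, when_iso):
    """(rule name, action) for a flow at ISO time when_iso; re-run on expiry."""
    when = datetime.fromisoformat(when_iso)
    service = identify_service(signature, port)
    for rule in POLICY:
        if "service" in rule and rule["service"] != service:
            continue
        if "group" in rule and service not in SERVICE_GROUPS[rule["group"]]:
            continue
        if "hosts" in rule and src_ip not in HOST_LISTS[rule["hosts"]]:
            continue
        if "time" in rule and not time_active(rule["time"], when):
            continue
        return rule["name"], rule["action"]
    raise RuntimeError("policy table has no fallback rule")
```

Calling classify for the same eDonkey flow at 13:00 and again at 20:00 shows the reclassification from the 256kbps rule to the more liberal off-peak rule once the Peak Surfing Hours entry expires.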

ACTE (Enterprise Track) 50


Module 7: Conditions

Exercise

Condition Catalogs

7.1 Host-Based Classification

7.2 Classifying by Service

7.3 Classifying by Time

51

ACTE (CSP) 51