Table Of Contents
Initializing the Guard Module
Using the Command Line Interface
Issuing Commands in the CLI
Using the No Form of a Command
Show Command Syntax
CLI Error Messages
Tips for Using the CLI
Help
Tab Completion
Operation Direction Conventions
Abbreviating a Command
Wildcard Characters
Configuring the Guard Module Interfaces
Configuring a Physical Interface
Configuring a VLAN
Configuring a Loopback Interface
Configuring the Default Gateway
Adding a Static Route to the Routing Table
Configuring the Proxy IP Address
Managing the Guard Module
Managing the Guard Module with Web Based Management
Accessing the Guard Module with SSH
Reloading the Guard Module
Rebooting the Guard Module
Initializing the Guard Module
This chapter describes how to use the command line interface (CLI) and basic Guard module configuration procedures.
This chapter includes the following topics:
• Using the Command Line Interface
• Configuring the Guard Module Interfaces
• Configuring the Default Gateway
• Adding a Static Route to the Routing Table
• Configuring the Proxy IP Address
• Managing the Guard Module
• Reloading the Guard Module
• Rebooting the Guard Module
Using the Command Line Interface
Using the CLI you can control the Guard module functions. The Guard module user interface is divided into many different command modes. The commands available to you at any given time depend on which mode you are currently in. Entering ? at the system prompt allows you to obtain a list of commands available for each command mode.
The access to the CLI is mapped according to user privilege levels. Each privilege level has its own group of commands.
Table 3-1 describes the user privilege levels.
Table 3-1 User Privilege Levels
User Privilege Level | Description
Administration (admin) | Full access to all commands
Configuration (config) | Full access to all commands except the commands relating to user definition, deletion, and modification
Dynamic (dynamic) | Access to show commands, protect and learning related commands, and Flex and Dynamic filter configuration (see the note below)
Show (show) | All the Global commands and show commands
Note
We recommend that users with Administration and Configuration privilege levels configure all filters. Users with lower privilege levels can add and remove Dynamic filters.
Issuing Commands in the CLI
Table 3-2 summarizes the rules for entering CLI commands.
Table 3-2 CLI Rules
To | Keyboard Sequence
Scroll through and modify the command history | Use the arrow keys
Display commands available in a specific command mode | Shift + ?
Display a command completion | Type the beginning of the command and press TAB
Display command syntax completions | Type the command and press TAB twice
Scroll using the more command | more number-of-lines (the number-of-lines argument sets how many additional lines are displayed each time you press the SPACE bar; the default is two fewer lines than the terminal can display)
Scroll a single screen (within a command output) | SPACE bar
Scroll back a single screen (within a command output) | b
Stop scrolling | q
Search forward for a string | / string
Search backward for a string | ? string
Cancel the action or delete a parameter | Use the no form of the specific command
Display information relating to a current operation | show
Exit from the current command group level to a higher group level | exit
Exit all command group levels and return to the root level | end
Display command output from and including the first line that contains a string | | begin string
Display command output lines that include a string | | include string
Display command output lines that do not include a string | | exclude string

Note
If you issue the exit command at the root level, you will exit the CLI environment to the operating system login screen.
Using the No Form of a Command
Almost every configuration command also has a no form. In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the event monitor command turns on the event monitor, the no event monitor command turns it off.
Show Command Syntax
You can execute zone related show commands from the zone configuration mode. Alternatively, you can execute these commands from the global or configuration modes.
The syntax for the show command in the global or configuration modes is:
show zone zone-name parameters...
The syntax for the show command in the zone configuration mode is:
show parameters...
Note
This guide uses the show command syntax from the zone configuration mode as its writing convention unless explicitly specified.
CLI Error Messages
The Guard module CLI displays error messages in the following cases:
• The syntax of the command is incomplete or incorrect.
• The command does not match the system configuration.
• The operation could not be performed due to a system failure. In this case, an entry is created in the system log.
Tips for Using the CLI
Help
The CLI provides context-sensitive help at every mode of the command hierarchy. The help information tells you which commands are available at the current command mode and provides a brief description of each command.
To get help, type ?.
To display help for a command, type ? after the command.
Typing ? at the command prompt displays all commands available in that mode along with a short description.
The help displays only commands available in the current mode.
Tab Completion
You can type a portion of a command and press Tab to complete the command.
After entering a command that has a value with multiple options, press Tab twice to display a list of possible input parameters. This is true for system-defined parameters and user defined parameters.
For example, pressing Tab twice after entering the policy-template command in zone configuration mode displays the list of policy template names. Pressing Tab twice after entering the zone command in configuration mode displays zones that are already defined.
If multiple commands match for a Tab completion, nothing is displayed; the terminal repeats the current line you entered.
Tab completion and help display only commands available for the current mode.
Operation Direction Conventions
In general, when FTP comes before the command name, the direction of the command is to copy from the Guard module to the FTP server. When the command comes before the FTP, the direction of the command is to copy from the FTP server to the Guard module. For example, the copy log ftp command copies the log file to the FTP server. The copy ftp new-version command copies the new version from the FTP server to the Guard module.
Abbreviating a Command
You can abbreviate commands and keywords to the number of characters that allow a unique abbreviation.
For example, you can abbreviate the show command to sh.
Wildcard Characters
You can use an asterisk (*) as a wildcard.
For example:
If you issue the learning policy-construction * command, the policy construction phase is activated for all the zones that are configured on the Guard module.
If you issue the learning policy-construction scan* command, the policy construction phase is activated for all the zones that are configured on the Guard module with names that begin with scan (such as scannet, scanserver and so on).
If you issue the no zone * command, all zones are removed.
Configuring the Guard Module Interfaces
This section describes the procedures to configure the Guard module interfaces. The Guard module has one management port and two data ports on the supervisor.
In the current version, only one data port is utilized.
You must enter configuration mode to configure the Guard module.
Enter the following command:
configure [terminal]
You must configure Guard module interfaces for proper Guard module functioning. Interface characteristics include, but are not limited to, IP address and interface MTU.
Caution 
You must not configure two physical interfaces on the same subnet.
Many features are enabled on a per-interface basis. When you enter the interface command, you must specify the interface type and number.
The following general guidelines apply to all physical and virtual interface configuration processes:
• Each interface must be configured with an IP address and an IP subnet mask.
• You must activate each interface using the no shutdown command.
• After every major interface configuration change, you must reload the Guard module.
To display the configuration of an interface, use the show or show running-config commands.
Configuring a Physical Interface
To configure a physical interface, perform the following steps:
Step 1
Enter interface configuration mode. Enter the following command in configuration mode:
interface if-name
The if-name argument specifies the interface name.
The Guard module supports the following interfaces:
• eth1—Management port
• giga2—Data port
Step 2
Set the interface IP address. Enter the following command:
ip address ip-addr ip-mask
The ip-addr and ip-mask arguments define the interface IP address.
Step 3
(Optional) Define the interface MTU. Enter the following command:
The integer argument is an integer between 576 and 16384 bytes for the eth1 interface and an integer between 576 and 1824 bytes for the giga2 interface.
The default MTU value is 1500 bytes.
Step 4
Activate the interface. Enter the following command:
no shutdown
You must reload the Guard module configuration if you have made major changes.
Note
If you do not reload the Guard module configuration, the configuration is modified, but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface eth1
admin@GUARD-conf-if-eth1# ip address 10.10.10.33 255.255.255.252
admin@GUARD-conf-if-eth1# no shutdown
Configuring a VLAN
You can define VLANs on the data port.
To define a VLAN, perform the following steps:
Step 1
Enter VLAN interface configuration mode, if one exists, or define a new VLAN. Enter the following command in configuration mode:
interface giga2.vlan-id
The vlan-id argument is an integer that specifies the VLAN ID number. The VLAN ID is an IEEE 802.1Q tag number.
Step 2
Set the VLAN IP address. Enter the following command:
ip address ip-addr ip-mask
The ip-addr and ip-mask arguments define the interface IP address.
Step 3
(Optional) Define the interface MTU. Enter the following command:
The integer argument is an integer between 576 and 1824 bytes.
The default MTU value is 1500 bytes.
Step 4
Activate the interface. Enter the following command:
no shutdown
You must reload the Guard module configuration if you have made major changes.
Note
If you do not reload the Guard module configuration, the configuration is modified but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface giga2.2
admin@GUARD-conf-if-giga2.2# ip address 192.168.5.8 255.255.255.0
admin@GUARD-conf-if-giga2.2# no shutdown
Configuring a Loopback Interface
You can configure a loopback interface.
To configure the loopback interface, perform the following steps:
Step 1
Enter the loopback interface configuration mode, if one exists, or define a new loopback interface. Enter the following command in configuration mode:
interface if-name
The if-name argument specifies the loopback interface name. The interface name is lo:integer, where integer is an integer between 0 and 1023.
Step 2
Set the loopback interface IP address. Enter the following command:
ip address ip-addr ip-mask
The ip-addr and ip-mask arguments define the interface IP address.
Step 3
Exit the loopback interface configuration mode. Enter the following command:
exit
You must reload the Guard module configuration if you have made major changes. If you do not reload the Guard module configuration, the configuration is modified but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface lo:0
admin@GUARD-conf-if-lo:0# ip address 1.1.1.1 255.255.255.255
admin@GUARD-conf-if-lo:0# exit
Configuring the Default Gateway
You can assign a default Gateway to the Guard module. In most cases, the Guard module default gateway IP address is the adjacent router, located between the Guard module and the Internet. The default gateway address must be on the same network as one of the IP addresses of the Guard module network interfaces.
Note
Do not assign an IP address to a default Gateway while the Guard module is in protect mode.
Caution 
Removing a default gateway address may render the Guard module inaccessible.
To assign a default Gateway address, enter the following command:
default-gateway ip-addr
The ip-addr argument specifies the default Gateway IP address. To modify the default Gateway address, reissue the command.
For example:
admin@GUARD-conf# default-gateway 192.168.100.1
Adding a Static Route to the Routing Table
You can add a static route to the Guard module routing table. Add a static route to specify routes for servers or networks outside the local networks associated with the Guard module IP interfaces.
The static route is added permanently and is not removed after the Guard module is rebooted.
To add a static route to the Guard module routing table, enter the following command:
ip route ip-addr ip-mask nexthop-ip [if-name]
Table 3-3 provides the arguments for the ip route command.
Table 3-3 Arguments for the ip route Command
Parameter | Description
ip-addr | The network destination of the route. The destination can be an IP network address (where the host bits of the network address are set to 0) or an IP address for a host route.
ip-mask | The subnet mask associated with the network destination.
nexthop-ip | The forwarding (nexthop) IP address over which the set of addresses defined by the network destination and subnet mask are reachable. The nexthop IP address should be within the interface subnet. For local subnet routes, the nexthop IP address is the IP address assigned to the interface that is attached to the subnet. For remote routes, available across one or more routers, the nexthop IP address is a directly reachable IP address that is assigned to a neighboring router.
if-name | (Optional) The Guard module interface or VLAN over which the destination is reachable.

Note
If you do not specify an interface, the Guard module determines the interface for the route from the nexthop IP address according to its routing table.
For example:
admin@GUARD-conf# ip route 172.16.31.5 255.255.255.255 192.168.100.34
Use the show ip route command to display the routing table.
Configuring the Proxy IP Address
You must assign the Guard module a proxy IP address. The Guard module proxy IP address is required for the proxy mode anti-spoofing protection mechanisms. Do not assign a proxy IP address to the Guard module while the Guard module is in protect mode. See the "Protection Mechanisms" section for further details.
Warning
You cannot activate zone protect mode without defining a proxy IP address.
To configure the Guard module anti-spoofing proxy IP address, enter the following command:
proxy ip-addr
The ip-addr argument specifies the proxy IP address.
You must verify the route between every zone and the Guard module proxy IP address. The Guard module does not answer ping requests to its proxy IP address.
To configure additional proxy IP addresses, re-issue the command.
We recommend that you configure three to four proxy IP addresses. The Guard module can have up to ten proxy IP addresses.
You must reload the Guard module configuration for the change to take effect.
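As an added example that is not part of the Cisco documentation, the following Python script checks a planned configuration against the constraints this chapter states for interfaces, the default gateway, static routes and proxy IP addresses before the commands are issued and the configuration reloaded; the dictionary layout and the function name are this example's own assumptions.

```python
import ipaddress

# MTU limits in bytes per physical port, as stated in this chapter.
MTU_RANGES = {"eth1": (576, 16384), "giga2": (576, 1824)}
MAX_PROXY_ADDRESSES = 10  # the chapter's stated maximum

def check_config(interfaces, default_gateway, static_routes, proxy_ips):
    """Return a list of problems (empty means the plan passes every check).
    interfaces: {name: {"ip": str, "mask": str, "mtu": int or None}};
    static_routes: [(dest_ip, dest_mask, nexthop_ip)]; proxy_ips: [str].
    """
    problems = []
    nets = {}
    for name, cfg in interfaces.items():
        # Every interface needs an IP address and a subnet mask.
        if not cfg.get("ip") or not cfg.get("mask"):
            problems.append(f"{name}: missing IP address or subnet mask")
            continue
        nets[name] = ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}")
        # VLANs (giga2.N) are checked against the giga2 MTU range.
        base, mtu = name.split(".")[0], cfg.get("mtu")
        if mtu is not None and base in MTU_RANGES:
            lo, hi = MTU_RANGES[base]
            if not lo <= mtu <= hi:
                problems.append(f"{name}: MTU {mtu} outside {lo}-{hi}")
    # Two physical interfaces must not be configured on the same subnet.
    phys = [n for n in nets if "." not in n and not n.startswith("lo:")]
    for i, a in enumerate(phys):
        for b in phys[i + 1:]:
            if nets[a].network == nets[b].network:
                problems.append(f"{a} and {b} share subnet {nets[a].network}")
    # The default gateway must be on the subnet of one interface.
    gw = ipaddress.IPv4Address(default_gateway)
    if not any(gw in n.network for n in nets.values()):
        problems.append(f"default gateway {gw} is not on any interface subnet")
    # A static route's nexthop must be directly reachable from an interface.
    for dest, mask, nexthop in static_routes:
        nh = ipaddress.IPv4Address(nexthop)
        if not any(nh in n.network for n in nets.values()):
            problems.append(f"route {dest}/{mask}: nexthop {nh} unreachable")
    # Protect mode requires a proxy IP; the module holds at most ten.
    if not proxy_ips:
        problems.append("no proxy IP address; protect mode cannot be activated")
    elif len(proxy_ips) > MAX_PROXY_ADDRESSES:
        problems.append(f"{len(proxy_ips)} proxy IPs exceed the limit of 10")
    return problems

if __name__ == "__main__":
    # Constructed sample plan: giga2 on 192.168.100.0/24 with the gateway
    # and a route nexthop on that subnet, and three proxy addresses.
    plan = check_config(
        {"eth1": {"ip": "10.10.10.33", "mask": "255.255.255.252", "mtu": 1500},
         "giga2": {"ip": "192.168.100.34", "mask": "255.255.255.0", "mtu": 1500}},
        "192.168.100.1",
        [("172.16.31.5", "255.255.255.255", "192.168.100.254")],
        ["192.168.100.200", "192.168.100.201", "192.168.100.202"])
    print("OK" if not plan else "\n".join(plan))
```

Run it against the addresses you intend to configure; an empty result means every rule from this chapter holds, while each returned line names the interface, route or setting to correct before issuing the commands.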
Managing the Guard Module
Once you have established a session from the supervisor and configured the Guard module networking (see "Configuring the Guard Module on the Supervisor Engine Module" and the "Configuring the Guard Module Interfaces" section), you can access and manage the Guard module using one of the following methods:
• Access using a secured shell (SSH) session. See the "Accessing the Guard Module with SSH" section for further details.
• Access the Guard module using web-based management (WBM). See the "Managing the Guard Module with Web Based Management" section for further details.
• Access from a DDoS-sensing network element to establish a connection and form a counter-DDoS system. Refer to the appropriate documentation for further details.
Managing the Guard Module with Web Based Management
You can manage the Guard module from a web browser using web-based management (WBM).
To enable the Guard module WBM perform the following steps:
Step 1
Enable the WBM service. Enter the following command:
service wbm
Step 2
Permit access to the Guard module from the remote manager IP address. Enter the following command:
permit wbm ip-addr [ip-mask]
The ip-addr and ip-mask arguments define the remote manager IP address.
Step 3
Open the browser and enter the following address:
https://guard-module-ip-address/
The guard-module-ip-address argument is the IP address of the Guard module.
The Guard module WBM window appears.
Note
HTTPS (not HTTP) is used to enable web-based management control.
Step 4
Enter your username and password and click OK.
After you enter the user name and password correctly, the Guard home page is displayed.
For example:
admin@GUARD-conf# service wbm
admin@GUARD-conf# permit wbm 192.168.30.32
Accessing the Guard Module with SSH
You can access the Guard module using a secured shell (SSH) connection. This section describes the Guard module SSH communication configuration.
The SSH service is enabled by default.
To enable SSH connection to the Guard module, perform the following steps:
Step 1
Permit access to the Guard module from the remote network IP address. Enter the following command:
permit ssh ip-addr [ip-mask]
The ip-addr and ip-mask arguments define the remote network IP address.
Step 2
Establish a connection from the remote network address and enter the login and password. To enable SSH connection without the need to enter a login and password, add the remote connection SSH public key to the Guard module SSH key list. See the "Managing SSH Keys" section for further details.
Reloading the Guard Module
The reload command enables you to reload the Guard module configuration without the need to reboot the machine.
For the following changes to take effect, you must reload the Guard module:
• Interface IP address modification
• Interface activation and deactivation
• VLAN ID number and IP address modification
• Modifications in the following tunnel parameters: name, type, source and destination IP addresses and Mask
• Default Gateway IP address modification
• Guard module TCP Proxy IP address modification
• Burning a new flash
Rebooting the Guard Module
The default behavior of the Guard module is to load all zones in an inactive mode, so the Guard module does not reactivate zones that were in protect or learning modes prior to the reboot.
To change the default behavior so that the Guard module automatically activates zones that were active prior to the reboot process, enter the following command:
boot reactivate-zones
Caution 
The zone learning phase is restarted after reboot.