Cisco Guard Configuration Guide (Software Version 3.1(0))
Guard Diagnostics and Maintenance



This chapter describes how to perform tasks used for general care and upkeep of the Guard and how to display statistics and diagnostics on the Cisco Guard (Guard). It includes the following sections:

Viewing the Zones

Managing Disk Space

Copying Guard Configuration

Guard Diagnostics

Upgrading the Guard Version

Recovering a Lost Password

Viewing the Zones

You can display an overview of the zones in the Guard to see which zones are active and what their current status is. Use the show command at the Global prompt to display a list of zones. Table 10-1 describes the different zone statuses.

Table 10-1 Zone Status

Status: Description

Auto Protection mode: The zones are in automatic protection modes and the dynamic filters are activated without user intervention.

Interactive Protection mode: The zones are in interactive protection modes and the dynamic filters are activated manually.

Threshold Tuning phase: The zones are in the threshold tuning learning phase. The Guard analyses the zone traffic and defines thresholds for the policies constructed during the policy construction phase.

Policy Construction phase: The zones are in the policy construction phase and the zone policies are created.

Standby: The zones are not active.


For example:

admin@GUARD# show

Viewing the Guard Logs

The Guard automatically logs system activity and events. You can display the Guard logs to review and track the Guard activity.

Table 10-2 displays the event log levels.

Table 10-2 Event Log Levels 

Event Level (Numeric code): Description

Emergencies (0): System is unusable

Alerts (1): Immediate action required

Critical (2): Critical condition

Errors (3): Error condition

Warnings (4): Warning condition

Notifications (5): Normal but significant condition

Informational (6): Informational messages

Debugging (7): Debugging messages


The log file displays all log levels (emergencies, alerts, critical, errors, warnings, notification, informational, debugging). The Guard log file includes zone events with severity levels: emergencies, alerts, critical, errors, warnings and notification.

You can view the event log locally or from a remote server:

Real-time logging of events—See the "Displaying On-line Event Logs" section

The log file—See the "Displaying the Log-file" section

Displaying On-line Event Logs

You can activate the Guard's monitoring mechanism and view a real time event log. This enables you to view the on-line logging of the Guard events. Enter the following command:

event monitor

For example:

admin@GUARD# event monitor

The screen constantly updates with events.


Note To deactivate the monitoring mechanism, use the no event monitor command.


Exporting On-line Event Logs

You can export the Guard on-line event logs to view the Guard operations registered in the Guard log-file. You can view the Guard events from a remote host as they are registered, on-line, in the Guard's log-file. The Guard's log-file is exported using the syslog mechanism and can be exported to several Syslog servers. You can specify additional servers so that should one go offline, another will be available to receive messages.


Note You can only export Guard on-line event logs to a syslog server. If a remote syslog server is not available, use the copy log command to export the Guard's log-file.


The format of the syslog message is as follows:

<event date> <event time> <Guard IP address> <Guard module> <zone name> <event severity level> <event type> <event description>

An example of an event log is:

Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed successfully.

To export on-line event logs, perform the following steps:


Step 1 (Optional) Configure the logging parameters. Enter the following command:

logging {facility | trap}

Table 10-3 provides the keywords for the logging command.

Table 10-3 Keywords for the logging Command 

Parameter: Description

facility: The export syslog facility. The available facilities are local0 through local7. The default is local4.

trap: The severity level of the syslog traps sent to the remote syslog. Trap levels of lower severity include levels of higher severity. For example, if the trap level is set to warnings, then errors, critical, alerts, and emergencies are also sent. The available trap levels from the highest to the lowest severity level are: emergencies, alerts, critical, errors, warnings, notification, informational, debugging. The default is notification.



Note To receive events on Dynamic filters addition and removal, change the trap level to informational.


Step 2 Configure the remote syslog server's IP address. Enter the following command:

logging host remote-syslog-server-ip

OR

export log remote-syslog-server-ip

The argument remote-syslog-server-ip specifies the remote Syslog server's IP address.


Note To build a list of syslog servers that receive logging messages, enter this command more than once.



For example:

admin@GUARD-conf# logging facility local3
admin@GUARD-conf# logging trap notifications
admin@GUARD-conf# logging host 10.0.0.191

To view the export on-line event logs configuration, use the show logging command or the show log export-ip command.
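
The following Python example, added here and not part of the Cisco documentation, parses exported Guard syslog lines on the receiving server and applies the trap-level inclusion rule from Table 10-3. It assumes the field separators seen in the single sample line above; the names parse_line, passes_trap, triage and known_guards belong to this example only, and every sample line after the first is constructed.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# Table 10-2 on this page: list index == numeric code.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Assumption: the separators (":" after module and event type, "," after
# the zone name) are inferred from the single sample line on the page.
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<guard_ip>\S+)\s+"
    r"(?P<module>[^\s:]+):\s+"
    r"(?P<zone>[^\s,]+),\s+"
    r"(?P<severity>[0-7])\s+"
    r"(?P<event_type>[^\s:]+):\s+"
    r"(?P<description>.*)$"
)


class GuardEvent(NamedTuple):
    date: str
    time: str
    guard_ip: str
    module: str
    zone: str
    severity: int
    level: str
    event_type: str
    description: str


def parse_line(line: str) -> Optional[GuardEvent]:
    """Return a GuardEvent, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ipaddress.ip_address(m["guard_ip"])  # reject a non-IP in the IP field
    except ValueError:
        return None
    sev = int(m["severity"])
    return GuardEvent(m["date"], m["time"], m["guard_ip"], m["module"],
                      m["zone"], sev, LEVELS[sev], m["event_type"],
                      m["description"])


def passes_trap(severity: int, trap_level: str) -> bool:
    """True if an event of this severity is included at the given level.

    A level includes every level of higher severity, that is, every
    numeric code less than or equal to its own.
    """
    return severity <= LEVELS.index(trap_level)


def triage(lines: Iterable[str], known_guards: Set[str],
           alert_level: str = "warnings") -> Tuple[List[GuardEvent], List[str]]:
    """Split received lines into (alerts, rejected).

    rejected holds lines that do not parse or that name a Guard IP address
    outside known_guards; alerts holds events at alert_level or worse.
    """
    alerts: List[GuardEvent] = []
    rejected: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.guard_ip not in known_guards:
            rejected.append(line)
        elif passes_trap(ev.severity, alert_level):
            alerts.append(ev)
    return alerts, rejected


# The first line is the sample from the page; the rest are constructed.
SAMPLE_LINES = [
    "Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed successfully.",
    "Sep 11 16:35:02 10.4.4.4 cm: scannet, 6 example-filter-event: Constructed informational event.",
    "Sep 11 16:36:10 10.4.4.4 cm: scannet, 2 example-critical-event: Constructed critical event.",
    "Sep 11 16:37:00 10.9.9.9 cm: scannet, 1 example-alert-event: Constructed event from an unlisted address.",
    "Sep 11 16:38:00 10.4.4.4 free text that does not follow the format",
]

if __name__ == "__main__":
    alerts, rejected = triage(SAMPLE_LINES, known_guards={"10.4.4.4"})
    for ev in alerts:
        print(f"ALERT {ev.level} zone={ev.zone} type={ev.event_type}: {ev.description}")
    for line in rejected:
        print(f"REVIEW {line}")
```

With the default trap level of notification, the Guard would not send the severity 6 line at all, which is why the note above says to set the trap level to informational to receive dynamic filter events.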

Displaying the Log-file

You can display the Guard log for diagnostic or monitoring purposes. The Guard log file includes zone events with severity levels: emergencies, alerts, critical, errors, warnings and notification.

To display the Guard log, enter the following command:

show log

You can display a zone log to view events that relate only to the specified zone.

For example:

admin@GUARD# show log

Exporting the Log-file

You can export the Guard log-file to an FTP server for monitoring or diagnostic purposes. Enter the following command:

copy [zone zone-name] log ftp server full-file-name [login] [password]

Table 10-4 provides arguments and keywords for the copy log ftp command.

Table 10-4 Arguments for the copy log ftp Command 

Parameter: Description

zone-name: (Optional) The zone name. Export the zone's log-file. The default is to export the Guard's log-file.

server: The IP address of the FTP server.

full-file-name: The full name of the file. If you do not specify a path the server will save the file in your home directory.

login: (Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password: (Optional) The password for the remote FTP server. If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy log ftp 10.0.0.191 log.txt user <password>

Clearing the Log-file

You can clear the Guard or zone log file of all entries.


Tip Clear the Guard or zone log file if it is large, or if you are going to perform testing and want to be sure the log file only reflects information from the testing session.


Enter the following command:

clear [zone zone-name] log

The argument zone-name specifies the zone name. The default clears the Guard's log.

Managing Disk Space

The Guard maintains activity logs and zone attack reports. If the disk usage is over 75%, or if a large number of zones is defined on the Guard (over 500), we recommend that you decrease the file history parameters. When the used disk space reaches about 80% of the disk maximum capacity, the Guard enters a warning message in its syslog. If this happens you can perform one of the following:

1. Export the Guard or zone log to an FTP server—See the "Exporting the Log-file" section

Export the Guard report list to an FTP server—See the "Exporting Attack Reports" section

Export the zone attack reports to an FTP server—See the "Exporting Attack Reports" section

2. Clear the log-file—See the "Clearing the Log-file" section

3. Decrease file history size—See the "Configuring Logs and Reports History" section

We recommend that you periodically store the Guard records on an FTP server and then clear the logs.


Note When disk usage reaches 80% of the disk maximum capacity the Guard erases information to reduce used disk space to about 75%.


To display the disk used space, enter the following:

show disk-usage

For example:

admin@GUARD# show disk-usage 
2% 

Configuring Logs and Reports History

You can configure how far back the Guard records the logs and the attack reports of both the Guard and its zones.

To configure report and log history, enter the following:

history {logs|reports} days [enforce-now]

Table 10-5 provides arguments and keywords for the history command.

Table 10-5 Arguments and Keywords for the history Command 

Parameter: Description

logs: Sets the history parameters for Guard and zone logs.

reports: Sets the history parameters for zone attack reports.

days: The length of history time. The logs' history time range is 1-7 days. The reports' history time range is 1-60 days. The default history time is 7 days for the logs and 30 days for the reports.

enforce-now: (Optional) Adapts, and if necessary erases, the recorded logs and reports history capacity to the current command parameters immediately.


If the history is set to a shorter period, reduce the log file size and the report file size to the newly configured size. You can perform one of the following:

Use the enforce-now option

OR

Erase the stored logs and reports to match the newly configured size at a later time. Use the command disk-clean.

Copying Guard Configuration

You can export the Guard configuration file to an FTP server. Exporting the Guard or zone configuration file (running-config) to a remote FTP server enables you to:

Implement the Guard configuration parameters on another Guard

Back up the Guard configuration

Exporting Configuration

To export the Guard configuration file, enter the following command:

copy [zone zone-name] running-config ftp server full-file-name [login] [password]

Table 10-6 provides arguments for the copy running-config ftp command.

Table 10-6 Arguments for the copy running-config ftp Command 

Parameter: Description

zone-name: (Optional) The zone name. Export the zone's configuration file. The default is to export the Guard's configuration file.

server: The IP address of the FTP server.

full-file-name: The full name of the file. If you do not specify a path the server will save the file in your home directory.

login: (Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password: (Optional) The password for the remote FTP server. If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt user <password>

Importing and Updating Configuration

You can import a Guard or zone configuration file from an FTP server and reconfigure the Guard according to the newly transferred file. Import configuration to:

Configure the Guard based on an existing Guard configuration file

Restore Guard configuration

The new configuration overrides the existing one. For the new configuration to take effect, you must reload the Guard.


Note Zone configuration is a partial Guard configuration. The copy ftp running-config command is used to copy both types of configuration files to the Guard and reconfigure it accordingly.


To import a Guard configuration file, enter the following command:

copy ftp running-config server full-file-name [login] [password]

Table 10-7 provides arguments for the copy ftp running-config command.

Table 10-7 Arguments for the copy ftp running-config Command 

Parameter: Description

zone-name: (Optional) The zone name. Export the zone's configuration file. The default is to export the Guard's configuration file.

server: The IP address of the FTP server.

full-file-name: The full name of the file. If you do not specify a path the server will save the file in your home directory.

login: (Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password: (Optional) The password for the remote FTP server. If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy ftp running-config 10.0.0.191 scannet-conf 

Guard Diagnostics

This section describes a group of commands designed to help in Guard diagnostics. These commands consist of the following:

Displaying General Diagnostics Data

Displaying the Memory Consumption

Displaying the CPU Utilization

Manipulating the ARP Cache

Netstat

Traceroute

Ping

Obtaining Debug Information

Displaying General Diagnostics Data

You can view general Guard diagnostics data.

To view a general display of the diagnostics data, enter the following command:

show diagnostic-info

The diagnostics data consists of the following:

Accelerator card CPU speed—Indicates the accelerator card's CPU speed

Accelerator card revision—Indicates the accelerator card revision number

Accelerator card serial—Indicates the accelerator card serial number

CFE version—The CFE version number


Note To change the CFE version you must install a new flash version. Use the flash-burn command to burn a new CFE version.


Recognition Average Sample Loss—The calculated Recognition module packet sample loss

Forward failures (no resources)—The number of packets that were not forwarded due to lack of system resources


Note In cases of a high Recognition Average Sample Loss or a large number of Forward failures, contact technical support.


Fan Speeds—The speed for each fan installed. The values are a percentage of maximum RPM.

Maximum Fans—The maximum number of fans the system supports.

Installed Fans—The number of fans currently installed in the system.

Running Fans—The list of operational fans.

System uptime—The number of hours that the system has been powered on.

The number of system restarts—The number of times the system has been restarted.

Blue Light state—The blue LED state.

System UUID—The system Universal Unique ID (UUID).

CPU Temperature—The current CPU temperature in Celsius, for each installed CPU.

DASD Temperature—The current hard disk drive temperature in Celsius.

Ambient Temperature—The ambient system temperature in Celsius.

The Guard has several LEDs indicating inner status. These are normally OFF. When turned ON they indicate hardware failure. In such cases, the Guard issues a syslog message and an SNMP trap to inform of the problem.

Displaying the Memory Consumption

You can view the Guard memory consumption. The Guard displays the memory usage in kilobytes. In addition, the Guard displays the percentage of memory that the Recognition module uses. The Recognition module memory usage is affected by the number of active zones and the number of services each of the zones monitor.


Note If the Recognition module memory usage is higher than 90%, we highly recommend that you lower the number of active zones.


Enter the following command:

show memory

For example:

admin@GUARD# show memory
              total    used    free    shared   buffers   cached
  In KBytes:  2065188  146260  1918928    0     2360      69232

  Recognition Used Memory: 0.3%

Note The total amount of free memory the Guard has is the sum of the free memory and the cached memory.


Displaying the CPU Utilization

You can display the current percentage of CPU utilization. The Guard displays the percentage of CPU time in user mode, system mode, niced tasks, and idle. Niced tasks are also counted in system and user time, thus the total CPU utilization can be more than 100%.

Enter the following command:

show cpu

For example:

admin@GUARD# show cpu
Host CPU:  0.0% user,  0.1% system,  0.0% nice, 99.0% idle

Manipulating the ARP Cache

You can view or manipulate the ARP cache to clear an address mapping entry or to manually define one. Enter one of the following:

arp [-evn] [-H type] [-i if] -a [hostname]

arp [-v] [-i if] -d hostname [pub]

arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]

arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub

arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub

arp [-vnD] [-H type] [-i if] -f [filename]

Table 10-8 provides arguments and keywords for the arp command.

Table 10-8 Arguments and Keywords for the arp Command 

Parameter: Description

-v, --verbose: Displays the output in verbose.

-n, --numeric: Displays numerical addresses.

-H type, --hw-type type, -t type: Specifies which class of entries the Guard checks for. The default value of this parameter is ether (hardware code 0x01 for IEEE 802.3 10Mbps Ethernet).

-a [hostname], --display [hostname]: Displays the entries of the specified hosts in alternate (BSD) style. The default is to display all entries.

-d hostname, --delete hostname: Remove any entry for the specified host.

-D, --use-device: Use the interface ifa's hardware address.

-e: Displays the entries in default style.

-i If, --device If: Specifies an interface. When dumping the ARP cache only entries that match the specified interface are printed. If you set a permanent or temporary ARP entry this interface is associated with the entry. If you do not use this option, the Guard guesses based on the routing table. For pub entries this is the interface on which ARP requests are answered. This has to be different from the interface to which the IP datagrams will be routed.

-s hostname hw_addr, --set hostname: Creates an ARP address mapping entry for host hostname with hardware address set to hw_addr class. For most classes you can use the usual presentation.

-f filename, --file filename: Creates an ARP address mapping entry. The information is taken from the file filename. The file format is ASCII text lines with a hostname, and a hardware address separated by white space. You can also use the pub, temp and netmask flags. In all places where a hostname is expected, you can also enter an IP address in dotted-decimal notation.



Caution To configure the Guard ARP cache, you need knowledge of the Guard system and the network.

For example:

admin@GUARD# arp -e

Address        HWtype  HWaddress           Flags Mask  Iface
10.10.1.254    ether   00:02:B3:C0:61:67   C           eth1
10.10.8.11     ether   00:02:B3:45:B9:F1   C           eth1
10.10.8.253    ether   00:D0:B7:46:72:37   C           eth1
10.10.10.54    ether   00:03:47:A6:44:CA   C           eth1

Netstat

You can display the network connections, routing tables, interface statistics, masquerade connections and multicast memberships. Enter one of the following:

netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--symbolic|-N] [--extend|-e[--extend|-e]][--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [delay]

netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--interfaces|-i} [iface] [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--groups|-g} [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] [delay]

netstat {--version|-V}

netstat {--help|-h}


Note If you do not specify any address families, the Guard displays the active sockets of all configured address families.


Table 10-9 provides arguments and keywords for the netstat command.

Table 10-9 Arguments and Keywords for the netstat Command

Parameter: Description

address_family_options: [--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] [--unix|-x][--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]

--route, -r: Displays the Guard routing tables.

--groups, -g: Displays multicast group membership information for IPv4 and IPv6.

--interface, -i iface: Displays a table of all network interfaces, or of the interface iface.

--masquerade, -M: Displays a list of masqueraded connections.

--statistics, -s: Displays summary statistics for each protocol.

-v, --verbose: Displays the output in verbose.

-n, --numeric: Displays numerical addresses.

--numeric-hosts: Displays numerical host addresses. This does not affect the resolution of port or user names.

--numeric-ports: Displays numerical port numbers. This does not affect the resolution of host or user names.

--numeric-users: Displays numerical user IDs. This does not affect the resolution of host or port names.

--protocol, -A family: A comma separated list that specifies the address low level protocols (family) for which connections are displayed. The address family inet includes raw, udp and tcp protocol sockets.

-c, --continuous: Displays the selected information every second, continuously.

-e, --extend: Displays additional information. Use this option twice for maximum detail.

-o, --timers: Displays information related to networking timers.

-p, --program: Displays the PID and name of the program to which each socket belongs.

-l, --listening: Displays only listening sockets. These are omitted by default.

-a, --all: Displays both listening and non-listening sockets.

-F: Displays routing information from the FIB.

-C: Displays routing information from the route cache.

delay: Netstat will cycle printing through statistics every delay seconds.


For example:

admin@GUARD# netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address   Foreign Address         State
tcp        0      0 localhost:1111  localhost:32777    ESTABLISHED
tcp        0      0 localhost:8200  localhost:32772    ESTABLISHED
.
.
.
tcp        0      0 localhost:33464 localhost:8200     TIME_WAIT
tcp        1      0 localhost:1113  localhost:33194    CLOSE_WAIT
.
.
.
Active UNIX domain sockets (w/o servers)
unix  2      [ ]         STREAM     CONNECTED     928
unix  3      [ ]         STREAM     CONNECTED     890  /tmp/.zserv
.
.
.
admin@GUARD#

Traceroute

You can print the route that packets take to a network host. Enter the following:

traceroute ip-address [-F] [-f first_ttl] [-g gateway] [-i iface]
[-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] [packetlen]


Note The traceroute command displays only IP addresses and not names.


Table 10-10 provides arguments and keywords for the traceroute command.

Table 10-10 Arguments and Keywords for the traceroute Command 

Parameter: Description

ip-address: The IP address to trace the route to.

-f: Set the initial time-to-live used in the first outgoing probe packet.

-F: Set the don't fragment bit.

-g: Specify a loose source route gateway (8 maximum).

-i: Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host.

-m: Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops.

-p: Set the base UDP port number used in probes. The default is 33434.

packetlen: Set the packet length of the probe.

-s: Use the following IP address as the source IP address in outgoing probe packets.

-t: Set the type-of-service in probe packets to the following value. The default is zero.

-w: Set the time (in seconds) to wait for a response to a probe. The default is 5 seconds.


For example:

admin@GUARD# traceroute 10.10.10.34
traceroute to 10.10.10.34 (10.10.10.34), 30 hops max, 38 byte packets
 1 10.10.10.34 (10.10.10.34) 0.577 ms  0.203 ms  0.149 ms

Ping

You can send ICMP ECHO_REQUEST packets to network hosts to verify connectivity. Enter the following:

ping ip-address [-c count] [-i interval] [-l preload] [-s packetsize] [-t ttl] [-w deadline] [-F flowlabel] [-I interface]
[-Q tos] [-T timestamp option] [-W timeout]

Table 10-11 provides arguments and keywords for the ping command.

Table 10-11 Arguments and Keywords for the ping Command

Parameter: Description

ip-address: The destination IP address.

-c count: Send count ECHO_REQUEST packets. With deadline option, ping waits for count ECHO_REPLY packets, until the timeout expires.

-F flow label: Allocate and set 20 bit flow label on echo request packets. (Only ping6). If the value is zero, a random flow label is used.

-i interval: Wait interval seconds between packets. The default is to wait for one second.

-I interface: Set the source IP address to the specified interface address.

-l preload: Sends preload packets without waiting for a reply.

-Q tos: Set Quality of Service-related bits in ICMP datagrams.

-s packetsize: Specifies the number of data bytes to send. The default is 56.

-t ttl: Set the IP Time to Live.

-T timestamp option: Set special IP timestamp options.

-w deadline: Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received.

-W timeout: Time to wait for a response, in seconds.


For example:

admin@GUARD# ping 10.10.10.30 -n 1

Obtaining Debug Information

In case of an operational problem in the Guard, Cisco Technical Support can require you to send internal debug information.

To extract the debug information to an FTP server, enter the following:

copy debug-core time ftp server full-file-name [login] [password]

Table 10-12 provides arguments and keywords for the copy debug-core command.

Table 10-12 Arguments for the copy debug-core Command 

Parameter: Description

time: The time of the event that triggers the need for debug information. The time string uses the format MMDDhhmm[[CC]YY][.ss], where MM is the month in numeric figures, DD is the day of the month, hh is the hour in a 24 hour clock, mm is the minutes, CC is the first two digits of the year (optional), YY is the last two digits of the year (optional), and .ss is the seconds (optional; the period must be present).

server: The IP address of the FTP server.

full-file-name: The full name of the version file. If you do not specify a path, the server will save the file in your home directory.

login: (Optional) The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password: (Optional) The FTP server password. If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy debug-core ftp 10.0.0.191 debug-file user <password>


Upgrading the Guard Version

An administrator can upgrade the Guard software version. To upgrade the Guard version, perform the following steps:


Step 1 Download an updated version of the Guard software from an FTP server. Enter the following:

copy ftp new-version server full-file-name [login] [password]

Table 10-13 provides arguments and keywords for the copy ftp new-version command.

Table 10-13 Arguments for the copy ftp new-version Command 

Parameter: Description

server: The IP address of the FTP server.

full-file-name: The full name of the file. If you do not specify a path, the server copies the file from your home directory.

login: (Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password: (Optional) The password for the remote FTP server. If you do not enter a password, you will be prompted for it.


Step 2 Install the downloaded version. Enter the following:

install new-version 

Caution Issuing the install new-version command deactivates the learning and the protection processes.

A new version might require updating the firmware (CFE). See the Release Note accompanying each version release for further details. In case of a CFE mismatch, the Guard displays the following message:

Bad CFE version (X). This version requires version Y

See the "Burning a New Flash Version" section for further details.

Step 3 Reboot the Guard. Enter the following:

reboot

Step 4 You can display the version number to verify the results of the upgrade process. Enter the following:

show version


For example:

admin@GUARD# copy ftp new-version 10.0.0.191 /home/Versions/R3.i386.rpm user <password>
FTP in progress...

admin@GUARD# install new-version
.
.
.

Press Enter to close this CLI session. 

Burning a New Flash Version

You can burn a new flash version only when there is a mismatch between the current common firmware environment (CFE) and the software version.

In case of a CFE mismatch, the Guard displays the following when you issue the install new-version command:

Bad CFE version (X). This version requires version Y


Caution You must ensure that there is a stable power supply to the Guard and refrain from any Guard operations while burning a new flash version.

To burn a new flash version, perform the following steps:


Step 1 Enter the following command at the prompt:

flash-burn

If you try to burn a new flash when the CFE and the Guard software versions match, the operation will fail.

Step 2 Reload the Guard. Enter the following command:

reload


For example:
admin@GUARD-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
.
.
.
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 

Recovering a Lost Password

This section describes how to recover the password of the root user. The Guard uses this password to control root access. The root password is encrypted and can only be replaced by a new password.

To perform this procedure you must be connected to the Guard console.

To recover the root password, perform the following steps:


Step 1 Attach a keyboard and a monitor to the Guard.

Step 2 Login and type reboot.

Step 3 Press down and hold the Shift key while the Guard is powering up. The Guard displays the following prompt:

Lilo: 

Step 4 Enter the following to load a single user image:

Cisco 1


Note If you are running a version previous to 3.0.8, enter Riverhead 1. If you do not know which version you are running, press TAB to see the list of images.


Step 5 Press Enter at the password prompt to enter a null password.

The Guard enters the root prompt.

Step 6 Use the passwd command to change root's password. Enter a new password at the New password prompt. Re-enter the new password at the Retype new password prompt to verify your choice.

For example:

[root@GUARD root]# passwd
    Changing password for user root.
    New password: <new password typed in here>
    Retype new password: <new password typed in here>
    passwd: all authentication tokens updated successfully.

Step 7 Use the reboot command to restart the Guard into normal operation mode.