Cisco Guard Configuration Guide (Software Version 5.0)
Performing Maintenance Tasks



This chapter describes how to perform tasks used for general care and maintenance of the Cisco Guard (Guard) and contains the following sections:

Exporting Configuration

Importing and Updating Configuration

Managing Disk Space

Reloading the Guard

Rebooting the Guard and Inactivating Zones

Shutting Down the Guard

Upgrading the Guard Software Version

Recovering a Lost Password

Exporting Configuration

You can export the Guard configuration file or a zone configuration file (running-config) to an FTP or SFTP server. By exporting the Guard or zone configuration file to a remote server you can do the following:

Implement the Guard configuration parameters on another Guard

Back up the Guard configuration

To export the Guard configuration file, enter one of the following commands in global mode:

copy [zone zone-name] running-config ftp server full-file-name [login [password]]

copy [zone zone-name] running-config sftp server full-file-name login


Note You must configure the SSH key that the Guard uses for SFTP communication before you enter the copy command with the sftp option. See the "Configuring the Key for SFTP Connections" section for more information.


Table 11-1 provides the arguments for the copy running-config ftp command.

Table 11-1 Arguments for the copy running-config ftp Command

| Parameter | Description |
| --- | --- |
| zone-name | (Optional) The zone name. Export the zone configuration file. The default is to export the Guard configuration file. |
| running-config | Exports the complete Guard configuration, or the configuration of the specified zone. |
| ftp | Exports the configuration to an FTP server. |
| sftp | Exports the configuration to an SFTP server. |
| server | The IP address of the server. |
| full-file-name | The complete name of the file. If you do not specify a path, the server saves the file in your home directory. |
| login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password. |
| password | (Optional) The password for the remote FTP server. If you do not insert the password the Guard prompts you for it. |


The following example shows how to export the Guard configuration file to an FTP server:

user@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt <user> <password>

Importing and Updating Configuration

You can import a Guard or zone configuration file from an FTP server and reconfigure the Guard according to the newly transferred file. Import the configuration to do one of the following:

Configure the Guard based on an existing Guard configuration file

Restore the Guard configuration

Zone configuration is a partial Guard configuration. To copy both types of configuration files to the Guard and reconfigure it accordingly, use the copy ftp running-config command.


Note The new configuration replaces the existing one. You must reload the Guard for the new configuration to take effect.


We recommend that you deactivate all zones before you initiate the import process. The Guard deactivates a zone before importing the zone configuration.

By default, the Guard ignores older versions of the self-protection configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.

To import a Guard configuration file, enter one of the following commands in global mode:

copy ftp running-config server full-file-name [login [password]]

copy sftp running-config server full-file-name login


Note You must configure the SSH key that the Guard uses for SFTP communication before you enter the copy sftp command. See the "Configuring the Key for SFTP Connections" section for more information.


Table 11-2 provides the arguments for the copy ftp running-config command.

Table 11-2 Arguments for the copy ftp running-config Command

| Parameter | Description |
| --- | --- |
| ftp | Import the configuration from an FTP server. |
| sftp | Import the configuration from an SFTP server. |
| server | The IP address of the server. |
| remote-path | The complete name of the file. If you do not specify a path, the server searches for the file in your home directory. |
| login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password. |
| password | (Optional) The password for the remote FTP server. If you do not insert the password the Guard prompts you for it. |


The following example shows how to import the Guard configuration file from an FTP server:

user@GUARD# copy ftp running-config 10.0.0.191 scannet-conf <user> <password>

When you import a configuration that was exported from an older version, the Guard displays the following message:

WARNING: The configuration file includes a self-protection definition 
that is incompatible with the current version and will be ignored. 
Continue? [yes|no]

Enter one of the following options:

yes—Ignores the old self-protection configuration. The Guard performs the following:

Ignores the old self-protection configuration and does not import it

Imports all other configuration, such as zone, interface, and services configuration

no—Enables you to import the old self-protection configuration. The Guard displays the following message:

You can abort the import process or import the old self-protection 
definition as-is. 
WARNING: The self-protection definitions are incompatible with the 
current version.
Abort? [yes|no]


Caution We recommend that you do not overwrite the self-protection configuration with an older configuration because the older configuration may not be compatible with the current software version.

To import the older self-protection configuration, enter no.

To abort the import process, enter yes.

Managing Disk Space

The Guard maintains activity logs and zone attack reports. If the disk usage is over 75 percent, or if a large number of zones is defined on the Guard (over 500), we recommend that you decrease the file history parameters. When the used disk space reaches about 80 percent of the disk maximum capacity, the Guard enters a warning message in its syslog. If this happens, you can perform one of the following tasks:

Export the Guard or zone log to an FTP server—See the "Exporting the Log File" section.

Export the Guard report list to an FTP server—See the "Exporting Attack Reports" section.

Export the zone attack reports to an FTP server—See the "Exporting Attack Reports" section.

Clear the log file—See the "Clearing the Log File" section.

Decrease log file and attack reports history size—See the "Configuring Logs and Reports History" section.

We recommend that you periodically store the Guard records on an FTP server, and then clear the logs.


Note When disk usage reaches 80 percent of the disk maximum capacity the Guard erases information to reduce used disk space to about 75 percent.


To display the disk used space, enter the following command:

show disk-usage

The following example shows how to display the disk used space:

user@GUARD# show disk-usage 
2% 

Configuring Logs and Reports History

You can configure the length of time that the Guard records the logs and the attack reports of both the Guard and its zones.

To configure the report and log history, enter the following command:

history {logs | reports} days [enforce-now]

Table 11-3 provides the arguments and keywords for the history command.

Table 11-3 Arguments and Keywords for the history Command

| Parameter | Description |
| --- | --- |
| logs | Sets the history parameters for Guard and zone logs. |
| reports | Sets the history parameters for zone attack reports. |
| days | The length of history time. The logs history time range is 1 to 7 days. The report history time range is 1 to 60 days. The default history time is 7 days for the logs and 30 days for the reports. |
| enforce-now | (Optional) Immediately adapts the recorded log and report history to the current command parameters, erasing stored records if necessary. |


If you configure the history reporting to a shorter period, reduce the log file size and the report file size to the newly configured size. To reduce the size, you can use one of the following:

enforce-now option in the history command

OR

disk-clean command, which erases the stored logs and reports to match the newly configured size at a later time
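
The thresholds and history ranges above, as an added example that is not part of the Cisco guide: because the Guard erases stored information once usage reaches 80 percent, this Python sketch parses collected `show disk-usage` output, estimates how many days remain before the 75 and 80 percent levels, and builds a range-checked `history` command. The collection format (day number plus raw output), the linear-growth assumption and all function names are assumptions of this example.

```python
import re

RECOMMEND_PCT = 75   # above this the guide recommends shorter history
ERASE_PCT = 80       # at this level the Guard erases stored information
HISTORY_RANGE = {"logs": (1, 7), "reports": (1, 60)}   # days, from Table 11-3

def parse_disk_usage(output):
    """Return the percentage from `show disk-usage` output such as '2%'."""
    m = re.search(r"^\s*(\d{1,3})%\s*$", output, re.MULTILINE)
    if not m or int(m.group(1)) > 100:
        raise ValueError("no disk usage percentage found")
    return int(m.group(1))

def days_until(samples, threshold):
    """Fit a least-squares line to (day, pct) samples and return the days
    from the last sample until `threshold` is reached: 0.0 if already there,
    None if usage is flat or falling, or there are too few samples."""
    if samples and samples[-1][1] >= threshold:
        return 0.0
    n = len(samples)
    if n < 2:
        return None
    mx = sum(d for d, _ in samples) / n
    my = sum(p for _, p in samples) / n
    sxx = sum((d - mx) ** 2 for d, _ in samples)
    if sxx == 0:
        return None
    slope = sum((d - mx) * (p - my) for d, p in samples) / sxx
    if slope <= 0:
        return None
    return max(0.0, mx + (threshold - my) / slope - samples[-1][0])

def history_command(kind, days, enforce_now=False):
    """Build a `history` command, rejecting values outside the documented range."""
    if kind not in HISTORY_RANGE:
        raise ValueError("kind must be 'logs' or 'reports'")
    lo, hi = HISTORY_RANGE[kind]
    if not lo <= days <= hi:
        raise ValueError(f"{kind} history must be {lo} to {hi} days")
    return f"history {kind} {days}" + (" enforce-now" if enforce_now else "")

# Constructed samples: (day number, raw `show disk-usage` output).
COLLECTED = [(0, "50%"), (1, "52%"), (2, "54%"), (3, "56%")]

if __name__ == "__main__":
    pts = [(d, parse_disk_usage(o)) for d, o in COLLECTED]
    print("days to 75%:", days_until(pts, RECOMMEND_PCT))
    print("days to 80%:", days_until(pts, ERASE_PCT))
    print(history_command("logs", 3, enforce_now=True))
```

Exporting logs and attack reports before the estimated 80 percent date keeps records that the automatic erase would otherwise remove.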

Reloading the Guard

You can reload the Guard configuration without rebooting the machine by using the reload command.

For the following changes to take effect, you must reload the Guard:

Synchronizing the Guard with an NTP server

Deactivating or activating a physical interface by using the shutdown command

Enabling the giga0 interface by using the no shutdown command

Burning a new flash

Rebooting the Guard and Inactivating Zones

To reboot the Guard, enter the following command:

reboot

The default behavior of the Guard is to load all zones in an inactive operation state. Therefore, the Guard does not enable zone protection or the learning process after reboot, regardless of the zone operation state prior to the reboot.

To change the default behavior so that the Guard automatically activates zones that were active prior to the reboot process, enter the following command in configuration mode:

boot reactivate-zones


Caution The zone learning phase is restarted after reboot.

Shutting Down the Guard

A clean shutdown enables the Guard to save vital information.

To shut down the Guard, perform the following steps:


Step 1 Enter the following command:

poweroff

Step 2 Type yes at the command prompt to verify the process.

Step 3 Push the Guard ON/OFF button to turn the Guard power off.

The green power LED turns off.


Caution Pushing the OFF button without entering the poweroff command may result in critical data loss.


Upgrading the Guard Software Version

To upgrade the Guard software version, perform the following steps:


Step 1 Back up the Guard configuration before initiating the upgrade process using the copy running-config command.

See the "Exporting Configuration" section for more information.

Step 2 Download an updated version of the Guard software from an FTP or an SFTP server by entering one of the following commands in global mode:

copy ftp new-version server full-file-name [login [password]]

copy sftp new-version server full-file-name login


Note You must configure the SSH key that the Guard uses for SFTP communication before you enter the copy sftp command. See the "Configuring the Key for SFTP Connections" section for more information.



Table 11-4 provides arguments for the copy ftp new-version command.

Table 11-4 Arguments for the copy ftp new-version Command

| Parameter | Description |
| --- | --- |
| ftp | Download the version file from an FTP server. |
| sftp | Download the version file from an SFTP server. |
| server | The IP address of the server. |
| full-file-name | The complete name of the file. If you do not specify a path, the server copies the file from your home directory. |
| login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password. |
| password | (Optional) The password for the remote FTP server. If you do not insert the password the Guard prompts you for it. |


Step 3 Install the downloaded version by entering the following command:

install new-version 

When you enter the install new-version command, the learning and the protection processes are deactivated.


Caution You must be sure that there is a stable power supply to the Guard, and refrain from performing any Guard operations while you upgrade the version. After the upgrade process completes, the Guard displays the following message:

Press Enter to close this CLI session.

If you fail to adhere to these restrictions, the upgrade may fail and cause the Guard to become inaccessible.

Step 4 Establish a new session with the Guard and check the software version by entering the show version command.


The following example shows how to copy a new software version file to the Guard, and then to upgrade the software version:

user@GUARD# copy ftp new-version 10.0.0.191 /home/Versions/R3.i386.rpm user <password>
FTP in progress...

user@GUARD# install new-version
. . .
Press Enter to close this CLI session.

When you upgrade the software version, the Guard updates the self-protection configuration with a new one. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.
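
The export, import and new-version forms of the copy command share one grammar, and FTP carries the login, password and file unencrypted. The following Python sketch is an added example, not code from the Cisco guide: it parses those command forms from saved CLI session lines and flags FTP use, anonymous logins, passwords typed on the command line and software images fetched over FTP. The finding labels, function names and sample lines are assumptions of this example.

```python
import ipaddress

def parse_copy(line):
    """Parse a Guard `copy` transfer command into a dict; None if it matches no form in this chapter."""
    head, sep, rest = line.strip().partition("# ")   # a prompt such as user@GUARD# is one token
    tok = (rest if sep and " " not in head else line).split()
    if not tok or tok[0] != "copy":
        return None
    tok, zone = tok[1:], None
    if len(tok) >= 2 and tok[0] == "zone":           # optional: zone zone-name (export only)
        zone, tok = tok[1], tok[2:]
    a, b = (tok + [None, None])[:2]
    if a == "running-config" and b in ("ftp", "sftp"):
        direction, proto, what = "export", b, a
    elif zone is None and a in ("ftp", "sftp") and b in ("running-config", "new-version"):
        direction, proto, what = "import", a, b
    else:
        return None
    args = tok[2:]
    lo, hi = (2, 4) if proto == "ftp" else (3, 3)    # ftp: [login [password]]; sftp: login required
    if not lo <= len(args) <= hi:
        return None
    server, name, login, password = args + [None] * (4 - len(args))
    return dict(direction=direction, proto=proto, what=what, zone=zone,
                server=server, file=name, login=login, password=password)

def audit(line):
    """Return finding labels for one CLI line; an empty list means nothing to flag."""
    c = parse_copy(line)
    if c is None:
        return []
    findings = []
    if c["proto"] == "ftp":
        findings.append("cleartext-ftp")         # FTP carries login, password and file unencrypted
        if c["login"] is None:
            findings.append("anonymous-ftp")     # no login: the server assumes an anonymous login
        if c["password"] is not None:
            findings.append("inline-password")   # omit it and the Guard prompts for it instead
        if c["what"] == "new-version":
            findings.append("image-over-ftp")    # software image fetched with no transport integrity
    try:
        ipaddress.ip_address(c["server"])
    except ValueError:
        findings.append("server-not-ip")         # the tables define server as an IP address
    return findings

# Constructed session lines (not captured from a real Guard).
SAMPLE = [
    "user@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt admin S3cret",
    "user@GUARD# copy zone web1 running-config sftp 10.0.0.191 web1.conf backup",
    "user@GUARD# copy ftp new-version 10.0.0.191 /home/Versions/R3.i386.rpm",
    "user@GUARD# copy ftp running-config files.example.net scannet-conf admin",
]
for sample_line in SAMPLE:
    print(audit(sample_line) or ["ok"], sample_line)
```

Only the SFTP export in the sample produces no findings; the other lines show why the sftp forms, with the password left for the prompt, are the safer choice for configuration backups and image downloads.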

Burning a New Flash Version

You can burn a new flash version only when there is a mismatch between the current Common Firmware Environment (CFE) and the software release. A mismatch condition can occur when you update the Guard software.

When a CFE mismatch is detected, the Guard displays the following message when you enter the install new-version command (X denotes the old flash version and Y denotes the new flash version):

Bad CFE version (X). This version requires version Y


Caution You must be sure that there is a stable power supply to the Guard and refrain from performing any Guard operations while you burn a new flash version. If you fail to adhere to these restrictions, the upgrade may fail and cause the Guard to become inaccessible.

To burn a new flash version, perform the following steps:


Step 1 Enter the following command in configuration mode:

flash-burn

If you try to burn a new flash version when the CFE and the Guard software versions match, the operation fails.

Step 2 Reload the Guard by entering the following command:

reload

You must enter the reload command after burning a new flash version. The Guard is not fully functional until you enter the reload command.


The following example shows how to burn a new flash version:

user@GUARD-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
. . .
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 

Recovering a Lost Password

The Guard uses the root password to control root access. The root password is encrypted and can only be replaced by a new password.

To perform this procedure you must be connected to the Guard console.

To recover the root password, perform the following steps:


Step 1 Attach a keyboard and a monitor to the Guard.

Step 2 Log in and enter the reboot command.

Step 3 Press down and hold the Shift key while the Guard is powering up.

The Guard displays the following prompt:

Lilo: 

Step 4 Enter the following command to load a single user image:

Cisco 1


Note If you are running a version earlier than 3.0.8, enter Riverhead 1. If you do not know which version you are running, press TAB to see the list of images.


Step 5 Press Enter at the password prompt to enter a null password.

The Guard enters the root prompt.

Step 6 Use the passwd command to change the root password. Enter a new password at the New password prompt. Re-enter the new password at the Retype new password prompt to verify your choice.

The following example shows how to change the root password:

[root@GUARD root]# passwd
    Changing password for user root.
    New password: <new password typed in here>
    Retype new password: <new password typed in here>
    passwd: all authentication tokens updated successfully.

Step 7 Restart the Guard in normal operational mode by using the reboot command.


Resetting the Configuration to Factory Defaults

In certain situations, you may want to restore the Guard configuration to the original default factory settings. Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration in the Guard, if the configuration has become complex, or if you want to move the Guard from one network to another network. You can reset the Guard to the factory defaults and configure it as a new Guard.

We recommend that you back up the Guard configuration by using the copy running-config command before you reset it to the default factory settings. See the "Exporting Configuration" section.

The inband interface configuration (eth0) is available until you reload the Guard.

To reset the Guard to the factory default settings, enter the following command in configuration mode:

clear config all

The configuration change takes effect only after a reset.


Caution If you reset the Guard configuration to the factory defaults, and then reload the Guard while you are not connected from a console, you will lose connectivity to the Guard.

The following example shows how to reset the Guard to the factory default settings:

user@GUARD-conf# clear config all