
Table of Contents
Automated Security Manager Help...
Search Tab
To search for specific instances of a term in all the help topics, click the right tab (magnifying glass) in the left panel. In the Find bo
in the Activity Monitor has a status of Search Pending.
Search Time (sec)
The amount of time in seconds that it took for ASM to search for the source of
Removes the selected entries event/action in the Activity Monitor. When the entry removed is the last one for a particular incident, the associated Det
Automated Security Manager Configuration Window
This feature lets you configure Automated Security Manager (ASM) to automatically respond to a variety o
Day and Time Ranges
This view lets you identify specific time intervals that may be pertinent when applying threat responses.
NOTE: The Day and Time Ran
Name
This is a name that you can assign when defining a time interval.
Time
These controls let you select the time interval for this day and time range.
D
Add to List
Adds the current Days and Times definition to the Day/Time Ranges list.
Remove from List
Deletes a Days and Times definition selected in the
Dragon has four default notification rules: netsight-atlas-asm-attacks, netsight-atlas-asm-compromise, netsight-atlas-asm-informational, and netsight-a
MS-BACKDOOR3 MS-SQL:HAXOR-TABLE MS-SQL:PWDUMP MS-SQL:WORM-SAPPHIRE MS:BACKDOOR-BADCMD MS:BACKDOOR-DIR SMB:SAMBAL-SUCCESS SSH:HIGHPORT SSH:X2-CHRIS SSH:X2
number than all the others. If you want ASM to respond to these Event Categories last (since they are deemed to be the least important), the Precedence
Notifications
This list shows all of the notifications that have been created.
Buttons
Create
Opens the Create Notification window. This window takes one
(E-Mail, Syslog, SNMP Trap, Script, Dragon, or Group).
Used In
Select a Notification in the list, and click the Used In button to open a window that dis
Policy List
This list contains the Policies that have been defined for ASM.
Buttons
Add to List
Adds the Policy name, typed into the associated field, to
NOTE: Sender Identifier names are case sensitive.
Sender Identifier Name
The name of a Sender Identifier.
Sender Identifier List
This list contains the Se
Select a Sender Identifier in the list, and click the Used In button to open a window that displays which ASM rules are using the identifier.
Sender Nam
The Sender Name.
Sender Name List
This list contains the Sender Names that have been defined for ASM.
Buttons
Add to List
Adds the Sender Name, typed into
Subnet Name
This is any name that you want to identify this subnet.
Threat Subnet
Enter the subnet that you want the ASM search scope to use when Dragon
Adds the Threat Subnet and Mask, typed into the associated fields, to the list.
Remove from List
Removes a selected Threat Subnet and Mask from the list
VLAN Name
The VLAN name.
VLAN ID
The VLAN ID.
VLAN List
This list contains the VLANs that have been defined for ASM.
Buttons
Add to List
Adds the VLAN Name/VL
Import
Opens a file browser where you can select a .pmd file to role names created in NetSight Policy Manager.
Used In
Select a VLAN in the list, and clic
Search Scope Definitions
This view lets you select the devices that will be searched when Dragon notifies ASM of a threat. You can set the search scope
Basic Search Scope
With Basic Search Mode selected the Search Scope Definitions view lets you include or exclude selected devices/device groups from to
search scope or click Exclude to designate your selection(s) as being specifically excluded in the search scope.
You can repeatedly select devices/devic
specific location--for example, all the routers in a particular building. When a device type (Routers) and a location group (Building2) are both select
Search Scopes
This panel lists the Search Scopes that can be associated with Search Scope Rules, which ultimately determine the devices that will be sea
Buttons
Create (Group)
Opens the Create Search Scope Group window where you can create groups of devices that will be searched when Dragon notifies ASM o
Exclude Specific Ports
This view lets you select specific ports that you want to exempt from the actions by ASM to prevent shutting down critical ports.
MAC Address Count
This feature lets you distinguish between single-user ports and multi-user ports (routers). When checked ASM will expand its query to
Get Port Info
Queries the Port Elements and device(s) selected in the tree to obtain a list of available ports.
Import
Opens a file browser to allow impo
Enabled
When checked, the action associated with the rule will be executed in response to an intrusion threat.
Rule Name
This is the name assigned to the
The event categories defined for the rule.
Sender Identifiers
The sender identifiers defined for the rule.
Policies
Port policies defined for this rule. D
Select Statistics Window
This window lets you select the data elements that will appear in the Statistics area of the ASM Activity Monitor window. It co
Action Undo Failed
The number of entries in the table where a standard or custom undo has failed.
Action Taken and Undone
The number of entries in the ta
Authorization/Device Access Users/Groups Tab
Use this tab to specify users who are authorized to access the NetSight database, and assign those users to
Automatic User Membership
The Automatic User Membership feature lets you specify an authorization group for users that login without having been previo
Authorization Group
The authorization group where the user is a member.
Automatic Member
Yes indicates that the associated user was not a previously auth
User name
The name used for this authorized user.
Domain/Host name
The user's domain/hostname that will be used to authenticate to the NetSight data
Group Name
This is the name given to the group. When adding a group, you can enter any text string that is descriptive of the members of this group.
Capa
Settings Tab
The Settings tab configures how SNMP requests will be handled for users that are members of this group.
Allow Users to Configure SNMP Redire
Authorization/Device Access Profiles/Credentials Tab
NetSight applications access devices to control certain device functions (SNMP sets) and retrieve i
Default Profile:
This drop-down list lets you specify a profile that will be used by default to access a device.
Profiles Table
This table lists all of t
CUSTOMER RELEASE NOTES
Enterasys NetSight™ Automated Security Manager
Version 2.2
June, 2006
INTRODUCTION:
Refer to the Addendum section at the end of this
This table lists all of the credentials that have been created in the NetSight database. The public_v1 credential is automatically created during Conso
Click areas in the windows for more information.
Profile Name
A unique name (up to 32 characters) that you assign to this profile.
When editing an existi
• Max Access - used for write operations (set) that require administrative access.
Security Level
Each access level can be assigned a security level:
Aut
Credential Name
A unique name (up to 32 characters) that you assign to this access credential. You can define a new credential or select a name from the
Automated Security Manager Help
Add/Edit Credential Window
Authorization/Device Access Profile/Device Mapping Tab
This tab lets you define the specific Profiles to be used by users in each Authorization Group wh
the profile used by the NetSight Administrator group. The Profile listed/selected for each Authorization Group column will be used by that group when c
Authorization/Device Access Manage SNMP Passwords Tab
This tab lets you collectively manage the credentials that have been set on your network's de
Authentication/Privacy
The new SNMPv3 passwords that will be used for access to the associated device(s).
Show Passwords in Clear Text
When checked, the
Backup Database Window
Use the Backup Database window to save the currently active database to a file on the NetSight Server workstation. If the NetSigh
NetSight Automated Security Manager
NetSight Automated Security Manager combines the features of a comprehensive intrusion detection system, such as Ent
Clean Up Incidents Window
The Clean Up Incidents window lets you delete incidents from the Activity Monitor table based on incident status. Use the chec
Configure Server Window
The Configure Server window allows you to configure various NetSight Server parameters. The window has a right-panel view that c
Total Allowed
The maximum number of client connections allowed for this plugin application. Select this field and use the arrows to change the number, i
Create/Edit Notification Window
This window lets you create or edit notifications that are activated with your response to network threats. The window t
Specify information to include in E-Mail message
These check boxes let you select elements of the event information to be added to your E-Mail notificat
Buttons
Test
This button allows sending a test syslog message to simulate a notification sent in response to a network threat.
SNMP Trap
This window lets y
This is the password (between 1 and 64 characters in length) that will be used to determine Privacy. This field is disabled for Privacy Type, None.
Trap
The Program to run field does not allow using options. For example, you cannot enter myscript.bat -i <IP Address> -m <MAC Address> in the P
Device IP      dev
Device Port    port
Rule Name      rname
Action         action
Details        dtls
SNMP Parameters (note 1)
SNMPv1, SNMPv2          SNMPv3
Parameter  Keyword      Parameter  Keyword
S
Example:
Sender Name, Sender ID, Threat MAC, and SNMP Write are selected and the device is configured for SNMPv1 credentials, the information passed to
PRODUCT DEVICE/FIRMWARE SUPPORT:
Static Policies
Devices that support Static Policies must be able to discard traffic at the role level and apply a Quar
Privacy Type
DES or None, selected from this drop-down list. These settings are disabled if Authentication Type None is selected.
Privacy Password
This is
Create/Edit Rule Window
The features and fields in the Create Rule and Edit Rule windows are identical, except for their title. These windows are used t
Name
The name given to this rule. The name can be any character string, excluding spaces, up to 64 characters.
Rule Conditions
The following attributes ar
different actions based on the device/device group selected here. For example, if you are creating a rule with an action that applies a policy, you do
• Match Selected - The event category is compared against one or more categories selected from the list.
Exclude Selected - The event category matches i
• Match Any - This is an unconditional match for a currently applied policy.
Match Selected - A match occurs when the currently applied policy is one o
• Match Selected - The currently applied VLAN is compared against one or more VLANs selected from the list.
Exclude Selected - The currently applied VLA
Multi-User Authentication
When the action for a rule is set to Apply Policy and the threat is located on a port on a device that supports Multi-User Aut
NOTE: When a custom action script does not specify the path for its output, the output is placed in the <install area>\Enterasys Networks\NetSigh
Firmware Version
Matrix E5 3.00.xx
Matrix V2 2.03.xx 2.04.xx
Vertical Horizon VH-2402S VH-2402-L3 VH-4802 VH-8TX1UM/MF 2.05.191.00.162.05.052.04.07.08
Roa
notifications. In this window, you can select a Notification to edit, or click Create to open the Create Notification window.
Create/Edit Search Scope
This window lets you create and name groups of devices that will be searched when Dragon notifies ASM of a threat. It operates
Groups & Devices
This panel shows the device tree for devices modeled in the Console database. You can expand branches of the tree to select Devices/
in both groups (Routers in Building2) will be included in the search scope.
Resulting Devices
The resulting list of devices that will be searched when D
Create/Edit Search Scope Rule
This view lets you create rules that determine which search scope will be used when a specific threat arrives. Each searc
• Match Selected - The Sender ID is compared against one or more Sender Identifiers selected from the list.
Exclude Selected - The Sender ID matches if
Edit Notifications Window
This window lists all the notifications you have created, and lets you edit or remove a notification, or create a new one.
Clic
Edit Entry
Opens the Edit Notification window for the notification selected in the list.
Used In
Select a notification in the list, and click the Used In
E-Mail Configuration Window
The E-Mail Configuration window lets you create an E-Mail recipient list to use when configuring E-Mail notification setting
Optimized Node/Alias Implementation
Automated Security Manager processes Dragon events by locating the intruder IP address stored in the event and then
Error removing Notification(s) Window
This window automatically opens if you attempt to remove one or more notifications that are currently in use by AS
Event View
NetSight's Event View lets you view alarm, event, and trap information for the NetSight Console, network devices, and other NetSight app
application (HPOV, NetSight Element Manager, etc.), you must shut it down before launching Console.
Syslog Tab
This tab maintains a record of all the BOO
selected event or trap.
Buttons
Show/Hide Acknowledged Events
This button hides or shows items in the table that have been acknowledged by a check in the
Event Details Window
The Event Details window shows additional information about an event or trap selected in the Event View. It combines information ab
Client
Only applicable to Console events and shows the hostname of the source of the event.
Severity
Indicates the potential impact of the event or trap.
Event Log Viewer
NetSight Options set limits on the size of log files that record events on your network. When the limit is reached, the information is
User
Associates an event with the user that performed the action that triggered the event.
Type
Identifies the type of information for this row (event, o
Event View Manager Window
The Event View Manager window lets you add your own tabs to the Event View panel to create custom tables that provide the info
• Title - The name that appears on the tab in the Event panel.
Log Managers - A comma-separated list of the Log Managers that contribute entries to the
MIB Selection panel.
Disable Node/Alias Learning -- It's important to make sure that inter-switch links are not learning Node/Alias information, as
This button applies the current Event Configurations, but leaves the Event View Manager window open to allow additional configuration.
New Log Manager Window
The New Log Manager window lets you create local log managers to use when configuring Event Views. It is opened from the New butt
Log Manager Parameters Window
This window displays parameters for a selected log manager. It is opened from the Edit button when a log manager is select
Poll Interval
This field is only active when the Syslog or Traps Log Manager is selected. This is the time interval (in seconds) between retrieving info
Custom Pattern Configuration Window
This window lets you create a pattern that will be used to interpret information from a non-standard syslog file. A
• Console 1.x Pattern - Parses files generated by Console 1.x
• Console 2.0 Pattern - Parses files generated by Console, and its current plugins.
Fields
Displays the selected Fields and Delimiters that determine how each data element in the sample line will be parsed and placed in a column in the Ev
New/Edit (Event) View Window
This window lets you define the name and any columns that you want to add to a new or existing Event View.
It is opened fro
Open Log File Window
This window lets you select a log file from either the client or server for viewing in the Event Log Viewer window. It also lets yo
instructions included with the Entitlement that was sent to you. (For more information, see http://www.enterasys.com/products/management/.)
Evaluation
Open Event Log on Server
This browser opens with the default path set to the <install area>\Enterasys Networks\NetSightConsole\server\logs direct
Incident Test Tool
This tool lets you test and debug the search scopes and actions to verify ASM's response to an event.
Click areas in the window
Test response by directly invoking ASM - this level bypasses the SNMP trap mechanism, sending the trap directly to ASM. ASM processes the threat as if
Buttons
Send Incident to ASM
Sends the test (inform) message that you've configured to ASM. If you've configured your ASM Rules correctly, the
ASM Log Entry Details Window
This window displays detailed information about a specific trap/action entry selected in the Automated Security Manager Act
Timestamp
Shows the date and time when the event occurred.
Source
Shows the IP address of the host that was the source of the event.
Client
Shows the hostn
Menu Bar
The ASM menu bar provides access to tools and functions that help you maintain the security of your network. ASM menus are available in several
File
Database > Import v1.5 ASM Database
Opens a file browser where you can select a NetSight Console version 1.5 database and import ASM components i
is dynamically updated as you set or change/define settings, always presenting the appropriate options as your configuration progresses. As you move th
condition, possibly compromising the security of your network.
Disable Log Entry Details. Under extreme network loads, you can improve ASM performance
Opens your system's Web browser and takes you to the Enterasys Global Support Web page.
Check for Updates
Allows you to update Automated Security M
Options Window
The Options window allows you to set options for NetSight functions on a suite-wide and per-application basis. The Options window has a r
Automated Security Manager Options
Automated Security Manager Options (Tools > Options) lets you define your preferences for ASM operations. The righ
Apply
Sets the currently defined settings and keeps the Options window open.
OK
Sets the options and closes the window.
Cancel
Cancels any changes you have
Max Number of Outstanding Actions
This parameter limits the number of outstanding (pending execution) actions.
Max Number of Action per Threat
This param
Show Edit Mode Required Dialog
The Edit Mode Required dialog appears if you try to make changes in the ASM Configuration window without first selecting
NOTE: Dragon EMS host names are case sensitive.
Dragon EMS Host/IP
The Dragon EMS hostname or IP address.
Dragon EMS List
This list contains the Dragon EMS
KNOWN RESTRICTIONS AND LIMITATIONS
The known restrictions and limitations for this release of NetSight Automated Security Manager are listed below. Solu
SNMP
The SNMP view lets you specify options that define the ASM's SNMP polling parameters.
Click areas of the window for more information.
Number of
Restore Database Window
Use the Restore Database window to restore the initial database or restore a saved database. Both functions will cause all curre
Server Information Window
The Server Information window lets you view and configure certain NetSight Server functions, including management of client con
Current Client Connections
This table lists all of the currently connected clients for this server, with the most recent connection at the top.
The list
Disconnects the selected client. The client being disconnected receives a message saying that their connection will be terminated in 30 seconds. You mu
Clears the log. If you want to retain a copy of the log that you are clearing, you must manually copy the date-stamped file in the <install area>
you modify that password, and also view and modify the connection URL for the database.
Password
Click Change to display a window where you can enter a
User:
The name of the user who initiated the lock.
Authorization Group
The authorization group the user belongs to.
Client Type
The type of client: Console
Server Log Tab
The Server Log displays all the events for the server. Server Log entries are listed by date and time, with newer entries listed at the b
Use the drop-down list to select the number of lines you would like displayed in the log.
Find:
Enter the text or numeric value you want to find.
Case Se
General
Problem 1: (Linux and UNIX only) You cannot specify a range of pages when printing from tables on UNIX or Linux systems. If you select Print from
Display:
Use the drop-down list to select the number of lines you would like displayed in the log.
Filter:
Enter the text or numeric value you want to us
above the entries you can see the status of whether the entries are filtered or not filtered.
Filter Button
Performs the filter and displays the results
Select this button to view the current day's log. The name of the log and the path to where it is located is displayed in the field to the right.
P
Server License Limitations
Information on the selected server license:
• whether the server accepts connections from remote clients.
the maximum number o
generate a product license. Refer to the instructions included with the License Entitlement ID that was sent to you.) Click Update. The license file wi
NetSight Server Statistics Window
Use this window to view NetSight Server statistics. You can access the window by clicking the Server Stats button in t
snmptrapd.conf Text Editor Window
This window lets you edit the content of the snmptrapd.conf file to define credentials that will be used by Console wh
myauthpassword MD5 or SHA - authentication type and authentication password (optional parameter - do not use when authentication is not used)
myprivpasswo
either Remote Desktop or a third-party program, you can restart snmptrapd as follows:
a. Go to the Taskbar Notification Area of the remote desktop.
Locate
Specify Program for Action/Undo Window
When creating a rule, this window lets you:
customize the response to an event by selecting a program to be execu
Return to the Search tab, clear the entry and click Search. Go back to the Contents and the navigation will work correctly.
Problem 3: Help does not lau
myscript.bat such as:
C:\Program Files\My Custom Files\myscript.bat -i %1 -m %2".
Uncheck all but the Threat IP and Threat MAC checkboxes and selec
Action         action
Details        dtls
SNMP Parameters (note 1)
SNMPv1, SNMPv2          SNMPv3
Parameter  Keyword      Parameter  Keyword
SNMPReadsnmp="v1"roSNMPRead,SNMPWri
And, for a script named myscript.bat, the resulting script command would be executed as:
C:\Program Files\Enterasys Networks\NetSightConsole\server\plu
Toolbar
The ASM toolbar provides easy access to some of the more commonly used Automated Security Manager menu functions. Some Toolbar buttons may not b
Updates Available Window
NetSight applications provide an easy way to download product updates using a web update operation accessed from Help > Che
Details
Opens the NetSight Updates Details window where you can see details on what each update includes.
Usage Window
This window lets you view where rule variables are in use by ASM rules. The title of the window changes depending on the rule variable you
Reference Information
The References help folder contains information that is referenced by other help topics.
Double-click the References help folder i
Disable Log Entry Details
If you experience ASM performance problems while under extreme network load, you can improve performance by disabling Log Entr
For information regarding the latest software available, recent release note revisions, or if you require additional assistance, please visit the Enter
802.1x Authentication (PAE)
Port Access Entity module for managing IEEE 802.1X.
Check this MIB to find other occurrences of an IP address or MAC address
the Node/Alias (ctAlias) MIB.
IGMP Standard
MIB module for IGMP Management, it contains an IGMP Interface Table, having one row for each interface on whi
Check this MIB to find other occurrences of an IP address or MAC address within your search scope.
The values returned by searching this MIB are often
NetSight - Supported MIBs
A B C D E F G H I J L M N O P Q R S T U V W Z
A
ACCOUNTING-CONTROL-MIB ADSL-LINE-MIB ADSL-TC-MIB AGENTX-MI
ctron-dcm-mib ctron-deciv-router-mib ctron-device-mib ctron-dhcp-mib ctron-dlsw-mib ctron-download-mib ctron-elan-mib ctron-environment-mib ctron-ethern
D
DECNET-PHIV-MIB DIAL-CONTROL-MIB DIRECTORY-SERVER-MIB DISMAN-EVENT-MIB DISMAN-EXPRESSION-MIB DISMAN-NSLOOKUP-MIB DISMAN-PING-MIB DISMAN-SCHEDULE-MIB DI
F
fast-ethernet-mib FLOW-METER-MIB FRAME-RELAY-DTE-MIB FDDI-SMT73-MIB FR-ATM-PVC-SERVICE-IWF-MIB FRNETSERV-MIB FIBRE-CHANNEL-FE-MIB FR-MFR-MIB
G
garp-mib
H
H
L
lan-emulation-client-mib
M
MAU-MIB MIP-MIB MIOX25-MIB Modem-MIB MTA-MIB
N
netlink-specific-mib NETWORK-SERVICES-MIB NOTIFICATION-LOG-MIB network-diags-mib
R
RADIUS-ACC-CLIENT-MIB RADIUS-ACC-SERVER-MIB RADIUS-AUTH-CLIENT-MIB RADIUS-AUTH-SERVER-MIB RDBMS-MIB repeater-mib-2 repeater-rev4-mib RFC1065-SMI RFC115
U
UDP-MIB UPS-MIB ups2-mib usm-target-tag-mib
V
VRRP-MIB v2h124-24-mib.txt
W
wrs-master-mib WWW-MIB
Z
ziplock-mib
NetSight Automated Security Manager Installation
NOTE: When this topic is opened from the CD-ROM, the links from this topic to other help topics will no
Traps and Informs
SNMP Notification messages (Traps and Informs) provide the mechanism for one SNMP application to notify another SNMP application that
myUser security user name
myauthpassword MD5 or SHA - authentication type and authentication password (optional parameter - do not use when authenticatio
Before you install Automated Security Manager, it is recommended that you read the NetSight Automated Security Manager Release Notes. You can also acce
1. In the Automated Security Manager main window, select Tools > Server Information.
2. In the Server Information window, click the License tab.
Sel
a Windows platform system, you need to:
• Configure the Environment
• Stop the NetSight Server and Database (Windows)
Once your system is properly config
2. Select the Advanced tab and click the Settings button in the "Performance" section. The Performance Options window opens.
Select the Advanc
No server or database components will be installed. This requires that an Automated Security Manager Client and Server has been installed on another sy
NOTE: You may encounter a Java exception during the install when becoming the root user with the su - command. Be sure that your system's root envi
The NetSight Automated Security Manager Installer leads you through a series of windows that ask you for all the information required in order to insta
following procedures assume that the CD drive from which you are installing is physically attached to the system where ASM is being installed. The user
License Text -- You will need to enter the license text that you received when you generated the Automated Security Manager license. (When you purchase
1. Go to the Taskbar Notification Area of your desktop (on the lower right of your screen, unless you've relocated your Taskbar).
Right-click the S
2. Start the Uninstaller by issuing the command:
./UninstallAutoSecMgr.sh
Support
To locate product specific information, refer to the Enterasys website:
Getting Started with Automated Security Manager
Automated Security Manager (ASM) can help you manage responses to serious network security threats. This
There are two ways to configure SNMPTrap information: Using the Trap Receiver Configuration View or by manually adding user information to the snmptrap
You can also type user credentials directly into the snmptrapd.conf Text area to add entries to the configuration file. The format for user information
1. Open a Web browser and navigate to Dragon. The following URL opens the Dragon user interface: https://<Dragon IP address>/dragon
Enter th
f. Enter a Name for your new Alarm and click Save.
Deploy your new trap configuration.
a. Click DEPLOYMENT in the left panel.
Click Deploy to activate yo
How To Use the Automated Security Manager
The How To help folder contains help topics that give you instructions for performing tasks in NetSight Automa
How to Check for Updates
NetSight applications provide an easy way to access and download product updates using a web update operation. You can perform
The Updates Available window opens where you can view the new updates that are available for download. Use the checkboxes to select the updates you wis
How to Configure Events
You can use the Event View Manager window to add your own views (tabs) to the Event View panel. You can create custom tables tha
If the Available Log Managers table lists a log that you want to add to this tab, select that log manager from the list and click . The selected log m
How to Configure and Manage the NetSight Server
Use the Server Information window to manage various NetSight Server functions including viewing server in
6. Click OK.
Managing the Database
Use the Database tab in the Server Information window to change the database server password and connection URL, as we
2. Select the Database tab.
3. In the NetSight Data Set Operations section, click Backup. The Backup Database window opens.
The Database Path field disp
3. In the Current Client Connections table, select the client that you want to disconnect and click the Disconnect button.
The client being disconnected
Upgrading a Console License
On UNIX and Linux systems only, you can use the Change License function to upgrade a Console license from a Standalone to a
Revoking a Lock
Use the following steps to revoke a lock.
1. Select Tools > Server Information from the menu bar. The Server Information window opens.
How To Configure Profiles and Credentials
Use this tab to manage credentials that define the access privileges required for SNMPv1, SNMPv2c, and SNMPv3,
d. Select a Privacy Type (DES or None). Privacy settings are disabled when the Authentication Type is set to None.
Type the same password (between 1 and
Managing Profiles
Profiles are assigned to device models in the NetSight database. They identify the credentials that are used for the various access le
3. Click Delete. The selected profile is removed from the table.
How To Configure Profile/Device MappingUse the Profile/Device Mapping tab to specify which profile will be used by each Authorization Group whencommun
How to Configure the SNMPTrap ServiceConsole's SNMPTrap Service (snmptrapd) must know the user credentials of a sending agent (on the device)befo
Restarting snmptrapd ServiceDepending on the system where the NetSight Server is running and your preference, there are several ways torestart the snm
For related information:
• Traps and Informs
How to Manage Users and Groups
Use the Users and Groups tab (via the Authorization/Device Access tool) to specify users who are authorized to access the
• Never Redirect SNMP to the NetSight Server - SNMP requests are always made from the client system.
These settings have no effect when both the client
1. Click or choose Authorization/Device Access from the Tools menu. The Authorization/Device Access window opens with the Users/Groups tab selected.
C
How to Create and Edit Automated Security Manager Rules
Automated Security Manager Rules serve two distinct functions:
Examine the source of the threat (
Select the Event Categories that will result in applying the action for this rule. To be recognized by ASM, the text string in the event message sent b
• Match Any - This is an unconditional match for a currently applied VLAN.
Match Selected - The currently applied VLAN is compared against one or more
Custom Action:
Check Custom Action and click Edit to open the Specify Program for Action window where you can customize the response to an event by sele
Threat MAC thmac
Device IP dev
Device Port port
Rule Name rname
Action action
Details dtls
SNMP Parameters (note 1)
SNMPv1, SNMPv2 SNMPv3
Parameter Keyword Pa
When Unformatted without spaces is selected, the parameters will be passed as space delimited, unformatted text, without keywords. For this option, you
How to Import a Database
You can import a NetSight database (Console release 1.5) containing previously configured ASM components into the NetSight 2.2
How to Manage SNMP Passwords
Use this tab to collectively manage the credentials that have been set on your network's devices.
Instructions for:
Set
Buttons
Test
This button lets you test to verify that the credential in the "Use for Set" column can access the applicable MIBs on the device.
A
How To Send a Test Incident to ASM
This tool lets you test and debug the search scopes, and actions to verify ASM's response to an event. You can p
• Trap Receiver - This is the system where the SNMPTrap Service is running.
If necessary, edit the SNMPTrapd.conf file to configure user credentials in
Server Configuration Considerations
This Help topic provides configuration information for the NetSight Server, such as running the server in a non-DNS
2. Edit the HOSTNAME variable at the top of the file to:
HOSTNAME="<server IP address>"
For example, HOSTNAME="123.123.123.123"
How to Set Options
Use the Options window to set options for NetSight functions on a suite-wide and per-application basis. The Options window has a righ
How to Set Automated Security Manager Options
Automated Security Manager Options (Tools > Options) let you define your preferences for ASM operation
5. Click Apply or OK.
Dialog Boxes
This view lets you select whether certain dialog boxes are shown or ignored.
Select Tools > Options in the menu bar
Using the ASM Activity Monitor
The Activity Monitor opens when you launch Automated Security Manager (ASM). It contains a log of ASM activities, and pro
Clean Up Incidents
You can delete incidents from the Activity Monitor based on incident status.
Click the Clean Up Incidents button below the Activity M
NetSight Automated Security Manager Windows
The Windows help folder contains help topics describing NetSight Automated Security Manager windows and thei
Advanced Statistics Window
This window provides advanced server statistics that are useful as a troubleshooting tool. You can access this window by clic
Automated Security Manager Activity Monitor
In addition to the Menu Bar and Toolbar, the Automated Security Manager Activity Monitor window consists of
Automated Security Manager Help
Welcome to the online help system for Enterasys NetSight™ Automated Security Manager (ASM). All ASM documentation is av
The panels in the upper half of the view can be closed by clicking the button. The Operation Mode and Statistics Summary panels are restored by selec
button) to show only the traffic light indicator in the upper right corner. A drop-down menu lets you make selections as shown here:
ASM can be Disable
Device/Port, Rule Name, Action, Details, Last Update and Search Time columns.
Show Excluded - when checked, the table contains entries for when an IP a
not been confirmed yet.
The status for this entry was Action in Progress when the ASM Operation Mode changed to Disabled, Search Only or Console was exited and
• Port already disabled, Custom action failed
• Policy already applied to port, Custom action failed
• PVID already applied to port, Custom action failed
Poli
• SNMP Sets fail (Write parameters do not match the device), Custom action executed
• Device not in database, Custom action executed
Policy not on device, Cust
not exist on device
• Current PVID setting does not agree with ASM action taken (this includes PVID and tagging parameters)
Current port state does not agree
Undo Action button; Custom Undo Action executed
• Action undone by Timer; Custom Undo Action executed
ASM Action was set to None; Custom Action was executed a
Blank Custom Action Only
• ASM Action was set to None; Custom action executed
• ASM Action was set to None; Custom Action failed
NOTE: This status only appear
• Port Query Pending
Blank Search Pending
Search for this entry is in the search queue.
Blank Action Pending
Action for this entry is in the action queue.
Bl