Release 14.1 PacketLogic Product Guide Revision: 1.3

Uploaded by nelsonbohr on 11-Dec-2015


DESCRIPTION

Procera Packet Logic guide

TRANSCRIPT

Page 1: Packetlogic Product Guide 14-1-1.3

Release 14.1
PacketLogic Product Guide
Revision: 1.3


Portions of the documents can be copied and pasted to your electronic mail or word-processing applications for your personal use only, but cannot be distributed to third parties. In no event may you copy or use this information for any commercial purposes except the operation of products from Procera Networks, Inc. and you may not transmit this information to third parties without the consent of Procera Networks, Inc.

IT IS ILLEGAL TO COPY (FOR OTHER THAN BACK-UP PURPOSES) THE CONTENTS OF THIS DOCUMENTATION OR TO POST THE CONTENTS ON THE INTERNET WITHOUT THE EXPRESS PRIOR WRITTEN CONSENT FROM AN AUTHORIZED OFFICER OF PROCERA NETWORKS, INC. OR NETINTACT AB.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

Netintact, PacketLogic, the PacketLogic logo, and Netintact logos are registered trademarks of Netintact AB in Sweden and certain other countries. Procera Networks and the Procera Networks logo are registered trademarks of Procera Networks, Inc. All other trademarks mentioned in this document are the property of their respective owners.

Copyright © 2001-2013 Procera Networks


Table of Contents

1. About This Manual ... 1
2. Introduction ... 3
  2.1. About PacketLogic ... 3
  2.2. Areas of Use ... 3
  2.3. User Interfaces ... 4
    2.3.1. Integration Capabilities ... 4
  2.4. This Manual ... 4
    2.4.1. TECH: Technical Sections ... 4
3. New Features ... 5
  3.1. New Since Release 14.0 ... 5
    3.1.1. Multiple StatisticsObjects in Statistics Rules ... 5
    3.1.2. Statistics Averages Based on Usage Analysis ... 5
    3.1.3. Load Balancing over Multiple Divert Systems ... 5
    3.1.4. Flexible Selection of Monitor Targets ... 5
    3.1.5. Dynamic LiveView ... 5
    3.1.6. URL Categorization ... 6
    3.1.7. Improved Host Triggers ... 6
    3.1.8. Connection Protection Triggers ... 6
    3.1.9. IPv6 support in BGP ... 6
    3.1.10. System information for appliances ... 6
    3.1.11. Rewrite Log for CGN ... 6
    3.1.12. Flexible Syslogging ... 6
    3.1.13. Fair Split Host Fairness in Shaping ... 7
    3.1.14. Other Changes ... 7
4. Key Concepts ... 9
  4.1. Terminology ... 9
  4.2. Traffic Analysis ... 9
    4.2.1. Tunneling ... 10
      4.2.1.1. Tunnel Levels and Types ... 10
    4.2.2. IPv6 Support ... 11
    4.2.3. Shunting ... 11
      4.2.3.1. Actions ... 12
      4.2.3.2. Port Filtering ... 13
    4.2.4. Packet-Based Information ... 13
    4.2.5. TTL/Hop Limit Tracking ... 13
    4.2.6. Flow Synchronization ... 13
    4.2.7. URL Categorization ... 14
      4.2.7.1. Limitations ... 15
    4.2.8. Border Gateway Protocol (BGP) ... 15
      4.2.8.1. Position Representation in AS Paths ... 16
      4.2.8.2. BGP Communities ... 17
      4.2.8.3. IPv6 support in BGP ... 17
    4.2.9. Quality Measurement Algorithm ... 17
  4.3. Carrier Grade Network Address Translation (NAT) ... 18
    4.3.1. Limitations and Requirements ... 18
    4.3.2. Configuration ... 18
    4.3.3. Operation ... 18
  4.4. TECH: Software Components ... 19
    4.4.1. Load Balancer (PL10000/PL20000) ... 19
      4.4.1.1. Buckets ... 19
      4.4.1.2. Load Balancer Blacklisting (PL10000/PL20000) ... 19
    4.4.2. Engine ... 19
      4.4.2.1. Engine in the PL10000/PL20000 ... 20


      4.4.2.2. Reaper in the PL10000/PL20000 ... 20
      4.4.2.3. Datastream Recognition Definition Language (DRDL) ... 20
        4.4.2.3.1. Asymmetric Traffic ... 20
      4.4.2.4. Virtual Services ... 20
      4.4.2.5. Port Tainting ... 21
    4.4.3. PLRCD ... 21
    4.4.4. PLD ... 22
      4.4.4.1. Hosts ... 22
    4.4.5. PacketLogic Database Daemon ... 22
      4.4.5.1. Database Daemon in a Statistics System ... 23
      4.4.5.2. Resources ... 23
        4.4.5.2.1. Proxied resources ... 24
        4.4.5.2.2. Locking resources ... 24
      4.4.5.3. External Authentication Sources ... 24
    4.4.6. Statistics Daemon ... 24
    4.4.7. Internal Communication ... 25
    4.4.8. Connections ... 25
    4.4.9. Local, Remote, Incoming, and Outgoing ... 25
    4.4.10. Client/Server versus Source/Destination ... 25
  4.5. Traffic Identification ... 25
  4.6. Traffic Management ... 26
  4.7. Objects and Rules ... 27
    4.7.1. Object Types for Traffic Identification ... 27
      4.7.1.1. NetObjects ... 27
        4.7.1.1.1. Dynamic Objects and Items ... 28
        4.7.1.1.2. Attributes ... 28
      4.7.1.2. PortObjects ... 28
      4.7.1.3. ProtocolObjects ... 28
      4.7.1.4. ServiceObjects ... 28
      4.7.1.5. CategoryObjects ... 29
      4.7.1.6. TimeObjects ... 29
      4.7.1.7. BGPObjects ... 29
      4.7.1.8. VlanObjects ... 30
      4.7.1.9. DSCPObjects ... 30
      4.7.1.10. ChannelObjects ... 30
      4.7.1.11. PropertyObjects ... 30
      4.7.1.12. FlagObjects ... 31
      4.7.1.13. TunnelLevelObjects ... 32
      4.7.1.14. TunnelTypeObjects ... 32
      4.7.1.15. MPLSObjects ... 32
      4.7.1.16. SystemObjects ... 32
    4.7.2. Nesting and Hierarchies ... 32
    4.7.3. Object - Item Relationships (or, and, exclude) ... 33
      4.7.3.1. Exclude ... 33
    4.7.4. Object Types for Traffic Management ... 35
      4.7.4.1. RewriteObjects ... 35
        4.7.4.1.1. Rewriting Source IP ... 35
      4.7.4.2. ShapingObjects ... 35
      4.7.4.3. StatisticsObjects ... 35
    4.7.5. Rules ... 36
      4.7.5.1. Conditions ... 36
      4.7.5.2. Filtering Rules ... 36
      4.7.5.3. Shaping Rules ... 37
      4.7.5.4. Statistics Rules ... 37
  4.8. Network Impact ... 38
    4.8.1. MTU Restrictions ... 38


    4.8.2. Connection Protection ... 38
5. PacketLogic Traffic Shaping ... 39
  5.1. Installation ... 39
  5.2. How Traffic Shaping Works: An Overview ... 39
    5.2.1. What PacketLogic Does ... 40
    5.2.2. Priority ... 42
      5.2.2.1. Priority 0 Fast Lane ... 43
      5.2.2.2. Weighted Fair Queueing ... 43
    5.2.3. Borrowing ... 44
    5.2.4. Split By ... 44
      5.2.4.1. Split by Considerations ... 45
    5.2.5. Shaping Bits, Packets, or Connections ... 46
    5.2.6. Limiting Concurrent Connections ... 46
  5.3. Monitoring the Shaping System ... 46
  5.4. Configuration Examples ... 46
    5.4.1. Limiting a Network ... 46
    5.4.2. Limiting Each Host on a Network ... 47
    5.4.3. Limiting Overall FTP to 2 Mbps ... 47
  5.5. Shaping Counters ... 47
    5.5.1. Volume Based Shaping ... 47
      5.5.1.1. Implementation and Configuration ... 47
      5.5.1.2. Example ... 48
        5.5.1.2.1. Sliding Window ... 49
          5.5.1.2.1.1. Time t2 ... 49
          5.5.1.2.1.2. Time t3 ... 50
          5.5.1.2.1.3. Time t4 ... 51
          5.5.1.2.1.4. Time t5 ... 52
  5.6. TECH: Queueing Engine ... 53
    5.6.1. Packet Queueing ... 53
      5.6.1.1. Priority handling ... 54
      5.6.1.2. BROWN ... 54
    5.6.2. Queue Synchronization ... 54
      5.6.2.1. Tuning the Queue Synchronization Algorithm ... 55
      5.6.2.2. Parallel Queueing Structure ... 55
      5.6.2.3. Queueing Versus Window Scaling ... 55
      5.6.2.4. Latency ... 55
    5.6.3. Explicit Congestion Notification (ECN) ... 56
    5.6.4. Using Differentiated Services Code Point (DSCP) Marking in Shaping ... 56
    5.6.5. Fairness ... 56
      5.6.5.1. Connection Fairness ... 56
      5.6.5.2. Host Fairness ... 56
        5.6.5.2.1. Local Host Fairness ... 56
        5.6.5.2.2. Fair Split Host Fairness ... 57
        5.6.5.2.3. Host Fairness in the PL10000/PL20000 ... 57
      5.6.5.3. Weighted Fair Queueing ... 57
    5.6.6. Fine-tuning the Shaping System ... 57
      5.6.6.1. High-RTT Networks ... 59
      5.6.6.2. CoDel ... 59
6. Filtering ... 61
  6.1. Maintaining Filtering Rules ... 61
  6.2. Understanding a Rule Set ... 61
    6.2.1. Allowing Multiple Filtering Rules to Apply ... 62
      6.2.1.1. TECH: Ruleset Execution Order for Alternative Evaluation ... 63
  6.3. Actions ... 63
    6.3.1. Accept ... 64
    6.3.2. Reject ... 64


    6.3.3. Drop ... 64
    6.3.4. Rewrite ... 64
    6.3.5. Divert ... 64
    6.3.6. Inject ... 64
  6.4. Monitor ... 65
    6.4.1. Custom Snooper ... 66
    6.4.2. DHCP Snooper ... 66
    6.4.3. Label ... 67
    6.4.4. PCAP/PCAP-2 Writer ... 67
    6.4.5. RADIUS Snooper ... 67
    6.4.6. SIP Snooper ... 67
  6.5. Rule List Evaluation ... 69
  6.6. Using the Log Attribute ... 69
  6.7. Monitoring the Filtering ... 69
    6.7.1. Filtering Log View ... 70
    6.7.2. Sending the Filtering Log to Syslog ... 70
  6.8. Filtering default behavior ... 70
    6.8.1. Using the "Accept All Except These" Approach ... 70
    6.8.2. Using the "Reject All Except These" Approach ... 70
  6.9. TECH: Divert ... 71
    6.9.1. Installation ... 72
    6.9.2. Configuration ... 72
    6.9.3. Divert Labels ... 73
      6.9.3.1. Divert Channel ... 73
      6.9.3.2. Divert VLAN ... 73
        6.9.3.2.1. Asymmetric VLAN ... 73
        6.9.3.2.2. Load Balancing ... 74
      6.9.3.3. Use Cases ... 74
        6.9.3.3.1. Diverting to Multiple Units on one Channel ... 74
        6.9.3.3.2. Load Balancing over Multiple Systems on one Channel ... 75
    6.9.4. Chained Divert ... 77
    6.9.5. Heartbeats ... 78
    6.9.6. Diverting to Layer 3 Routing Devices ... 78
      6.9.6.1. Routing Examples for L3 Divert Units ... 79
    6.9.7. Diverting Mid-Session ... 79
      6.9.7.1. Limitations ... 80
      6.9.7.2. Configuration ... 80
7. PacketLogic Statistics ... 83
  7.1. Description ... 83
    7.1.1. Charts and graphs ... 83
    7.1.2. Values ... 83
    7.1.3. Distribution ... 85
    7.1.4. Depth and Object Root ... 86
    7.1.5. Depth in AS Paths ... 89
    7.1.6. Aggregation and Linking ... 89
    7.1.7. Graphing ... 91
    7.1.8. Averages Based on Usage Analysis ... 91
    7.1.9. Peak Analysis ... 93
    7.1.10. Listing Durations for Thresholds ... 93
    7.1.11. Priority ... 93
  7.2. Installation ... 94
  7.3. Configuration ... 94
    7.3.1. PRE ... 94
      7.3.1.1. PRE with Local Statistics Storage ... 94
      7.3.1.2. PRE with Separate PIC ... 94
    7.3.2. PIC ... 94


      7.3.2.1. Aggregation ... 94
  7.4. TECH: Performance Considerations ... 94
    7.4.1. Number of Values ... 94
    7.4.2. Connection Logging ... 95
    7.4.3. Distribution by Property ... 95
  7.5. TECH: Architecture ... 95
    7.5.1. Overview ... 95
    7.5.2. Statistical Data Flow ... 95
    7.5.3. Statistical Data Storage ... 96
      7.5.3.1. Values ... 96
      7.5.3.2. Storage Layout ... 96
      7.5.3.3. Reading ... 96
        7.5.3.3.1. Statistics Reader Peering ... 97
      7.5.3.4. Backup, Restore, and Archiving ... 97
  7.6. TECH: Comparison to Alternative Storage Architectures ... 97
  7.7. Connection Logging ... 98
  7.8. Connection Search ... 98
    7.8.1. Description ... 98
    7.8.2. Usage overview ... 99
    7.8.3. Available criteria ... 99
    7.8.4. Stored details ... 99
    7.8.5. Storage considerations ... 100
  7.9. IPFIX Export ... 100
  7.10. PythonAPI ... 101
8. The PacketLogic Client Interface ... 103
  8.1. Command Line Mode ... 103
  8.2. System Manager ... 104
    8.2.1. Advanced Options ... 104
      8.2.1.1. Use Compression ... 104
      8.2.1.2. Connecting to multiple PacketLogic systems ... 104
      8.2.1.3. Use different password for LiveView login ... 105
      8.2.1.4. Use proxy if available ... 105
  8.3. Status Bar ... 105
  8.4. Drop-Down Menus ... 105
    8.4.1. File Menu ... 105
    8.4.2. Edit Menu ... 106
      8.4.2.1. Preferences ... 106
    8.4.3. View Menu ... 107
    8.4.4. Tools menu ... 107
    8.4.5. Help Menu ... 107
  8.5. System Overview ... 108
    8.5.1. Systems ... 108
    8.5.2. Values ... 109
    8.5.3. Totals Graphs ... 109
    8.5.4. System Information ... 109
    8.5.5. View Menu in System Overview ... 109

8.6. LiveView ................................................................................................................... 1098.6.1. Custom Views .................................................................................................. 1138.6.2. Local Hosts ...................................................................................................... 1138.6.3. Service Objects ................................................................................................. 1158.6.4. Services ........................................................................................................... 1178.6.5. Categories ........................................................................................................ 1188.6.6. Shaping Objects ................................................................................................ 1188.6.7. Filtering Rules .................................................................................................. 1198.6.8. Filtering Log .................................................................................................... 1198.6.9. Rewrite Log ..................................................................................................... 119


8.6.10. Channel Statistics .... 119
8.6.11. View Menu in LiveView .... 120
8.7. System Diagnostics .... 120
8.7.1. Alert Levels Editor .... 121
8.7.2. Proxying System Diagnostics .... 122
8.8. Statistics .... 122
8.8.1. The Navigation Tab .... 123
8.8.2. Tool Buttons .... 123
8.8.3. Full Screen Mode .... 124
8.8.4. Bar Charts and Percent Bar Charts .... 124
8.8.4.1. Tool Tips .... 124
8.8.4.2. Include <Others> .... 124
8.8.5. Pie Charts .... 124
8.8.5.1. Tool Tips .... 124
8.8.6. Line and Stacked Area Charts .... 124
8.8.6.1. 95th Percentile .... 125
8.8.6.2. Zooming .... 125
8.8.6.3. Peak Data .... 125
8.8.7. Location Field .... 125
8.8.8. Calendar Tool .... 125
8.8.9. Bookmark Manager .... 125
8.8.9.1. Add/Edit Bookmark .... 126
8.8.10. View Menu in Statistics .... 126
8.8.11. Bookmarks Menu .... 128
8.9. Main Toolbar .... 128
8.10. Editors and Managers .... 129
8.10.1. Objects & Rules Editor .... 129
8.10.1.1. Toolbar Buttons .... 130
8.10.1.1.1. XML Import/Export .... 131
8.10.1.2. NetObject Editor .... 131
8.10.1.2.1. Link Speed Editor .... 131
8.10.1.2.2. Attribute Editor .... 131
8.10.1.3. PortObject Editor .... 131
8.10.1.4. ProtocolObject Editor .... 131
8.10.1.5. ServiceObject Editor .... 132
8.10.1.6. TimeObject Editor .... 132
8.10.1.7. VlanObject Editor .... 132
8.10.1.8. PropertyObject Editor .... 132
8.10.1.9. FlagObject Editor .... 132
8.10.1.10. TunnelLevelObject Editor .... 132
8.10.1.11. TunnelTypeObject Editor .... 132
8.10.1.12. MPLSObject Editor .... 133
8.10.1.13. RewriteObject Editor .... 133
8.10.1.14. ShapingObject Editor .... 133
8.10.1.15. StatisticsObject Editor .... 134
8.10.1.15.1. Fields .... 135
8.10.1.15.2. Distribution .... 135
8.10.1.15.3. Limits .... 135
8.10.1.15.4. Aggregation .... 136
8.10.1.16. Filtering Rule Editor .... 137
8.10.1.17. Shaping Rule Editor .... 138
8.10.1.18. Statistics Rule Editor .... 139
8.10.2. User Editor .... 140
8.10.2.1. Database Permissions .... 140
8.10.2.2. LiveView Permissions .... 141
8.10.2.3. Host Access List .... 142

8.10.2.4. Inactivity .... 142
8.10.2.5. Toolbar Buttons .... 142
8.10.3. Host Trigger Editor .... 143
8.10.3.1. Toolbar Buttons .... 144
8.10.4. Connection Protection Trigger Editor .... 144
8.10.5. Backup Manager .... 145
8.10.5.1. Toolbar Buttons .... 145
8.10.6. File Manager .... 145
8.10.6.1. Toolbar Buttons .... 146
8.10.7. Log Viewer .... 146
8.10.7.1. Toolbar Buttons .... 147
8.10.8. Connection Search .... 147
8.10.9. Resource Manager .... 148
8.10.10. Channel Editor .... 148
8.10.11. Log Levels Editor .... 150
8.10.12. System Configuration Editor .... 150
8.10.13. Custom View Editor .... 150
9. CLI Menu .... 153
9.1. Introduction .... 153
9.1.1. Using the CLI .... 153
9.2. Configuration .... 153
9.2.1. Signatures .... 153
9.2.1.1. Update signatures .... 153
9.2.1.2. Virtual Services .... 153
9.2.1.3. Clear string table .... 153
9.2.2. Network Configuration .... 153
9.2.2.1. Show routing and arp table .... 154
9.2.2.2. Admin interface .... 154
9.2.2.2.1. IP configuration .... 154
9.2.2.2.2. Admin Bonding .... 154
9.2.2.2.3. Admin Bonding status .... 154
9.2.2.2.4. Duplex settings .... 154
9.2.2.2.5. Disable Admin .... 154
9.2.2.3. Static routes .... 154
9.2.2.4. Ping IP address .... 154
9.2.2.5. Traceroute IP address .... 154
9.2.2.6. Chassis configuration .... 154
9.2.2.7. SFP status .... 155
9.2.2.8. Connection Sync .... 155
9.2.2.9. Hostname .... 155
9.2.2.10. Link status .... 155
9.2.3. NTP Configuration .... 155
9.2.4. System Administration .... 156
9.2.4.1. Mail .... 156
9.2.4.1.1. Scheduled mail .... 156
9.2.4.1.2. Configure mailhub .... 156
9.2.4.1.3. Single mail .... 156
9.2.4.2. Change Passwords .... 156
9.2.4.2.1. Change pladmin password .... 156
9.2.4.2.2. Change admin password .... 156
9.2.4.2.3. Change PSM administration .... 156
9.2.4.2.4. Change gsmafetch password .... 156
9.2.4.2.5. Change ftpaccess password .... 156
9.2.4.2.6. Change enable password .... 156
9.2.4.2.7. Change console password .... 157
9.2.4.2.8. RADIUS authentication .... 157

9.2.4.2.9. TACACS+ authentication .... 157
9.2.4.3. Reload/Reboot .... 157
9.2.4.3.1. Restart system .... 157
9.2.4.3.2. Reload core services .... 157
9.2.4.3.3. Reboot/Halt .... 157
9.2.4.3.4. Reboot at .... 157
9.2.4.3.5. Reboot chassis components .... 157
9.2.4.3.6. Restart individual services .... 157
9.2.4.4. Disable/Enable snoopers .... 158
9.2.4.5. Information .... 158
9.2.4.5.1. Chassis inventory .... 158
9.2.4.5.2. System information .... 158
9.2.4.5.3. Top .... 158
9.2.4.5.4. Channel statistics .... 158
9.2.4.5.5. PSM .... 158
9.2.4.5.6. Support bundle .... 158
9.2.4.6. RAID health information .... 158
9.2.4.7. Backup .... 158
9.2.4.7.1. Backup PSM .... 158
9.2.4.7.1.1. Scheduled backup .... 158
9.2.4.7.1.2. Select remote host .... 158
9.2.4.7.1.3. Single backup .... 159
9.2.4.7.1.4. Restore PSM backup .... 159
9.2.4.7.2. Backup statistics .... 159
9.2.4.7.2.1. Restore statistics .... 159
9.2.4.7.2.2. Select remote host .... 159
9.2.4.7.2.3. Single backup .... 159
9.2.4.7.2.4. Restore statistics (legacy) .... 159
9.2.4.7.3. Backup connlog .... 159
9.2.4.7.3.1. Scheduled backup .... 159
9.2.4.7.3.2. Select remote host .... 160
9.2.4.7.3.3. Single backup .... 160
9.2.4.7.3.4. Restore connlog .... 160
9.2.4.7.4. Backup logs .... 160
9.2.4.7.4.1. Select remote host .... 160
9.2.4.7.4.2. Single backup .... 160
9.2.4.7.4.3. Scheduled backup .... 160
9.2.4.8. Activate/Deactivate Channel .... 160
9.2.4.9. Logs .... 160
9.2.4.9.1. Syslog .... 160
9.2.4.9.2. Log viewer .... 161
9.2.4.9.3. PLPCAP .... 161
9.2.4.9.3.1. Remote upload .... 161
9.2.4.9.3.2. Size and files .... 161
9.2.4.9.4. PLPCAP-2 .... 161
9.2.4.9.4.1. Remote upload .... 161
9.2.4.9.4.2. Size and files .... 161
9.2.4.10. Timezone .... 161
9.2.4.11. Statistics .... 161
9.2.4.11.1. Max allowed statistics buffers .... 161
9.2.4.11.2. Statistics system without Storage Node .... 161
9.2.4.11.3. IPFIX daemon .... 162
9.2.4.11.4. Max allowed connlog .... 162
9.2.4.12. Manage software raid .... 162
9.2.4.13. SSH Banner .... 162
9.2.4.14. SSHD Port .... 162

9.2.4.15. SSHD ACL .... 162
9.2.4.16. Resource copy .... 162
9.2.4.17. SSH key .... 162
9.2.4.18. PSM .... 162
9.2.4.18.1. Enable/Disable PSM .... 162
9.2.4.18.2. PSM web interface ACL .... 162
9.2.4.18.3. Wipe PSM data .... 163
9.2.4.18.4. PSM state change .... 163
9.2.4.18.5. PSM Extensions .... 163
9.2.4.18.5.1. PSM Trigger .... 163
9.2.4.18.5.1.1. Enable/Disable PSM Trigger .... 163
9.2.4.18.5.1.2. Configure Sources .... 163
9.2.4.18.5.2. CMTS Poller .... 163
9.2.4.18.5.2.1. Enable/Disable CMTS Poller .... 163
9.2.4.18.5.2.2. Configure CMTSes .... 163
9.2.4.19. Remote Hosts .... 163
9.2.4.20. Internal VBS .... 163
9.2.5. License .... 163
9.2.5.1. View license .... 163
9.2.5.2. Download license .... 163
9.2.6. Updates .... 163
9.2.6.1. Update firmware from own server .... 164
9.2.6.2. Update firmware .... 164
9.2.6.3. Update notifications .... 164
9.2.6.4. Proxy .... 164
9.2.7. Customisations .... 164
9.2.7.1. Uninstall Modules .... 164
9.2.7.2. Install or Update Modules .... 164
9.2.7.3. List installed Modules .... 164
10. Common Procedures in PacketLogic .... 165
10.1. Backup and Restore .... 165
10.1.1. Client Backup Versus CLI Backup .... 165
10.1.2. Taking a Backup in the Client .... 165
10.1.3. Taking a Backup in the CLI .... 166
10.1.4. Restoring a Backup in the Client .... 166
10.1.5. Restoring a Backup in the CLI .... 167
10.2. Updating PacketLogic .... 167
10.2.1. PL10000/PL20000 Update Measures .... 168
10.2.2. Updating signatures .... 168
10.2.2.1. About Signature updates .... 168
10.2.2.2. Ways to update the signatures .... 168
10.2.2.3. Signature Update Procedures .... 169
10.3. Enabling Snooping .... 172
10.4. Capturing Traffic .... 176
10.4.1. Capturing Traffic for a Specific Application .... 176
10.4.2. Capturing Unknown Traffic in PacketLogic .... 178
10.5. Configuring BGP Support .... 180
10.6. Password Reset .... 181
10.7. Configuring Aux to be bonded with Admin .... 181
11. Centralized Management .... 183
11.1. Proxy .... 183
11.1.1. Proxy Configuration .... 183
11.1.2. System Overview .... 184
11.2. System Diagnostics .... 184
11.3. Resource Copy .... 185
11.4. Recommended Use .... 186

12. Monitoring PacketLogic .... 187
12.1. Performance Indicators .... 187
12.1.1. Connection .... 187
12.1.2. Connsync .... 188
12.1.3. DRDL .... 189
12.1.4. Dynamic Ruleset .... 190
12.1.5. General .... 191
12.1.6. Load Balancer .... 192
12.1.7. Packet Processing .... 193
12.1.8. PLDB Statwriter .... 194
12.1.9. PLSD .... 194
12.1.10. IPv4 .... 195
12.1.11. TCPv4 .... 195
12.1.12. Ruleset .... 196
12.1.13. Shaping .... 196
12.1.14. Shaping counter .... 197
12.2. Configuring an SNMP Management Station .... 198
12.2.1. Installing the PacketLogic MIB .... 198
12.2.2. Example: Polling a Value Using snmpget .... 198
12.2.3. Example: Polling a Set of Values Using snmpwalk .... 199
12.2.4. Setting up a Trap Server .... 200
12.3. Built-In SNMP Traps .... 201
13. Triggers .... 203
13.1. Introduction .... 203
13.2. Host Triggers .... 203
13.2.1. Host Trigger Types .... 203
13.2.2. The "Exist" Trigger .... 204
13.3. Filtering Triggers .... 204
13.4. System Diagnostics Triggers .... 204
13.5. Connection Protection Triggers .... 204
13.6. Using, Adding and Modifying Triggers .... 204
13.6.1. Example: Using a Trigger .... 204
13.6.2. Example: Modifying an Existing Trigger .... 205
13.7. Trigger Definitions .... 206
13.7.1. Trigger Attributes .... 206
13.7.1.1. Filtering Trigger Attributes .... 207
13.7.1.2. Host Trigger Attributes .... 207
13.7.1.3. Connection Protection Trigger Attributes .... 208
13.7.2. Debugging Triggers .... 208
13.7.3. Trigger Code Skeletons .... 208

13.7.3.1. Filtering Trigger Code Skeleton ............................................................... 20813.7.3.2. Host Trigger Code Skeleton .................................................................... 20813.7.3.3. System Diagnostics Trigger Code Skeleton ................................................ 20913.7.3.4. Connection Protection Trigger Code Skeleton ............................................. 209

A. System Configuration Values .................................................................................................. 211A.1. Introduction ............................................................................................................... 211

A.1.1. Restart Levels .................................................................................................. 211A.2. BGP ......................................................................................................................... 211A.3. Categories ................................................................................................................. 212A.4. Connection Handling ................................................................................................... 212A.5. Connsync .................................................................................................................. 213A.6. DRDL ....................................................................................................................... 213A.7. Debugging ................................................................................................................. 214A.8. Divert ....................................................................................................................... 215A.9. Filtering .................................................................................................................... 215A.10. General ................................................................................................................... 215


A.11. LiveView ... 215
A.12. Low Level Filters ... 216
A.13. Packet Handling ... 217
A.14. Queue Sync ... 220
A.15. Ruleset ... 221
A.16. Shaping ... 222
A.17. Statistics ... 224

B. Keyboard Shortcuts ... 227
B.1. General Shortcuts ... 227
B.2. Main Interface ... 227
B.3. Backup Manager ... 227
B.4. File Manager ... 228
B.5. Log Viewer ... 228
B.6. System Manager ... 228
B.7. Objects & Rules Editor ... 228
B.8. System Configuration Editor ... 229
B.9. User Editor ... 229
B.10. Tech Support ... 229
B.11. Resource Manager ... 229
B.12. Statistics Viewer ... 229
B.13. Bookmark Manager ... 230
B.14. Calendar Tool ... 230
B.15. LiveView ... 231

C. System Diagnostics Values ... 233
C.1. Introduction ... 233
C.2. BGP ... 233
C.3. Connection ... 234
C.4. Connsync ... 235
C.5. Divert ... 237
C.6. Drdl ... 238
C.7. Dynamic Ruleset ... 240
C.8. Ethernet ... 242
C.9. Filtering ... 243
C.10. GRE ... 245
C.11. GTP ... 245
C.12. IPv4 ... 246
C.13. IPv6 ... 247
C.14. Interface ... 249
C.15. Ipfix Exporter ... 249
C.16. L2TP ... 250
C.17. Liveview ... 250
C.18. Load Balancer ... 252
C.19. PPPoE ... 255
C.20. Packet Processing ... 255
C.21. Queue Sync ... 256
C.22. Ruleset ... 257
C.23. Ruleset Compiler ... 260
C.24. Shaping ... 260
C.25. Shaping Counter ... 262
C.26. Statistics ... 262
C.27. Statistics Writer ... 264
C.28. System ... 265
C.29. TCPv4 ... 265
C.30. TCPv6 ... 267
C.31. Teredo ... 269
C.32. Tunnel ... 269


D. The Virtual Service Language ... 271
D.1. Introduction ... 271
D.2. Condition Types ... 272
D.2.1. IP protocol ... 272
D.2.2. Server IP ... 272
D.2.3. Server Port ... 273
D.2.4. Service ... 273
D.2.5. Port Taint ... 274
D.2.6. Property ... 274
D.2.7. Flags ... 275
D.2.8. clientbytes ... 275
D.2.9. serverbytes ... 275
D.2.10. age ... 275
D.2.11. DNS Lookup Address ... 275
D.3. Conflict resolution ... 276
D.3.1. Conflicts ... 276
D.3.2. Explicit yields ... 276
D.3.3. Implicit yields ... 276
D.3.3.1. More specific rules take precedence ... 276
D.3.3.2. Yield by type ... 276
D.3.3.3. Yield by order ... 277
D.4. Style guide ... 277
D.4.1. Matching domain names ... 277
D.4.2. Simplifying syntax ... 277
D.4.3. Avoiding repetition ... 278
D.4.4. Combination ... 278
D.5. Error Messages ... 278

E. Flow Sync protocol ... 281
F. GRE Transport for Monitored Traffic ... 283
G. UDP Transport for Monitored Traffic ... 285
H. Freeradius Configuration Example ... 287
I. Cisco TAC PLUS Configuration Example ... 289
J. Examples of Category Files ... 291
Index ... 295

Chapter 1. About This Manual
Revision: 1.3

This document is intended as a description of and instruction for the PacketLogic product. This document is applicable to release 14.1 of PacketLogic.

Chapter 2. Introduction

This chapter provides a description of the PacketLogic product, its specifications and use.

2.1. About PacketLogic

PacketLogic is a scalable traffic management product for all types of network environments. PacketLogic performs deep packet and flow inspection on Internet Protocol (IP) packets, and classifies their content using Datastream Recognition Definition Language (DRDL) in an efficient and fast packet analysis engine. The result of this analysis is a comprehensive real-time view of the traffic flowing in a network. This includes the applications transmitting and receiving the traffic (known as services in PacketLogic), server and client identification, bandwidth use, and properties specific to services (such as the caller in a Voice over IP (VoIP) call). The list of services identified by DRDL is updated frequently, and a user may also define traffic recognition for proprietary services.

This constitutes the LiveView module, which is the core of PacketLogic. To put this information to use, there are additional modules available, listed below. The modules enabled on a PacketLogic determine the functionality available. For example, if the Traffic Shaping module is not enabled, the functions related to traffic shaping will not be visible in the client or available using the API.

There are also specialized modules to enable certain functions in PacketLogic:

• Filtering: The Filtering module adds the possibility to selectively allow or deny access to packets or divert their packet path, based on their classification. This allows filtering rules with a greater level of detail than port numbers, source IP addresses, and other packet header fields. The Filtering module also enables packet rewriting, which can be used to redirect users, for example to a login web page. For details on the Filtering module, see Chapter 6, Filtering.

• Traffic Shaping: The Traffic Shaping module enables bandwidth management based on the classification from the LiveView module. Traffic Shaping can be performed on the same level of detail as is available to the filtering (host identities, services, time, and many more). Traffic shaping enables both bandwidth limiting and traffic prioritization. For details on the Traffic Shaping module, see Chapter 5, PacketLogic Traffic Shaping.

• Statistics: The Statistics module stores data from the LiveView module over time, enabling analysis of traffic patterns on a network to optimize the traffic (for example, by fine-tuning rules in the Filtering or Traffic Shaping modules). For details on the Statistics module, see Chapter 7, PacketLogic Statistics.

• BGP - enables traffic management based on BGP (AS path) information.

• Volume Based Shaping (VBS) - enables traffic shaping using a sophisticated volume-based shaping algorithm which circumvents the pitfalls of regular volume-based schemes. For information on VBS, see Section 5.5, “Shaping Counters”.

• Connection Logging - enables logging detailed information about connections for analysis.

2.2. Areas of Use

The PacketLogic can be used for any purpose where keeping track of the traffic flowing in a network is useful. The following are examples of such purposes:

• Protecting the network from malicious traffic.

• Limiting the bandwidth for bandwidth-consuming applications.

• Troubleshooting network problems.

• Enforcing network policies.

2.3. User Interfaces

• The Client: The PacketLogic has an intuitive client interface, allowing a low knowledge threshold for enabling effective traffic management in a network. The PacketLogic is powerful enough, however, to allow a more experienced user an almost arbitrary level of detail in the monitoring and management of traffic. For further information on the client, see Chapter 8, The PacketLogic Client Interface.

• The API: For automation of tasks and integration with other network nodes (such as billing systems or customer databases), a comprehensive Application Programming Interface (API) is available as a Python module. For further information on the API, please see http://python.proceranetworks.com.

• The Console: For basic configuration tasks when setting up the PacketLogic, troubleshooting, and certain systems administration tasks, a menu-based console interface is available, either locally on a serial port or remotely using a secure shell (SSH). For a description of the console interface, see Chapter 9, CLI Menu.

• SNMP: PacketLogic supports monitoring through the Simple Network Management Protocol (SNMP). For information on monitoring see Chapter 12, Monitoring PacketLogic.

2.3.1. Integration Capabilities

The PacketLogic supports automated interaction using the PacketLogic Python API. To perform more advanced integration tasks, for example with subscriber authentication services and business systems, a PacketLogic Subscriber Manager (PSM) can be deployed together with one or more PacketLogic systems. For more information on this, see the PSM Product Guide and contact the local PacketLogic sales representative.

2.4. This Manual

This manual can be read back to front or section by section as the need arises. Reading this manual and using the PacketLogic requires only basic knowledge in IP networking, but deeper knowledge in networking will allow a more powerful and flexible use of the PacketLogic features.

This manual focuses on using and configuring an installed and operating PacketLogic. For each hardware platform there is a separate Hardware Guide available, containing specifications and installation details, and a Quick Start, detailing on-site configuration steps.

2.4.1. TECH: Technical Sections

Interspersed with the regular sections are so-called Technical Sections. These aim to dissect and explain PacketLogic in greater detail than what is necessary for normal day-to-day operation of PacketLogic. These sections are intended for those interested, those who need more technical information for advanced system configuration and those performing advanced maintenance and troubleshooting. Technical sections are indicated by the section heading starting with TECH:, like in the heading of this section.

Chapter 3. New Features

3.1. New Since Release 14.0

This section highlights the main changes from release 14.0 of PacketLogic. It is intended primarily for those already familiar with PacketLogic release 14.0 who want to quickly get up to speed on what is new in version 14.1.

3.1.1. Multiple StatisticsObjects in Statistics Rules

A single Statistics rule can now use multiple StatisticsObjects.

Figure 3.1. Multiple StatisticsObjects in a Statistics rule

3.1.2. Statistics Averages Based on Usage Analysis

From 14.1 it is possible to calculate a statistics average for a graph data point using the active five second intervals of the connection. This means that, when activating the Usage analysis option in the StatisticsObject configuration, graph data points will be based on the time the connection was active within a graph interval, instead of the entire default five minute graph interval. See Section 7.1.8, “Averages Based on Usage Analysis” for more information on averages based on usage analysis.

3.1.3. Load Balancing over Multiple Divert Systems

It is now possible to divert in more complex ways. Instead of selecting one physical channel, filtering rules can divert to a divert label. A divert label can consist of one or more divert configurations, each consisting of a channel and a VLAN tag. For divert labels with more than one divert configuration entry, the diverted connections can also be load balanced over the available divert configurations.

For more information, see Section 6.9.3, “Divert Labels”.

3.1.4. Flexible Selection of Monitor Targets

Monitoring with a filtering rule can now use labels for the selection of where to send the monitored traffic. See Section 6.4.3, “Label” for details.

3.1.5. Dynamic LiveView

LiveView allows creating custom views. A custom view in LiveView narrows the set of connections shown in the view, and allows configuring the distribution of it (which defines how the view is navigated).


For more information, see Section 8.6.1, “Custom Views”.

3.1.6. URL Categorization

PacketLogic has added capabilities to categorize URLs efficiently. This allows setting policies based on URL categories for large lists of URLs. For details, see Section 4.2.7, “URL Categorization”.

3.1.7. Improved Host Triggers

Host Triggers now allow triggering on hosts or objects in specific NetObjects, and also to trigger on aggregated values for NetObjects. For details, see Chapter 13, Triggers.

3.1.8. Connection Protection Triggers

A new trigger type, Connection Protection triggers, allows taking custom action on hosts setting off the connection protection.

The connection protection trigger editor is described in Section 8.10.4, “Connection Protection Trigger Editor”. Triggers are explained in Chapter 13, Triggers.

3.1.9. IPv6 support in BGP

BGP functionality in PacketLogic now supports IPv6, both for connecting to a BGP peer and for routes in the table.

PacketLogic still only supports connecting to one BGP peer to retrieve BGP information. To use IPv6 and IPv4 data simultaneously, the connected peer must support both protocols. For details on BGP in PacketLogic see Section 4.2.8, “Border Gateway Protocol (BGP)”.

3.1.10. System information for appliances

System information, which shows inventory and sensor data in the System Overview in the PacketLogic client, is now also available for appliance models. Currently system information is supported on PL7810, PL8720, PL8820, and PL8920.

3.1.11. Rewrite Log for CGN

Source IP rewriting can optionally be logged, and the log searched in the PacketLogic client in LiveView. For details, see Section 8.6.9, “Rewrite Log”.

3.1.12. Flexible Syslogging

The configuration of syslog allows selecting which facilities to write to disk locally on the PacketLogic. This is useful in cases where certain facilities logging extensively can be directed to remote syslog hosts only, reducing the load caused by frequent disk operations. The configuration is made in the CLI (Chapter 9, CLI Menu).


3.1.13. Fair Split Host Fairness in Shaping

PacketLogic shaping includes a new type of host fairness: Fair Split. Fair split shaping will ensure that all hosts or subscribers in a ShapingObject are entitled to a fair share of the available capacity. Should a host not consume all capacity to which it is entitled, that capacity is available to others. For details, see Section 5.6.5.2.2, “Fair Split Host Fairness”.

3.1.14. Other Changes

• Channel statistics are enabled by default (the system configuration value PLS_CHANNELSTATS_ENABLED defaults to True).

• Connection protection now counts only half-open connections towards the threshold.

Note: This may mean that the threshold should be lowered to provide the same level of protection, since it previously took all connections into account.

• Force write now also forces connection log data to be written.

• A user can have an inactivity timeout defined, which logs the client session out after a configurable time of inactivity. See Section 8.10.2.4, “Inactivity”.

Chapter 4. Key Concepts

This section describes the concepts on which operation and configuration of PacketLogic are based. Readers unfamiliar with PacketLogic or traffic management are recommended to read this section before proceeding.

The basic flow of PacketLogic is:

1. Receive a packet

2. Analyze the packet to determine the following:

• Does the packet belong in an existing connection (flow), or does it start a new one?

• Does the connection to which the packet belongs match any rules defined?

3. Enforce all rules to which the packet's connection applies.

4. If the packet has not been dropped or rejected during the enforcement of the rules, forward the packet.

PacketLogic also imposes certain restrictions on the traffic passing through it, some of which are configurable. For details, see Section 4.8, “Network Impact”.

4.1. Terminology

Some components and concepts have many names to them. These are good to be familiar with, since they can be used interchangeably depending on context.

• Connection or flow is a series of packets with a common 5-tuple (see Section 4.4.8, “Connections”).

• Engine is the core software component performing traffic analysis, shaping, filtering and all other measures in the packet path.

• Flow processor or packet processor is a CPU dedicated to processing packets in channel traffic. A flow processor essentially runs the engine and necessary control processes.

• Flow processor module (FP module) is a module (blade) in the PL10000/PL20000 platform series holding flow processors.

• Dynamic item (also referred to as dynamic IP) is a NetObject item inserted dynamically using the PacketLogic Python API. This allows changing NetObjects without resource transactions, allowing a high rate of operations.

• Named dynamic item (also referred to as subscriber) is a "virtual" NetObject, containing dynamic items. This allows using dynamic items in integration schemes in large-scale deployments with a consistent name for a subscriber even though the actual IP address changes.

• Subscriber see named dynamic item above.

• MiB, GiB, TiB (mebibyte, gibibyte, and tebibyte) are the units used for size. These are standards-based binary multiples of bytes. A mebibyte is 1024^2 (or 2^20) bytes, a gibibyte is 1024^3 bytes, and so on.

4.2. Traffic Analysis

PacketLogic analyzes each packet that arrives on its interfaces. However, PacketLogic does not take action based on an isolated packet. Instead, it looks at the connection to which the packet belongs. Most of the selection rules and traffic manipulation in PacketLogic apply to connections, not packets.

This provides great advantages in both identification and management of traffic. For identification purposes, it gives a complete view of an entire connection, which will always be more detailed than single packets. For management purposes, it gives more precise and concise rules. Since PacketLogic keeps track of, for example, which connections connect to the server ftp.domain.com using the service FTP, an administrator needs only know that they want to limit or prioritize such connections, not how they break down into packets. That is taken care of by PacketLogic.

Each connection takes up resources in the form of an entry in the internal connection table. The maximum size of this table is defined by the system configuration value MAX_CONNECTIONS. When that is full, a new connection will be allocated an entry by LRU (least recently used) selection of unestablished connections. Should that also fail, the connection cannot allocate resources to track it. By default, this means packets for the connection are dropped. Setting SHUNT_CONNECTION_FAILURES to True changes this to shunting (direct forwarding), meaning the packets are forwarded directly without analysis or rule application. Shunted traffic is accounted in the system diagnostics values Shunted bytes (connection create failure) and Shunted packets (connection create failure) in the Connection zone (see Appendix C, System Diagnostics Values).
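The allocation policy just described (table full, LRU eviction of an unestablished connection, then drop or shunt), modelled as an added Python example; this is not PacketLogic code, the class and method names are assumptions, and the sample flows are constructed. The counters it keeps mirror the two "(connection create failure)" diagnostics values, which is what an operator polls to notice that traffic is passing without inspection.

```python
"""Model of the connection-table allocation policy described in Section 4.2.

Added example for this guide; it is not PacketLogic code. Class and method
names are assumptions. MAX_CONNECTIONS and SHUNT_CONNECTION_FAILURES are
the system configuration values the guide names. The model shows why a full
table means either dropped packets or shunted (uninspected) traffic, and
which counters reveal it.
"""
from collections import OrderedDict
from typing import List, NamedTuple, Optional


class FiveTuple(NamedTuple):
    """Connection key: the 5-tuple shared by all packets of one flow."""
    proto: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int


class ConnectionTable:
    """Fixed-size table with LRU eviction of unestablished entries."""

    def __init__(self, max_connections: int, shunt_on_failure: bool = False):
        self.max_connections = max_connections      # MAX_CONNECTIONS
        self.shunt_on_failure = shunt_on_failure    # SHUNT_CONNECTION_FAILURES
        # key -> established flag; OrderedDict keeps least recently used first
        self._entries: "OrderedDict[FiveTuple, bool]" = OrderedDict()
        # Counterparts of the "(connection create failure)" diagnostics values
        self.shunted_packets = 0
        self.shunted_bytes = 0
        self.dropped_packets = 0
        self.evicted_unestablished = 0

    def mark_established(self, key: FiveTuple) -> None:
        """Called once the flow is confirmed (e.g. TCP handshake completed)."""
        if key in self._entries:
            self._entries[key] = True

    def handle_packet(self, key: FiveTuple, size: int) -> str:
        """Return "tracked", "shunted" or "dropped" for one packet."""
        if key in self._entries:
            self._entries.move_to_end(key)          # most recently used
            return "tracked"
        if len(self._entries) < self.max_connections:
            self._entries[key] = False              # new, not yet established
            return "tracked"
        # Table full: reclaim the least recently used unestablished entry, if any.
        victim: Optional[FiveTuple] = next(
            (k for k, established in self._entries.items() if not established),
            None)
        if victim is not None:
            del self._entries[victim]
            self.evicted_unestablished += 1
            self._entries[key] = False
            return "tracked"
        # Nothing can be reclaimed: connection create failure.
        if self.shunt_on_failure:
            self.shunted_packets += 1
            self.shunted_bytes += size
            return "shunted"                        # forwarded, not analyzed
        self.dropped_packets += 1
        return "dropped"

    def tracked(self) -> List[FiveTuple]:
        """Keys currently occupying table entries, LRU first."""
        return list(self._entries)


def run_demo(shunt_on_failure: bool) -> dict:
    """Constructed scenario: a two-entry table hit by four new flows."""
    t = ConnectionTable(max_connections=2, shunt_on_failure=shunt_on_failure)
    a = FiveTuple("tcp", "10.0.0.1", 40000, "192.0.2.10", 443)
    b = FiveTuple("tcp", "10.0.0.2", 40001, "192.0.2.10", 443)
    c = FiveTuple("tcp", "10.0.0.3", 40002, "192.0.2.10", 443)
    d = FiveTuple("tcp", "10.0.0.4", 40003, "192.0.2.10", 443)
    results = [t.handle_packet(a, 60), t.handle_packet(b, 60)]
    t.mark_established(b)
    results.append(t.handle_packet(c, 60))    # a is LRU and unestablished: evicted
    t.mark_established(c)
    results.append(t.handle_packet(d, 1500))  # b and c established: create failure
    return {
        "results": results,
        "tracked": t.tracked(),
        "evictions": t.evicted_unestablished,
        "dropped_packets": t.dropped_packets,
        "shunted_packets": t.shunted_packets,
        "shunted_bytes": t.shunted_bytes,
    }


if __name__ == "__main__":
    for shunt in (False, True):
        print("SHUNT_CONNECTION_FAILURES=%s: %s" % (shunt, run_demo(shunt)))
```

With shunting enabled the fourth flow is forwarded untouched and only the shunted counters move, so a rising Shunted bytes (connection create failure) value is the signal that rules are no longer being applied to part of the traffic.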

4.2.1. Tunneling

PacketLogic is capable of stripping tunnel layers to obtain information about the connections contained within a tunnel. PacketLogic is capable of inspecting the following tunnel types:

• Teredo

• L2TPv2

• GRE (including PPTP)

• GTP-U and GTP-C

• Regular tunnels for encapsulating IPv6 traffic inside IPv4 packets (such as 6to4 and 6rd). IPv4 tunneled inside IP is also supported.

For tunneling support, the following system configuration values are relevant: TUNNELING_ACCOUNT_HEADERS, TUNNELING_GRE_SUPPORT, TUNNELING_GTP_C_PORT, TUNNELING_GTP_SUPPORT, TUNNELING_GTP_U_PORT, TUNNELING_L2TP_PORT, TUNNELING_L2TP_SUPPORT, TUNNELING_MAX_LEVEL, TUNNEL_CTXS, IPV6_TEREDO, IPV6_TUNNELING, and IPV4_TUNNELING. For further information, see Appendix A, System Configuration Values.

Using tunneling carries certain implications and limitations:

• ECN cannot be used to replace packet drop in BROWN.

• The connections carried inside tunnels should not be used in traffic shaping, rewriting, injection, or diverting.

• Using reject in a filtering rule on a connection in a tunnel will silently drop packets rather than actively terminate the connection.

• Performing traffic shaping on a tunnel disrupts the inspection of the connections in the tunnel.

• Counters for speed and volume exist for both the encapsulating tunnel and the connections inside an inspected tunnel. This means that when viewing sum values where both tunnels and their encapsulated connections are included, the sums will be misleading as some of the traffic is counted multiple times.

• By default, accounting for traffic in tunnels accounts only the header of the innermost inspected tunnel or connection. Layer 2 headers and headers for tunnels outside the inspected tunnel or connection are disregarded. This behaviour can be changed with the system configuration value TUNNELING_ACCOUNT_HEADERS.

4.2.1.1. Tunnel Levels and Types

PacketLogic makes a distinction between different tunnel levels in passing traffic. This is used both in inspection and rule matching. For inspection, the system configuration value TUNNELING_MAX_LEVEL defines how many levels of tunnels the PacketLogic engine traverses looking for connection information. For rule matching, the TunnelLevelObject (Section 4.7.1.13, “TunnelLevelObjects”) defines at which level a rule shall match.

As shown in Figure 4.1, “Levels of tunneling and tunnel types”, the level defines how "deep" the PacketLogic engine will go. Tunnels and non-tunneled connections at the same level are treated the same way. In the figure, the number in parentheses following the name declares the tunnel level as seen by the PacketLogic engine.

Furthermore, a tunnel type exists for all connections. The tunnel type is defined by the closest parent tunnel in which the connection exists. For example, an HTTP connection in a Teredo tunnel has Teredo as tunnel type. Likewise, if a tunnel exists within another tunnel, the inner tunnel has the outer tunnel as tunnel type (see the example in Figure 4.1, “Levels of tunneling and tunnel types”, where the Teredo tunnel has a tunnel type of GTP, since it is inside a GTP tunnel).

Figure 4.1. Levels of tunneling and tunnel types

Do note that a TunnelLevelObject with a certain level will not affect how many tunnel levels are traversed for inspection purposes, only at which level a certain rule will apply. The system configuration value TUNNELING_MAX_LEVEL, however, limits the number of levels traversed for inspection. Hence, ensure that TUNNELING_MAX_LEVEL is set equal to or higher than any TunnelLevelObject.
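Tunnel levels and tunnel types, as an added example that is not part of this guide or of the PacketLogic software: a minimal decapsulator that walks a tunnel stack and stops after a given number of levels, so the effect of TUNNELING_MAX_LEVEL on what the engine sees can be observed. The tunnel names, the max-level value and the Figure 4.1 arrangement (Teredo inside GTP) are from the guide; everything else is assumed for illustration: the outermost connection is level 0 and each stripped tunnel adds one, a connection's tunnel type is its closest enclosing tunnel, the default UDP ports for GTP-U (2152) and Teredo (3544) are used in place of the TUNNELING_* port values, GRE carries plain IP (the PPP payload of PPTP and L2TP are not parsed), Teredo packets carry no origin or authentication indication, and GTP-U extension headers are absent. The two packets are constructed, not captured.

```python
# Added example (not PacketLogic code): walk a tunnel stack up to max_level.
import socket
import struct

GTP_U_PORT, TEREDO_PORT = 2152, 3544        # assumed defaults


def parse_ip(buf):
    """Return (ip_version, protocol, src, dst, payload) for an IPv4/IPv6 header."""
    version = buf[0] >> 4
    if version == 4:
        ihl = (buf[0] & 0x0F) * 4
        total = struct.unpack("!H", buf[2:4])[0]
        return 4, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:total]
    if version == 6:
        plen, nxt = struct.unpack("!HB", buf[4:7])
        src = socket.inet_ntop(socket.AF_INET6, buf[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, buf[24:40])
        return 6, nxt, src, dst, buf[40:40 + plen]
    raise ValueError("not an IP packet")


def strip_tunnel(proto, payload):
    """If the IP payload is a tunnel this example understands, return
    (tunnel_name, inner_ip_packet); otherwise None."""
    if proto == 4:                                   # IPv4 tunneled inside IP
        return "IP-in-IP", payload
    if proto == 41:                                  # IPv6 in IPv4 (6to4, 6rd)
        return "IPv6-in-IPv4", payload
    if proto == 47:                                  # GRE
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype not in (0x0800, 0x86DD):
            return None                              # e.g. PPP (PPTP): not parsed here
        # optional checksum (C 0x8000), key (K 0x2000), sequence (S 0x1000) words
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        return "GRE", payload[off:]
    if proto == 17:                                  # UDP-based tunnels
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if GTP_U_PORT in (sport, dport):
            flags, msg_type = data[0], data[1]
            if msg_type != 0xFF:                     # only G-PDU carries user traffic
                return None
            return "GTP-U", data[8 + (4 if flags & 0x07 else 0):]
        if TEREDO_PORT in (sport, dport):
            return "Teredo", data                    # UDP payload is the IPv6 packet
    return None


def decapsulate(packet, max_level):
    """Return [(level, description, tunnel_type), ...] outermost first. Tunnels
    deeper than max_level are not stripped, so the last entry is what rules and
    LiveView would see for this packet."""
    layers, level, tunnel_type, buf = [], 0, None, packet
    while True:
        version, proto, src, dst, payload = parse_ip(buf)
        stripped = strip_tunnel(proto, payload) if level < max_level else None
        if stripped is None:
            layers.append((level, "IPv%d proto %d %s -> %s" % (version, proto, src, dst), tunnel_type))
            return layers
        name, inner = stripped
        layers.append((level, "%s tunnel %s -> %s" % (name, src, dst), tunnel_type))
        level, tunnel_type, buf = level + 1, name, inner


# Constructed sample packets (checksums left zero; the parser ignores them).
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def ipv6(nxt, src, dst, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst)) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def gtpu(teid, payload):                             # version 1, PT=1, G-PDU
    return struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload


def sample_gre_ipip():
    """IPv4/GRE -> IPv4 IP-in-IP -> IPv4/TCP: two tunnel levels."""
    inner = ipv4(6, "10.1.1.1", "10.2.2.2", tcp_syn(51000, 80))
    return ipv4(47, "192.0.2.1", "192.0.2.2",
                struct.pack("!HH", 0, 0x0800) + ipv4(4, "172.16.0.1", "172.16.0.2", inner))


def sample_gtp_teredo():
    """IPv4/UDP GTP-U -> IPv4/UDP Teredo -> IPv6/TCP, as in Figure 4.1."""
    v6 = ipv6(6, "2001:db8::1", "2001:db8::2", tcp_syn(51001, 443))
    teredo = ipv4(17, "100.64.0.5", "203.0.113.7", udp(3544, 3544, v6))
    return ipv4(17, "10.10.0.1", "10.10.0.2", udp(2152, 2152, gtpu(0x1234, teredo)))


if __name__ == "__main__":
    for pkt in (sample_gre_ipip(), sample_gtp_teredo()):
        for max_level in (0, 1, 5):
            print("TUNNELING_MAX_LEVEL=%d:" % max_level, decapsulate(pkt, max_level))
```

With max_level 1 the GRE sample stops at the IP-in-IP connection (protocol 4), so a rule written for the TCP connection at level 2 never sees it; that is the mismatch the paragraph above warns about.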

4.2.2. IPv6 Support

PacketLogic supports IPv6 in channel traffic.

Figure 4.2. IPv6 Connection Details

4.2.3. Shunting

PacketLogic is capable of shunting. Shunting in PacketLogic means that packets are not processed by the engine performing traffic analysis and management. Shunted traffic is not visible in LiveView, no rules are applied to it, and it does not appear in statistics. The advantage of shunting is that it reduces the processing load on the PacketLogic.

Shunting can be done due to resource exhaustion (see above), or by selecting traffic for shunting. Traffic can be shunted based on VLAN IDs, ethertypes, IPv4 addresses, layer 4 protocols, MPLS labels, or being Ethernet over MPLS packets. Shunted traffic can also be directed to a monitor interface for channeling to another device or file.

Shunt options are controlled by the following system configuration values:

• SHUNT_DOT1Q contains a comma-separated list of VLAN IDs to shunt. IDs can be entered as single IDs (100) or ranges (100-200). Note that in case a packet has multiple VLAN IDs (Q-in-Q), the system configuration option QINQ_ILEVEL defines which level of VLAN nesting is used to evaluate the filter.

• SHUNT_EOMPLS defines whether Ethernet-over-MPLS (EoMPLS) packets shall be shunted (True/False).

• SHUNT_ETHERTYPES contains a comma-separated list of ethertypes to shunt. Ethertypes can be entered as single values (0x0800) or ranges (0x8100-0x9100). If a packet has multiple ethertypes, the filter will evaluate all of them.

• SHUNT_IPV4 contains a comma-separated list of IPv4 addresses to shunt. IPv4 addresses can be entered as single addresses (192.168.1.15), network addresses (192.168.2.0/24), or ranges of addresses (192.168.3.100-192.168.3.200).

• SHUNT_L4_PROTO contains a comma-separated list of layer 4 protocols to shunt. Protocol numbers can be entered as single values (6) or ranges (17-19).

• SHUNT_MONITOR_IFACE can be used to define a different interface to use for packets monitored by the shunting facility than the default monitor port.

• SHUNT_MPLS contains a comma-separated list of MPLS labels to shunt. Labels can be entered as single labels (100) or ranges (123-130). Note that in case a packet has multiple MPLS labels, the system configuration option MPLS_ILEVEL defines which level of MPLS label nesting is used to evaluate the filter.

For SHUNT_DOT1Q, SHUNT_ETHERTYPES, SHUNT_IPV4, SHUNT_L4_PROTO, and SHUNT_MPLS, the configuration values define items or ranges for each criterion to shunt. Optionally, the items and ranges can be followed by actions to take when the criterion matches.

4.2.3.1. Actions

The following actions are available:

• a accepts the packet and forwards it to the analysis and management engine.

• s shunts the packet.

• d drops the packet.

• m (not applicable on PL10000/PL20000 systems) monitors the packet. The monitoring option can be combined with the other options. By default, monitored packets are sent to the dedicated monitor interface. To use another interface, the system configuration value SHUNT_MONITOR_IFACE can be set to the interface to use.

Actions are defined after the item or range for which the action is to be taken.

If no action is given, shunt is assumed.

The shunt filters are applied in the order that the data appears in the packet. Once a packet is evaluated to an action other than accept by any filter, evaluation for that packet stops and the last action is executed.

Examples:

• SHUNT_IPV4=192.168.1.2 shunts packets with IPv4 address 192.168.1.2.

• SHUNT_IPV4=192.168.2.2-192.168.2.5?dm drops packets with IPv4 address in the range 192.168.2.2-192.168.2.5 and sends them to the monitor interface.

• SHUNT_DOT1Q=4?a,0-4095?s allows packets with VLAN ID 4 into the engine for analysis and management, and shunts everything else with VLAN IDs between 0 and 4095.
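The shunt value syntax and the evaluation order described above, as an added example that is not part of this guide or of the PacketLogic software: a parser for SHUNT_* values (single items, ranges, CIDR networks, hexadecimal ethertypes, and the ?a/?s/?d/?m action suffix with shunt as the default) and an evaluator that applies the filters in packet order and stops at the first non-accept action. The configuration names, the syntax and the ordering rule are from the guide; the Entry structure, the field order list, the treatment of SHUNT_IPV4 as matching either the source or the destination address, and the sample packets are assumptions made for illustration.

```python
# Added example (not PacketLogic code): parse and evaluate SHUNT_* values.
import ipaddress
from dataclasses import dataclass

ACCEPT, SHUNT, DROP = "accept", "shunt", "drop"
ACTION_CODES = {"a": ACCEPT, "s": SHUNT, "d": DROP}
# configuration value -> (packet field, value syntax)
CONFIG_FIELDS = {
    "SHUNT_ETHERTYPES": ("ethertype", "hex"),
    "SHUNT_DOT1Q": ("dot1q", "int"),
    "SHUNT_MPLS": ("mpls", "int"),
    "SHUNT_IPV4": ("ipv4", "ipv4"),
    "SHUNT_L4_PROTO": ("l4_proto", "int"),
}
# assumed order in which the fields appear in a packet, hence filter order
FIELD_ORDER = ["ethertype", "dot1q", "mpls", "ipv4", "l4_proto"]


@dataclass(frozen=True)
class Entry:
    lo: int
    hi: int
    action: str
    monitor: bool


def _bounds(spec, kind):
    """'100', '100-200', '0x8100-0x9100', '192.168.2.0/24' or
    '192.168.3.100-192.168.3.200' -> inclusive integer range."""
    if kind == "ipv4":
        if "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
            return int(net.network_address), int(net.broadcast_address)
        parts = [int(ipaddress.ip_address(p)) for p in spec.split("-")]
    else:
        base = 0 if kind == "hex" else 10          # int(x, 0) understands 0x...
        parts = [int(p, base) for p in spec.split("-")]
    lo, hi = parts[0], parts[-1]
    if len(parts) > 2 or lo > hi:
        raise ValueError("bad range %r" % spec)
    return lo, hi


def parse_filter(value, kind):
    """Parse one SHUNT_* value, e.g. '4?a,0-4095?s', into Entry objects."""
    entries = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        spec, _, codes = item.partition("?")
        action, monitor = SHUNT, False              # no action given: shunt
        for code in codes:
            if code == "m":
                monitor = True                      # combinable with a/s/d
            elif code in ACTION_CODES:
                action = ACTION_CODES[code]
            else:
                raise ValueError("unknown action %r in %r" % (code, item))
        lo, hi = _bounds(spec, kind)
        entries.append(Entry(lo, hi, action, monitor))
    return entries


def compile_config(config):
    """{'SHUNT_DOT1Q': '4?a,0-4095?s', ...} -> {field: [Entry, ...]}"""
    return {CONFIG_FIELDS[key][0]: parse_filter(val, CONFIG_FIELDS[key][1])
            for key, val in config.items()}


def evaluate(filters, packet):
    """packet: {field: value or [values]} with IPv4 addresses as ints. Returns
    (action, monitor). Filters run in packet order; the first non-accept action
    ends evaluation; a packet that matches nothing goes to the engine."""
    action, monitor = ACCEPT, False
    for field in FIELD_ORDER:
        values = packet.get(field)
        if values is None or field not in filters:
            continue
        for value in (values if isinstance(values, (list, tuple)) else [values]):
            for entry in filters[field]:
                if entry.lo <= value <= entry.hi:
                    monitor = monitor or entry.monitor
                    action = entry.action
                    if action != ACCEPT:
                        return action, monitor
                    break                           # first matching item decides
    return action, monitor


def ip(text):
    return int(ipaddress.ip_address(text))


# Constructed configuration built from the guide's examples.
SAMPLE_CONFIG = {
    "SHUNT_DOT1Q": "4?a,0-4095?s",
    "SHUNT_IPV4": "192.168.2.2-192.168.2.5?dm,10.0.0.0/8",
    "SHUNT_ETHERTYPES": "0x8100-0x9100?a",
}

if __name__ == "__main__":
    filters = compile_config(SAMPLE_CONFIG)
    print(evaluate(filters, {"dot1q": 4, "ipv4": [ip("192.168.2.3"), ip("203.0.113.9")]}))
    print(evaluate(filters, {"dot1q": 100, "ipv4": [ip("192.168.2.3"), ip("203.0.113.9")]}))
```

Note the second call: the VLAN filter comes before the IPv4 filter, so a VLAN 100 packet is shunted before the drop-and-monitor entry for 192.168.2.3 is ever consulted.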

4.2.3.2. Port Filtering

In addition to shunting, port numbers for TCP or UDP can be used to drop packets without having them enter the analysis engine. This is configured using the system configuration values TCP_DENY_FILTERS and UDP_DENY_FILTERS.

4.2.4. Packet-Based Information

Some information is extracted from the headers of individual packets, making that information to some extent packet-based rather than connection- or flow-based. To use this information in conjunction with the connection-based analysis and management, the parameters found in packet headers are determined for a connection by the data in the first packet. Should this information change during a connection, the connection data is not updated to reflect this. The packet-based data is, however, kept per direction, so the first packet in each direction sets the values for that direction.

The information that has this behaviour is:

• VLAN ID

• MPLS label

• DSCP

• Channel

• TTL/Hop Limit

4.2.5. TTL/Hop Limit Tracking

PacketLogic can keep track of the Time To Live (TTL, for IPv4) and Hop Limit (IPv6) IP header fields. PacketLogic tracks the TTL/Hop Limit for each packet, and stores the information per host. This allows tracking if a host has many different TTLs/Hop Limits, which can be an indication of tethering in mobile networks. The TTL/Hop Limit data can also be used to set off host triggers.

TTL/Hop Limit tracking is enabled by entering a path in a ServiceObject in the configuration value TTL_TRACKING_SERVICE_OBJECT_PATH. The path entered must exist in a ServiceObject named Categories (this means selecting objects from the preinstalled ServiceObject Procera Networks Categories is easy). For example, to enable TTL/Hop Limit tracking on HTTP, set TTL_TRACKING_SERVICE_OBJECT_PATH to 'Web Browsing/HTTP'. Connections matching any service (including services contained in subobjects) in the ServiceObject will have their TTLs/Hop Limits tracked. This selective tracking is done to preserve resources by only tracking TTL/Hop Limit for relevant connections.

Optionally, hosts can have their TTL tracking cleared when they change NetObjects (such as a provisioning change by PSM). To enable this behaviour, change the system configuration value TTL_TRACKING_CLEAR_ON_DYNCHANGE to True.

4.2.6. Flow Synchronization

Flow synchronization (flow sync) allows the exchange of connection (flow) information between multiple packet processors (referred to as engines). This enables complete connection tracking even when packets for a single connection are processed by different engines (asymmetric traffic). This applies only to TCP connections.

When an engine sees a packet for a connection that it does not have prior information on (and that packet is not the first in a new connection), that engine broadcasts a message asking if any other engine on the flow sync network knows the connection for that packet. If another engine knows the connection, it responds to the broadcasting engine, and both engines then indicate each other as engines to update when packets arrive that belong to that particular connection. The two engines then send updates only to each other (unicast). Only the first request is broadcast. Updates are only sent when there is an update to the connection information in one of the engines, and only the pertinent information is sent, not full packets.

Connections taking part in flow synchronization are marked with the Flowsynced flag (see Section 4.7.1.12, “FlagObjects”).

Flow sync is implemented as a layer 2 protocol. A dedicated physical interface must be available on the PacketLogic units participating in flow sync, and the protocol must be carried directly over Ethernet. Since the protocol is unauthenticated layer 2 traffic, that interface should sit on a dedicated, isolated segment. Using flow sync introduces a slight overhead, estimated at 2-6% of the asymmetric traffic seen. Only two engines can take part in flow sync for any one connection. Flow sync does not handle the case where three or more engines see packets from the same connection.

For flow sync to manage keeping syncing engines up to date, the time for a flow sync message to travel between two engines must be lower than the round trip time for the packets in the connection being synchronized. If a packet arrives on a channel interface before the flow sync update for an earlier packet seen by the other engine, the connection is marked as out of sync and no further synchronization is done.

For an illustration of the flow sync protocol, see Appendix E, Flow Sync protocol.

Flow synchronization is configured in the CLI (see Chapter 9, CLI Menu).

Related system diagnostics values are listed in Section C.4, “Connsync”.

4.2.7. URL Categorization

The engine in PacketLogic sets a URL categorization property for all connections where there is a Server Hostname property set.

Figure 4.3. Connection URL categories

With URL categorization, applying policies per URL category for large lists of URLs becomes feasible. With the URL categorization mechanism, PacketLogic handles lists of hundreds of millions of URL entries.

Note: URL categorization is subject to licensing. For the categorization mechanism to be usable, the PacketLogic system must have a license for it. This is shown as ContentLogic: yes when viewing the license in the CLI (see Chapter 9, CLI Menu). In addition, there is a license for the Internet Content Database, a comprehensive categorization of 45 million URLs sorted into 110 main categories, provided as encrypted URLs.

Categories are shown in the Categories view in LiveView (see Section 8.6.5, “Categories”). Categories can also be used as criteria in rules, using CategoryObjects (see Section 4.7.1.5, “CategoryObjects”), and as a criterion for distribution in Statistics (see Section 7.1.3, “Distribution”).

Categories are kept as files on the PacketLogic. These files can be adapted and extended to customize the URL categorization. The files are located in the URL data files folder in the File Manager of the PacketLogic client when connected to a PacketLogic system. For examples of file contents, see Appendix J, Examples of Category Files.

• categories.version contains a single number, which is the version of the currently available categories.

• categories.json contains a JSON formatted set of categories. The category set has data fields for what version it represents, and a sequence number indicating where a subsequent file starts. Each category has an ID number, a name, and optionally a description of the category.

• url-delta-<X>.txt are the URL lists. The first line contains four metadata items: a hexadecimal identifier, a file type (0 for SHA1 hashed URLs, 1 for encrypted URLs), a start revision and an end revision.

Subsequent lines are URL categorizations. The first part is (for file type 0, which means SHA1 hashed URLs without encryption) the domain hashed using SHA1. The second part is the categorization, represented as a hexadecimal value encoding the categories as follows:

Bits:      62..54   53..45   44..36   35..27   26..18   17..09   08..00
Category:  ID 6     ID 5     ID 4     ID 3     ID 2     ID 1     ID 0

Each of ID 0 through ID 6 is a 9-bit value in the range 1..511, and the unused slots after the last category are zero. For instance, to encode the two category IDs 5 and 9, the value is 5 + 9 * 512, which is 4613 in decimal and 1205 in hexadecimal.

4.2.7.1. Limitations

• A URL can exist in a maximum of seven categories.

• There can be a maximum of 511 categories.
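The url-delta file layout and the 9-bit category packing above, as an added example that is not part of this guide or of the PacketLogic software: an encoder and decoder for the packed categorization value, a reader for a file type 0 list, and a builder used to construct a sample file. The line layout, the bit packing, the worked value 0x1205 and the two limits (seven categories per URL, IDs up to 511) are from the guide; assumptions made here are that fields are whitespace separated, that the domain hash is the lowercase hexadecimal SHA1 of the lowercase host name, and that revisions are decimal integers. The sample file is constructed.

```python
# Added example (not PacketLogic code): url-delta-<X>.txt, file type 0.
import hashlib

MAX_CATEGORIES_PER_URL = 7
MAX_CATEGORY_ID = 511                       # 9 bits per slot; 0 marks an unused slot
FILE_TYPE_SHA1, FILE_TYPE_ENCRYPTED = 0, 1


def encode_categories(ids):
    """[5, 9] -> 0x1205 (5 + 9 * 512): ID 0 in bits 08..00, ID 1 in 17..09, ..."""
    if not 1 <= len(ids) <= MAX_CATEGORIES_PER_URL:
        raise ValueError("a URL can be in 1..%d categories" % MAX_CATEGORIES_PER_URL)
    value = 0
    for slot, cid in enumerate(ids):
        if not 1 <= cid <= MAX_CATEGORY_ID:
            raise ValueError("category ID out of range: %r" % cid)
        value |= cid << (9 * slot)
    return value


def decode_categories(value):
    """Inverse of encode_categories; stops at the first zero slot."""
    ids = []
    for slot in range(MAX_CATEGORIES_PER_URL):
        cid = (value >> (9 * slot)) & 0x1FF
        if cid == 0:
            break
        ids.append(cid)
    return ids


def domain_key(domain):
    """Assumed canonicalisation: lowercase host name, lowercase hex SHA1."""
    return hashlib.sha1(domain.strip().lower().encode("ascii")).hexdigest()


def parse_url_delta(text):
    """Return {'id', 'type', 'start', 'end', 'entries': {sha1hex: [ids]}}."""
    lines = [line for line in text.splitlines() if line.strip()]
    ident, ftype, start, end = lines[0].split()
    ftype = int(ftype)
    if ftype != FILE_TYPE_SHA1:
        raise NotImplementedError("file type %d (encrypted URLs) is not readable here" % ftype)
    entries = {}
    for line in lines[1:]:
        key, cats = line.split()
        entries[key] = decode_categories(int(cats, 16))
    return {"id": ident, "type": ftype, "start": int(start), "end": int(end), "entries": entries}


def lookup(delta, domain):
    """Categories for a domain, or [] if the list does not contain it."""
    return delta["entries"].get(domain_key(domain), [])


def make_url_delta(ident, start, end, mapping):
    """Build a type-0 file from {domain: [ids]} (used to construct sample data)."""
    lines = ["%s %d %d %d" % (ident, FILE_TYPE_SHA1, start, end)]
    for domain, ids in mapping.items():
        lines.append("%s %x" % (domain_key(domain), encode_categories(ids)))
    return "\n".join(lines) + "\n"


SAMPLE_DELTA = make_url_delta("1a2b3c", 10, 11, {
    "example.com": [5, 9],                  # the guide's worked value, 0x1205
    "example.org": [12],
    "example.net": [1, 2, 3, 4, 5, 6, 7],   # the maximum of seven categories
})

if __name__ == "__main__":
    delta = parse_url_delta(SAMPLE_DELTA)
    print(SAMPLE_DELTA)
    print(lookup(delta, "example.com"), lookup(delta, "EXAMPLE.NET"), lookup(delta, "unlisted.test"))
```

Both limits in Section 4.2.7.1 fall directly out of the encoding: seven 9-bit slots fit in 63 bits, and an ID of 512 would overflow its slot into the next one, which is why encode_categories rejects it.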

4.2.8. Border Gateway Protocol (BGP)

AS path information is a BGP attribute that is delivered with the prefix announcements of a BGP speaker (a router that uses the BGP protocol as the IP-prefix distribution mechanism on the routing control plane).

This attribute is a well-known mandatory attribute that enumerates the autonomous systems (ASes) through which the routing update for an IP prefix has passed.

PacketLogic is capable of associating an IP address with an AS path. For each connection, the AS path for both the local host (internal AS path) and the remote host (external AS path) are stored. The AS paths can be viewed in the connection details for a connection in LiveView in the client, statistics can be distributed based on AS path, and rules can be applied based on AS path information. PacketLogic sets up a BGP connection towards an eBGP peer to receive the BGP table and routing updates. From that information, PacketLogic builds a BGP tree from which the AS paths for IP addresses can be obtained. Note that PacketLogic does not announce any prefixes. PacketLogic is completely passive as an eBGP peer and only uses the connection to obtain the BGP table and routing updates.

This feature can be used, for example, to differentiate between off-net traffic (originating outside the local AS) and on-net traffic (originating inside the local AS). Note that when there are multiple upstream eBGP peers (that is, traffic can exit the local AS on one of multiple links), the AS path can vary accordingly.

The figure below illustrates an example of how PacketLogic determines the AS path. Note that while PacketLogic does in fact reside in its own AS from the perspective of the BGP server, the AS paths of the connections do not include the private AS of PacketLogic. This is because the packets pass PacketLogic transparently, and the private AS number (AS X in the figure) is only used for the connection to the BGP server.

Figure 4.4. AS paths for a connection

The connection in this example is initiated by a host on the internal network, which hence becomes the client of the connection. The server resides on an external network, in this example several hops away. The following items are highlighted in the figure:

1. The AS path to the client is empty, since it resides on the same AS as the eBGP peer PacketLogic is connected to.

2. The AS path to the server in this example is A, B, C, D. A is not possible to match with an ASPathObject condition in a rule since that is the AS of the eBGP peer configured as neighbour to PacketLogic.

3. An eBGP peer is configured as a neighbour of the PacketLogic to provide a BGP table. PacketLogic is configured with its own private AS number (AS X) which is different from AS A, in order to enable eBGP (as opposed to iBGP, where they are in the same AS).

For instructions on configuring BGP, see Section 10.5, “Configuring BGP Support”. Note that the PacketLogic is completely passive as an eBGP peer, and does not take any action towards the configured eBGP peer. The connection is only used to retrieve the BGP table.

The received AS paths can be truncated using the system configuration value BGP_PATH_CUTOFF (see Appendix A, System Configuration Values). The value specifies how many AS numbers are kept, counting from the eBGP peer configured on the PacketLogic. By default, the paths are not truncated. Truncating them can be useful to preserve system resources (CPU and memory) in systems that are heavily loaded, or that see complex BGP paths from their eBGP peer. Note that if BGP paths are truncated, using Origin in an ASPathObject is unlikely to work, since the origin AS is the one farthest from the eBGP peer and is therefore the first to be cut off.

4.2.8.1. Position Representation in AS Paths

When configuring rules with AS path elements as conditions, the following choices are available:

• Origin matches the AS number of the AS in which the host resides (do not confuse this with the BGP attribute ORIGIN).

• Any matches any item in the AS path.

• 2-10 matches the exact position in the AS path.

Examples:

Based on Figure 4.4, “AS paths for a connection” above, the following conditions would match:

• BGPObject with Origin = D

• BGPObject with 4 = D

• BGPObject with 2 = B
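The position matching above and the BGP_PATH_CUTOFF caveat, as an added example that is not part of this guide or of the PacketLogic software: a matcher for Origin, Any and positional conditions run against the Figure 4.4 path A, B, C, D, and a truncation that shows why Origin stops matching once the path is cut. The position names, the figure's path, the note that the peer AS A cannot be matched, and the empty internal path for an on-net host are from the guide; the functions, the documentation-range AS numbers standing in for A..D, and the treatment of Any as skipping the peer AS are assumptions.

```python
# Added example (not PacketLogic code): ASPathObject-style matching.
A, B, C, D = 64500, 64501, 64502, 64503      # documentation AS numbers standing in for A..D
FIGURE_SERVER_PATH = [A, B, C, D]            # external AS path, eBGP peer first
FIGURE_CLIENT_PATH = []                      # on-net host: same AS as the peer


def truncate_path(path, bgp_path_cutoff=None):
    """Apply BGP_PATH_CUTOFF: keep that many AS numbers counting from the
    eBGP peer. None (the default) keeps the whole path."""
    return list(path) if bgp_path_cutoff is None else list(path[:bgp_path_cutoff])


def match_as_path(path, position, asn):
    """position is 'Origin', 'Any' or an integer 2..10 (position 1 is the
    peer itself, which the guide says cannot be matched)."""
    if position == "Origin":
        return bool(path) and path[-1] == asn       # the AS the host resides in
    if position == "Any":
        return asn in path[1:]                      # assumption: peer AS excluded
    if isinstance(position, int) and 2 <= position <= 10:
        return len(path) >= position and path[position - 1] == asn
    raise ValueError("position must be 'Origin', 'Any' or 2..10, got %r" % (position,))


def is_on_net(path):
    """An empty path means the host is in the peer's own AS (on-net traffic)."""
    return len(path) == 0


def classify_connection(internal_path, external_path):
    """Label a connection the way a rule set might, using both stored paths."""
    return {
        "client_on_net": is_on_net(internal_path),
        "server_on_net": is_on_net(external_path),
        "transit_via_B": match_as_path(external_path, 2, B),
        "origin_D": match_as_path(external_path, "Origin", D),
    }


if __name__ == "__main__":
    print(classify_connection(FIGURE_CLIENT_PATH, FIGURE_SERVER_PATH))
    cut = truncate_path(FIGURE_SERVER_PATH, 2)
    print("BGP_PATH_CUTOFF=2 path:", cut, "Origin = D matches:", match_as_path(cut, "Origin", D))
```

With BGP_PATH_CUTOFF set to 2 the stored path is A, B, so the Origin = D condition from the examples above no longer matches while 2 = B still does.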

4.2.8.2. BGP Communities

BGP communities are additional identifiers that a BGP router attaches to its announcements, conventionally written as its AS number followed by a value. The meaning of this identifier is up to the announcer to define. PacketLogic stores BGP communities for connections, displays them in connection details in LiveView, and allows matching them in rule conditions using BGPObjects.

4.2.8.3. IPv6 support in BGP

BGP functionality in PacketLogic supports IPv6, both for connecting to a BGP peer and for routes in the table.

PacketLogic only supports connecting to one BGP peer to retrieve BGP information. To use IPv6 and IPv4 data simultaneously, the connected peer must support both protocols.

PacketLogic supports RFC 4760, Multiprotocol Extensions for BGP-4. RFC 4760 support is implemented with MP_REACH (the multiprotocol reachability attribute) with AFI 1 (IPv4) or 2 (IPv6) and SAFI 1 (unicast). PacketLogic BGP also supports the AS4 capability (32-bit AS numbers).

4.2.9. Quality Measurement Algorithm

PacketLogic analyzes the perceived quality of TCP connections. The values presented for quality are calculated as a percentage, dividing the number of drops or retransmissions by the number of packets seen. This is shown in connection details, and can also be stored as statistical data.

The quality monitoring is done separately for each direction and each channel interface:

• Inbound internal are packets transmitted on the internal channel interface, destined for a host on the internal side.

• Outbound internal are packets received on the internal channel interface, destined for a host on the external side.

• Inbound external are packets received on the external channel interface, destined for a host on the internal side.

• Outbound external are packets transmitted on the external channel interface, destined for a host on the external side.

Figure 4.5. Quality monitoring separated

For the outbound internal and inbound external values, drops are noticed by gaps in the TCP sequences.

For the inbound internal and outbound external values, drops are noticed by seeing retransmissions indicating a transmitted packet did not reach the destination. However, if a retransmission is detected for a packet for which PacketLogic has seen an ACK packet in the reverse direction, the drop is instead accounted on the reverse direction, since it can then be concluded that it was the ACK packet that was lost on the way to the recipient.

Example: A retransmission seen on the inbound internal direction in a TCP connection for which an ACK packet has been seen on the outbound external direction is accounted as a drop on the outbound external direction, since it is the ACK packet that was lost. If no ACK packet has been seen, the drop is accounted on the inbound internal direction, since the packet itself has not reached the host on the internal side.
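The drop accounting rules above, as an added example that is not part of this guide or of the PacketLogic software: a tracker that applies the sequence-gap rule to the received-on directions and the retransmission/ACK-seen rule to the transmitted-on directions, run over three constructed TCP exchanges (a gap before PacketLogic, a lost ACK, and lost data). The four direction names and the three rules are from the guide; the tracker, its simplifications (one drop per gap, no reordering or SACK handling, relative sequence numbers) and the sample packets are assumptions made for illustration. The connection is client (internal host) to server (external host), and every packet is observed twice, once on the interface it is received on and once on the interface it is transmitted on.

```python
# Added example (not PacketLogic code): per-direction TCP drop accounting.
RX_DIR = {"c2s": "outbound internal", "s2c": "inbound external"}   # received on
TX_DIR = {"c2s": "outbound external", "s2c": "inbound internal"}   # transmitted on
REVERSE = {"c2s": "s2c", "s2c": "c2s"}
DIRECTIONS = list(RX_DIR.values()) + list(TX_DIR.values())


class TcpQuality:
    def __init__(self):
        self.packets = {d: 0 for d in DIRECTIONS}
        self.drops = {d: 0 for d in DIRECTIONS}
        self.next_seq = {"c2s": None, "s2c": None}   # next expected sequence number
        self.highest_ack = {"c2s": 0, "s2c": 0}      # highest ACK number seen in that flow

    def observe(self, flow, seq, length, ack=0):
        """Account one packet of `flow` ('c2s' or 's2c') with its seq, payload
        length and ACK number."""
        rx, tx = RX_DIR[flow], TX_DIR[flow]
        self.packets[rx] += 1
        self.packets[tx] += 1
        expected = self.next_seq[flow]
        if expected is None or seq == expected:
            self.next_seq[flow] = seq + length               # in order
        elif seq > expected:
            # Gap: the bytes before `seq` never reached PacketLogic, so they
            # were lost before the interface they would have been received on.
            self.drops[rx] += 1
            self.next_seq[flow] = seq + length
        elif length > 0:
            # Retransmission of data PacketLogic already forwarded.
            if self.highest_ack[REVERSE[flow]] >= seq + length:
                # The receiver acknowledged it, so it was the ACK that got
                # lost: account on the reverse flow's transmitted-on side.
                self.drops[TX_DIR[REVERSE[flow]]] += 1
            else:
                # Never acknowledged: the data was lost after PacketLogic.
                self.drops[tx] += 1
        if ack:
            self.highest_ack[flow] = max(self.highest_ack[flow], ack)

    def quality(self):
        """Drops as a percentage of packets per direction, as in connection details."""
        return {d: (100.0 * self.drops[d] / self.packets[d] if self.packets[d] else 0.0)
                for d in DIRECTIONS}


def run_scenario(events):
    """events: list of (flow, seq, length, ack). Returns the tracker."""
    q = TcpQuality()
    for flow, seq, length, ack in events:
        q.observe(flow, seq, length, ack)
    return q


# Constructed scenarios with relative sequence numbers.
GAP_BEFORE_PL = [("s2c", 1, 100, 1), ("s2c", 201, 100, 1)]              # bytes 101..200 never seen
ACK_LOST = [("s2c", 1, 100, 1), ("c2s", 1, 0, 101), ("s2c", 1, 100, 1)]   # the guide's example
DATA_LOST = [("s2c", 1, 100, 1), ("s2c", 1, 100, 1)]                      # no ACK ever seen

if __name__ == "__main__":
    for name, events in (("gap", GAP_BEFORE_PL), ("ACK lost", ACK_LOST), ("data lost", DATA_LOST)):
        print(name, run_scenario(events).drops)
```

The ACK_LOST scenario reproduces the paragraph's example: the retransmission arrives on inbound internal, but because the client's ACK was seen on outbound external the drop lands on outbound external.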

4.3. Carrier Grade Network Address Translation (NAT)

The CGN feature allows rewriting the layer 3 header of packets based on ruleset selection. PacketLogic keeps the original and the rewritten header stored, along with data on the current NAT mappings used.

4.3.1. Limitations and Requirements

• In the current iteration, PacketLogic CGN does not manage asymmetric traffic, since the rewritten header information is not included in flow sync.

• There need to be layer 3 routing devices on both sides (internal and external) of the PacketLogic for CGN to function properly.

• Each external IP address to which the source IP address is rewritten represents a locking resource. A high ratio of connections rewritten to the same source IP can cause a high CPU load and an increasing number of connections waiting to be created. If a high CPU load is observed when source IP rewrite is enabled, reduce the ratio by, for example, distributing the connections over a larger number of IP addresses to rewrite the source IP to.

4.3.2. Configuration

Two system configuration parameters are relevant for the CGN feature:

• REDIRECT_HDR_DIVISOR (in the Connection Handling category) controls the ratio of connections allowed to be rewritten. The value is the divisor of the ratio, meaning that the default setting of 50 allows 1/50 (or 2%) of connections to be rewritten. For deployments where load is no major concern it can be set to 1 to allow all connections to be rewritten.

• SNMP_LOG_REWRITES determines if rewritten headers are sent to the SNMP agent for monitoring.

4.3.3. Operation

CGN is run as a filtering rule with action Rewrite, using a RewriteObject which rewrites the source IP address.

Figure 4.6, “RewriteObject with Source IP Rewrite” and Figure 4.7, “Rewrite Rule using the RewriteObject” below show a RewriteObject and an associated Filtering rule using it to accomplish a source IP rewrite.

Figure 4.6. RewriteObject with Source IP Rewrite

Figure 4.7. Rewrite Rule using the RewriteObject

4.4. TECH: Software Components

The PacketLogic operates as a set of software components communicating with each other. The components can reside in one physical unit or be distributed over several, depending on requirements and hardware platform.

4.4.1. Load Balancer (PL10000/PL20000)

The load balancer in a PL10000/PL20000 system is dedicated to distributing the traffic on one channel over the available flow processor threads. The distribution is based on the 5-tuple of the connection to which the packet belongs.

4.4.1.1. Buckets

To distribute packets to flow processor threads, the load balancer uses a set of buckets. The load balancing algorithm decides which bucket a packet belongs to. The load balancer maintains a table indicating which thread a certain bucket shall be directed to. This is done to facilitate rebalancing and blacklisting, actions that can be taken to prevent overloading a flow processing thread.

4.4.1.2. Load Balancer Blacklisting (PL10000/PL20000)

The load balancer in PL10000/PL20000 has an added option to blacklist traffic running through flow processing CPUs. This is useful to reduce the consequences of an attack. When a thread on a processor suffers from the effects of an attack, the first step is to rebalance the traffic to reduce the load on the most loaded thread. If, after rebalancing, a thread still suffers from RX drops (an indication of heavy load), the load balancer can decide to blacklist the bucket (see Section 4.4.1.1, “Buckets”) causing the drops. Blacklisting shunts the traffic by default, but it can also drop the traffic (configuration option). Note that a bucket holds every connection hashing to it, so shunting lets the legitimate connections in that bucket through without analysis or rules, while dropping cuts them off for the duration. A blacklisted bucket is removed from the blacklist after a configurable timeout.

Blacklisting in the load balancer is configured with the system configuration values LB_BLACKLIST_ENABLED, LB_BLACKLIST_TIMEOUT, and LB_DROP_BLACKLISTED in the Packet Handling category in System Configuration (see Appendix A, System Configuration Values).
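The bucket table, rebalancing and blacklisting described above, as an added example that is not part of this guide or of the PacketLogic software: a model in which a direction-independent hash of the 5-tuple selects a bucket, a table maps buckets to threads, a thread reporting RX drops first has its dominant bucket moved to the idlest thread, and a repeated report for the same bucket blacklists it for a timeout, after which its packets are shunted or dropped. LB_BLACKLIST_ENABLED, LB_BLACKLIST_TIMEOUT and LB_DROP_BLACKLISTED are the guide's configuration names; the hash function, the bucket count, the rebalance heuristic, the way RX drops are reported by the caller and the sample attack tuple are assumptions made for illustration.

```python
# Added example (not PacketLogic code): bucket table with rebalance and blacklist.
import hashlib
import struct


class LoadBalancer:
    def __init__(self, threads, buckets=256, blacklist_enabled=True,
                 blacklist_timeout=60.0, drop_blacklisted=False):
        self.threads = threads
        self.blacklist_enabled = blacklist_enabled      # LB_BLACKLIST_ENABLED
        self.blacklist_timeout = blacklist_timeout      # LB_BLACKLIST_TIMEOUT
        self.drop_blacklisted = drop_blacklisted        # LB_DROP_BLACKLISTED
        self.bucket_thread = [b % threads for b in range(buckets)]   # bucket -> thread
        self.bucket_load = [0] * buckets                # packets seen per bucket
        self.load = [0] * threads                       # packets seen per thread
        self.blacklist = {}                             # bucket -> expiry time
        self.moved = set()                              # buckets rebalanced once already

    def bucket_of(self, five_tuple):
        """Direction-independent hash so both halves of a connection share a bucket."""
        src, sport, dst, dport, proto = five_tuple
        a, b = sorted([(src, sport), (dst, dport)])
        key = ("%s:%d|%s:%d|%d" % (a + b + (proto,))).encode()
        return struct.unpack("!I", hashlib.sha1(key).digest()[:4])[0] % len(self.bucket_thread)

    def dispatch(self, five_tuple, now=0.0):
        """Return ('thread', n), ('shunt', bucket) or ('drop', bucket)."""
        bucket = self.bucket_of(five_tuple)
        expiry = self.blacklist.get(bucket)
        if expiry is not None:
            if now < expiry:
                return ("drop" if self.drop_blacklisted else "shunt"), bucket
            del self.blacklist[bucket]                  # timeout elapsed: back in service
        thread = self.bucket_thread[bucket]
        self.bucket_load[bucket] += 1
        self.load[thread] += 1
        return "thread", thread

    def _busiest_bucket(self, thread):
        mine = [b for b, t in enumerate(self.bucket_thread) if t == thread and self.bucket_load[b]]
        return max(mine, key=self.bucket_load.__getitem__) if mine else None

    def _move(self, bucket, target):
        source = self.bucket_thread[bucket]
        self.bucket_thread[bucket] = target
        self.load[source] -= self.bucket_load[bucket]
        self.load[target] += self.bucket_load[bucket]

    def rx_drops(self, thread, now=0.0):
        """A flow-processing thread reports RX drops. The bucket dominating it is
        moved to the idlest thread first; if that same bucket still causes drops
        where it landed, it is blacklisted for blacklist_timeout seconds."""
        bucket = self._busiest_bucket(thread)
        if bucket is None:
            return "ignored", None
        if bucket not in self.moved:
            self.moved.add(bucket)
            self._move(bucket, min(range(self.threads), key=self.load.__getitem__))
            return "rebalanced", bucket
        if not self.blacklist_enabled:
            return "ignored", bucket
        self.blacklist[bucket] = now + self.blacklist_timeout
        self.moved.discard(bucket)
        return "blacklisted", bucket


if __name__ == "__main__":
    lb = LoadBalancer(threads=4, blacklist_timeout=30.0)
    attack = ("203.0.113.5", 4444, "198.51.100.1", 80, 6)     # constructed flood source
    for _ in range(1000):
        lb.dispatch(attack)
    bucket = lb.bucket_of(attack)
    print(lb.rx_drops(lb.bucket_thread[bucket]))               # rebalanced
    print(lb.rx_drops(lb.bucket_thread[bucket], now=10.0))     # blacklisted
    print(lb.dispatch(attack, now=11.0), lb.dispatch(attack, now=41.0))
```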

4.4.2. Engine

The engine is the packet processing core of PacketLogic. The engine receives each individual packet, determines which connection it belongs to, sends it to DRDL to determine the service of the connection, sets the flow behaviour flags of the connection, and applies the rule set to the connection. Applying the rule set can mean enqueueing, dropping, rejecting, forwarding, rewriting, and combinations of the above.

The engine is typically a processor. In some systems, the engine runs along with control applications in one single processor; in other systems there are several processors running only the engine.

The engine reports connection information to a control application called PLD (see Section 4.4.4, “PLD”).

4.4.2.1. Engine in the PL10000/PL20000

The PL10000/PL20000 is a modularized (bladed) hardware platform architecture. In this architecture, there is a type of module dedicated to packet processing. Each such module has two physical processors. These processors have eight cores, each capable of running four individual processing threads. One core is reserved for controlling the processor, which leaves seven cores of four threads each. In all, that means that there are 28 instances of the engine running on each processor.

4.4.2.2. Reaper in the PL10000/PL20000

In a PL10000/PL20000 platform, each flow processor has what is called a Reaper. This is a process which collects information from the engine processes and communicates with PLD. This can be seen in the system diagnostics zones where the values are per engine (such as the Packet Processing zone), where the engine threads are sorted under each associated reaper.

4.4.2.3. Datastream Recognition Definition Language (DRDL)

DRDL is a payload analyzer (analyzing the layer 4 payload, which essentially contains the layer 7 data), called by the network stack in PacketLogic. DRDL looks at every byte of each connection until the connection is matched to a signature and classified (or classified as Unknown). Once a connection has been classified, the network stack can stop calling DRDL to analyze data for that connection. DRDL works regardless of the underlying protocol, although it seldom makes sense to run it on anything other than TCP and UDP.

DRDL uses a signature database, which is compiled by a DRDL compiler into binary form. This binary module is then loaded into the network stack, where the DRDL glue uses it to analyze packets.

For mapping protocols such as FTP, RTSP, and IRC, DRDL recognizes child connections. This means that when the FTP-data connection is established, it is classified as FTP-data without needing further analysis.

DRDL establishes what protocol the connection uses, and also extracts layer 7 information and stores this in properties. Examples of properties are HTTP URIs, usernames, filenames, directories, channels, and MIME types. The number and type of properties available varies with the service.

The CPU usage of DRDL is independent of the number of protocols in the signature database. The extra load that DRDL puts on the system very much depends on the type of traffic, especially the number of new sessions per second, and the type of protocols used. In general, the more packets DRDL needs to look at to determine the service, the higher the load is.

DRDL depends on seeing complete and ordered connections. The network stack in the PacketLogic engine provides this.

Related system diagnostics values are listed in Section C.6, “Drdl”.

4.4.2.3.1. Asymmetric Traffic

DRDL relies on seeing both directions of a connection to achieve accurate traffic matching. For environments where traffic flows asymmetrically (that is, the packets in one direction of a connection may take a different network path than the packets in the opposite direction), it is highly recommended to deploy a PacketLogic system in all these network paths and interconnect them with flow sync. This reduces the impact of asymmetric traffic drastically. For UDP, flow sync is available only for select signatures, since UDP lacks the sequencing that the generic TCP flow sync relies on.

4.4.2.4. Virtual Services

Virtual services allow defining services based on a number of criteria, and giving them a custom name. This allows defining services that will appear in the services view in LiveView and in statistics (when services are used in the StatisticsObject distribution).

A virtual service can use any combination of the following selection criteria:

• Service

• Properties

• Server IP address

• Server Port

• IP protocol

• Flags (currently only RandomLooking and TextLike)

• Connection age

• Bytes transferred - Client / Server

Virtual services are written as text files using a specific syntax and uploaded to the PacketLogic in the PacketLogic client file manager (Section 8.10.6, “File Manager”). There is a folder in the file manager dedicated to virtual service definitions. Once uploaded, the definitions must be compiled and loaded in the CLI (Chapter 9, CLI Menu).

For a description of how virtual service definitions are written, see Appendix D, The Virtual Service Language.

4.4.2.5. Port Tainting

DRDL keeps track of the ports used on servers in connections in a port tainting data structure. It is possible to set virtual services on connections based on the ports being tainted. The identification is based on the triple server IP address, server port, and IP protocol.

For details on using port tainting in virtual services, see Section D.2.5, “Port Taint”.

The data structure used to store the port tainting triples is preallocated in size, as defined by the system configuration value DRDL_TAINT_STORE_SIZE (see Appendix A, System Configuration Values). As the usage of the data structure increases, the probability of false positives also increases. The usage of the data structure is accounted in the system diagnostics value Port tainting datastructure usage in the DRDL zone (see Appendix C, System Diagnostics Values).

4.4.3. PLRCD

PLRCD is the component responsible for the following tasks:

• Loading the Application Recognition Module (ARM) with the compiled set of signatures for DRDL to use.

• Retrieval of configuration elements from database daemon

• Ruleset compilation

• Counters in ShapingObjects

• Dynamic items management

• Queue synchronization

4.4.4. PLD

The PLD is the software component that communicates with the engine, and provides client components (such as the PacketLogic client or the API) with real-time data from the PacketLogic (such as the traffic information seen in LiveView in the PacketLogic client).

The PLD is responsible for the following tasks:

• Communication with all engines in the PacketLogic. Messages are exchanged using TCP.

• Communication with the clients (management client, statistics daemon, python api)

• Firewall log storage

• Firewall log queries

• BGP table management (PLD then provides PLRCD with the AS paths for the prefixes in the table for ruleset use)

4.4.4.1. Hosts

PLD holds a data structure for hosts. This is the PacketLogic view of hosts. The host data structure contains information on which NetObjects the host belongs to and which connections that host has.

Normally, an entry in the hosts data structure is created the first time the host has an established connection (a connection that has had packets in both directions). This behaviour can be altered to create an entry on unestablished connections as well, by setting the system configuration value HOST_ADD_UNESTABLISHED to True (see Appendix A, System Configuration Values).

Note: Creating hosts for unestablished connections has resource implications. An attacker (or a simple address scan) can generate a large number of unestablished connections towards hosts that do not physically exist, since no reply is needed for the entry to be created, and this can exhaust the hosts data structure. It is therefore recommended to keep the default behaviour of only adding hosts for established connections unless it is strictly necessary to change it.

Should the hosts data structure become exhausted (the size is defined by the system configuration value HOST_NUM_HOSTS), subsequent hosts are not added. This means that the mapping to NetObjects and connections cannot be created for those subsequent hosts. This affects the reporting that relates to NetObjects in LiveView and Statistics. Hosts that cannot be allocated in the hosts data structure will not be shown in the correct NetObject(s) in the Local Hosts view in LiveView, nor will their traffic be added to the total for the NetObject(s). Likewise for Statistics, the traffic for the host will not be accounted on the correct NetObject.

Traffic management relates to connections without any dependency on the hosts data structure in PLD, so traffic management is not affected. Nor is LiveView and Statistics reporting based on criteria other than NetObjects (for example Services).

As soon as a host no longer has any connections, it is removed from the hosts data structure. The size of the data structure (defined by the system configuration value HOST_NUM_HOSTS) can therefore be set to the number of expected concurrent hosts on the internal side of the PacketLogic.

4.4.5. PacketLogic Database Daemon

The PacketLogic Database daemon handles the following tasks:

• Communication with the different clients.

• Communication with and management of the local database holding the ruleset and configuration.

• Communication with remote database servers (Proxy)

• Session and resource management (transaction based)

• Data queries (retrieval and modification)

• System Diagnostics

4.4.5.1. Database Daemon in a Statistics System

In a unit dedicated to statistics storage, the database daemon has additional tasks. For details, see Section 7.5.2, “Statistical Data Flow”.

4.4.5.2. Resources

Resources are kept in the resource table of the database daemon, and the current list can be seen in the Resource Manager in the PacketLogic client (see Section 8.10.9, “Resource Manager”). Each resource defines a subset of the PacketLogic System configuration. Some examples are the User Resource, the Channel Resource and the Ruleset Resource. Each resource defines a set of data (database tables or filesystem data) and a set of commands to retrieve or manipulate this data.

When a resource is database bound, a session attached to a resource will always be in a database transaction. There is also an implicit lock on each resource that is taken when the session sends the first manipulative command for the resource.

Resource commands are divided into read-only commands and write commands, and each user has a separate read privilege and write privilege for each resource. The resources are:

• Aggregation governs writing aggregated statistics to a statistics system (see Section 7.1.6, “Aggregation and Linking”).

• Backups governs creating and restoring database backups.

• Channel Management governs handling the channel interfaces.

• CommitLog governs the CommitLog, which keeps track of changes made to the configuration.

• Connection Log governs connection logging.

• Dynamic Ruleset governs the handling of dynamic items (subscribers).

• File Server governs the content found in the File Manager.

• Host Triggers governs the management of host triggers.

• Logs governs the management of log files.

• Resource governs the configuration of resources.

• Rules & Object Configuration governs the management of objects and rules (the ruleset).

• StatReader governs the function reading statistical data from disk.

• StatWriter governs the function writing statistical data to disk.

• StatWriter Backup governs the function writing statistical data to disk on a secondary statistics system.

• System Configuration governs the system configuration database.

• System Diagnostics governs the handling of counters and alert levels in System Diagnostics.

• System Overview governs the function to show system information in the System Overview (see Section 8.5, “System Overview”).

• User Management governs the user database (see Section 8.10.2, “User Editor”).

4.4.5.2.1. Proxied resources

A resource might be proxied to another database daemon. If this is the case, the local database daemon will keep a handle connected to the remote database daemon server, and translate/rewrite commands bound to a local session to a remote session. When the user creates a session on the local database daemon and attaches it to a proxied resource, the local database daemon will create a corresponding session to the remote database daemon. All of this is transparent to the user.

This functionality is used to keep the same ruleset (or other resource) on several PacketLogic systems. For instructions on using this feature, see Chapter 11, Centralized Management.

4.4.5.2.2. Locking resources

Any number of sessions can be attached to the same resource without interfering, as long as they are only sending reading commands. When a user issues a writing command to a resource, the resource will be locked for writing until the user sends a "Commit" message. This will trigger the database transaction to commit, and unlock the resource for writing again.

A session cannot write to a resource locked by a different session.

4.4.5.3. External Authentication Sources

By default, PacketLogic authenticates users using the database daemon and the user database normally defined in the PacketLogic client (see Section 8.10.2, “User Editor”). It is also possible to make an external authentication query towards a RADIUS or TACACS+ server. Several authentication servers can be configured. When there are multiple authentication servers, they are tried in sequence until a response is received, and that first response determines the outcome of the external authentication. If no authentication server responds (or if the authentication results in access denied), PacketLogic falls back by default to authenticating with the internal user database. Note that with this default, a user who is denied by the external server can still log in if a matching local account exists, so an external denial is not authoritative. The fallback to local authentication can be disabled in the configuration.

Note: For SSH login, local fallback on external authentication failure is always used. Disabling local fallback in the configuration does not disable local fallback for SSH login.

For client and API logins, permissions for the authenticated users can be defined by configuring a local user and then configuring the authentication server to provide the applicable local user name in the authentication response. The authenticated user will then get permissions equivalent to the local user given in the authentication response. For an example of configuring a Freeradius server to provide a local user using RADIUS, see Appendix H, Freeradius Configuration Example. For an example of configuring a Cisco TAC PLUS server to provide a local user using TACACS+, see Appendix I, Cisco TAC PLUS Configuration Example. These configurations are examples. Configuring the authentication server is not included in the PacketLogic external authentication; it is the responsibility of the administrator of the authentication server.

For information on the CLI options for configuring external authentication, see Chapter 9, CLI Menu.
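The authentication decision described above (servers tried in order, first response decides, local fallback on no response or denial, fallback always in effect for SSH, local profile named in the accept response), written out as an added Python model. This is illustrative code, not PacketLogic's implementation or API: the server callables, the user names and passwords, and the "noc" profile are constructed for the example, and the unsalted SHA-256 store stands in for whatever the internal user database really uses.

```python
"""Model of the external-authentication decision in 4.4.5.3 (added example, not PacketLogic code)."""
import hashlib
import hmac
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server down or timed out


# An external server takes (user, password) and returns a reply plus, on accept, the local
# user name carried in the response (None if the server does not supply one).
ExternalServer = Callable[[str, str], Tuple[Reply, Optional[str]]]


def password_hash(password: str) -> str:
    # Unsalted for brevity; a real store would use a password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def authenticate(user: str, password: str, servers: List[ExternalServer],
                 local_users: Dict[str, str], local_fallback: bool = True,
                 login: str = "client") -> Tuple[bool, Optional[str], str]:
    """Return (granted, local profile whose permissions apply, reason).

    Servers are tried in order; the first one that responds decides the external result.
    On no response or a denial the internal user database is consulted if local_fallback is
    set; for SSH logins the fallback is always in effect, whatever the configuration says."""
    if login == "ssh":
        local_fallback = True
    external_reply = Reply.NO_RESPONSE
    for server in servers:
        reply, mapped_user = server(user, password)
        if reply is Reply.NO_RESPONSE:
            continue                      # try the next configured server
        external_reply = reply
        if reply is Reply.ACCEPT:
            return True, mapped_user, "external-accept"
        break                             # first response decides
    if not local_fallback:
        reason = "external-denied" if external_reply is Reply.REJECT else "no-external-response"
        return False, None, reason
    stored = local_users.get(user)
    if stored is not None and hmac.compare_digest(stored, password_hash(password)):
        return True, user, "local-fallback"
    return False, None, "local-denied"


# Constructed servers and users for the demonstration.
def radius_down(user: str, password: str):
    return Reply.NO_RESPONSE, None


def radius(user: str, password: str):
    if (user, password) == ("bob", "b0b-pass"):
        return Reply.ACCEPT, "noc"        # response names the local profile to apply
    return Reply.REJECT, None


LOCAL_USERS = {"alice": password_hash("al1ce-local"), "noc": password_hash("unused")}


def demo():
    servers = [radius_down, radius]
    return {
        "bob": authenticate("bob", "b0b-pass", servers, LOCAL_USERS),
        # alice is denied by RADIUS but still gets in through the default local fallback.
        "alice_default": authenticate("alice", "al1ce-local", servers, LOCAL_USERS),
        "alice_no_fallback": authenticate("alice", "al1ce-local", servers, LOCAL_USERS,
                                          local_fallback=False),
        # ...except over SSH, where disabling the fallback has no effect.
        "alice_ssh": authenticate("alice", "al1ce-local", servers, LOCAL_USERS,
                                  local_fallback=False, login="ssh"),
        "all_down_no_fallback": authenticate("bob", "b0b-pass", [radius_down], LOCAL_USERS,
                                             local_fallback=False),
        "wrong_local_password": authenticate("alice", "guess", servers, LOCAL_USERS),
    }
```

The "alice_default" and "alice_ssh" cases are the ones to keep in mind when an external server is expected to be the single point of account revocation: a local account for the same user name keeps working until it is removed from the internal user database as well.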

4.4.6. Statistics Daemon

The PacketLogic Statistics Daemon receives connection information from PLD for all traffic defined in Statistics rules. The statistics daemon creates data sets of values, formed based on the StatisticsObject used in the Statistics rule. These data sets are sent to the database daemon on the statistics system.

For more information on statistics, see Chapter 7, PacketLogic Statistics.

4.4.7. Internal Communication

Communication uses PacketLogic Messages, a simple binary protocol that can be used for both request/response and data message streaming.

Between user-land applications, communication uses the proprietary FLICKA library (Fast Lightweight Crypto and Key-exchange Abstraction). FLICKA negotiates an encrypted TCP session in which RSA is used to exchange the symmetric session key, and RC4 is used to encrypt the session data. Note that RC4 has well-known keystream biases and is no longer considered a secure stream cipher (RFC 7465 prohibits it in TLS), so this transport should not be relied on as the only protection for management traffic that crosses untrusted networks.

4.4.8. Connections

PacketLogic defines a connection as a flow of packets between two hosts, using a protocol. The connection is identified by its 5-tuple consisting of client IP address, client port, IP protocol, server IP address, and server port.

4.4.9. Local, Remote, Incoming, and Outgoing

PacketLogic has an "inside" and an "outside". PacketLogic is connected to the surrounding network with one internal and one external interface per channel. The network connected to the internal interface is considered local, and the network connected to the external interface is considered remote.

Along the same lines, traffic is considered "incoming" or "outgoing". Traffic coming from the local network (arriving on the internal interface) destined for the remote network is outgoing, and traffic coming from the remote network (arriving on the external interface) destined for the local network is incoming.

4.4.10. Client/Server versus Source/Destination

Most rule sets use the concept of source and destination instead of client and server. PacketLogic uses the client/server concept because of the state-keeping properties of the PacketLogic network stack. The client is the host transmitting the first packet of the connection; in the returning packet from the server, the client is still the same host, so a single rule covers both directions of the connection. This makes the client/server concept more intuitive and minimizes the number of rules needed.
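The client/server 5-tuple of Sections 4.4.8 and 4.4.10, together with the hosts data structure semantics of Section 4.4.4.1 (a host appears when its first connection is established, HOST_ADD_UNESTABLISHED, exhaustion at HOST_NUM_HOSTS, removal when the last connection closes), as an added Python model. This is illustrative code, not PacketLogic's implementation or API: the class names, the is_local predicate and the packet sequences are constructed for the example, and the table size is kept tiny so that the exhaustion case is visible.

```python
"""Model of PacketLogic-style connection and host tracking (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# 5-tuple in client/server orientation: the client is whoever sent the first packet seen.
FiveTuple = Tuple[str, int, str, str, int]   # (client_ip, client_port, proto, server_ip, server_port)


@dataclass
class Connection:
    key: FiveTuple
    established: bool = False   # packets seen in both directions
    untracked: bool = False     # TCP connection whose first seen packet was not a SYN
    packets: int = 0


@dataclass
class Host:
    ip: str
    connections: Set[FiveTuple] = field(default_factory=set)


class ConnectionTracker:
    def __init__(self, is_local: Callable[[str], bool], host_num_hosts: int = 4,
                 host_add_unestablished: bool = False):
        self.is_local = is_local
        self.host_num_hosts = host_num_hosts                  # stands in for HOST_NUM_HOSTS
        self.host_add_unestablished = host_add_unestablished  # stands in for HOST_ADD_UNESTABLISHED
        self.conns: Dict[FiveTuple, Connection] = {}
        self.hosts: Dict[str, Host] = {}
        self.hosts_dropped = 0   # local hosts that could not be allocated (table full)

    def _lookup(self, src, sport, proto, dst, dport):
        """Find the connection a packet belongs to, in either direction."""
        fwd = (src, sport, proto, dst, dport)
        if fwd in self.conns:
            return self.conns[fwd], "c2s"
        rev = (dst, dport, proto, src, sport)
        if rev in self.conns:
            return self.conns[rev], "s2c"
        return None, None

    def _add_host(self, conn: Connection) -> None:
        for ip in (conn.key[0], conn.key[3]):
            if not self.is_local(ip):
                continue
            host = self.hosts.get(ip)
            if host is None:
                if len(self.hosts) >= self.host_num_hosts:
                    self.hosts_dropped += 1   # the connection itself is still tracked
                    continue
                host = self.hosts[ip] = Host(ip)
            host.connections.add(conn.key)

    def packet(self, src, sport, proto, dst, dport, syn=False) -> Connection:
        conn, direction = self._lookup(src, sport, proto, dst, dport)
        if conn is None:
            # First packet of a new flow: its sender becomes the client of the 5-tuple.
            conn = Connection(key=(src, sport, proto, dst, dport),
                              untracked=(proto == "tcp" and not syn))
            self.conns[conn.key] = conn
            direction = "c2s"
            if self.host_add_unestablished:
                self._add_host(conn)
        conn.packets += 1
        if direction == "s2c" and not conn.established:
            conn.established = True
            if not self.host_add_unestablished:
                self._add_host(conn)   # default: the host appears only now
        return conn

    def close(self, key: FiveTuple) -> None:
        self.conns.pop(key)
        for ip in (key[0], key[3]):
            host = self.hosts.get(ip)
            if host is not None:
                host.connections.discard(key)
                if not host.connections:
                    del self.hosts[ip]   # a host lives only as long as it has connections


def demo():
    def is_local(ip: str) -> bool:
        return ip.startswith("10.0.0.")   # constructed internal network

    out = {}
    # 1. Default: the local host is allocated only once the connection is established.
    t = ConnectionTracker(is_local, host_num_hosts=2)
    c = t.packet("10.0.0.1", 40000, "tcp", "93.184.216.34", 443, syn=True)
    out["host_before_reply"] = "10.0.0.1" in t.hosts
    t.packet("93.184.216.34", 443, "tcp", "10.0.0.1", 40000)   # reply maps onto the same 5-tuple
    out["host_after_reply"] = "10.0.0.1" in t.hosts
    out["established"] = c.established
    out["same_connection"] = len(t.conns) == 1
    t.close(c.key)
    out["hosts_after_close"] = len(t.hosts)
    # 2. A mid-stream TCP packet with no SYN seen is tracked but flagged Untracked.
    out["untracked"] = t.packet("10.0.0.1", 40001, "tcp", "93.184.216.34", 443).untracked
    # 3. HOST_ADD_UNESTABLISHED=True while an outside scanner probes non-existent local addresses.
    flood = ConnectionTracker(is_local, host_num_hosts=2, host_add_unestablished=True)
    for last in (2, 3, 4):
        flood.packet("198.51.100.9", 50000 + last, "tcp", f"10.0.0.{last}", 22, syn=True)
    flood.packet("10.0.0.1", 40002, "tcp", "93.184.216.34", 443, syn=True)   # a real host
    flood.packet("93.184.216.34", 443, "tcp", "10.0.0.1", 40002)
    out["flood_hosts"] = sorted(flood.hosts)
    out["flood_dropped"] = flood.hosts_dropped
    out["flood_connections"] = len(flood.conns)
    out["real_host_missing"] = "10.0.0.1" not in flood.hosts
    return out
```

In the third scenario the scanner's unanswered SYNs fill the two host slots, the real host 10.0.0.1 cannot be allocated even though its connection is established, and all four connections are still tracked: exactly the split between NetObject accounting and traffic management that Section 4.4.4.1 describes.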

4.5. Traffic Identification

PacketLogic identifies traffic to a great level of detail. Connections can be matched on the following criteria:

Host and network IP addresses: These criteria are defined in NetObjects, as individual IP addresses, address ranges, or entire IP subnets (for details, see Section 4.7.1.1, “NetObjects”).

Layer 4 port numbers: These criteria are defined in PortObjects, as individual port numbers or ranges of ports, for example port 21 or ports 6081-6089 (for details, see Section 4.7.1.2, “PortObjects”).

Network protocols: These criteria are defined in ProtocolObjects, by protocol name (such as TCP or UDP) or protocol number for proprietary protocols (for details, see Section 4.7.1.3, “ProtocolObjects”).

Services generating the traffic: These criteria are defined in ServiceObjects, as lists of service names from the services that PacketLogic identifies. Services are defined as distinct connection signatures recognized by DRDL and can be specific to, for example, applications or protocols (for details, see Section 4.7.1.4, “ServiceObjects”).

URL category: These criteria are defined in CategoryObjects, as lists of URL categories from the set of categories recognized by PacketLogic (for details, see Section 4.7.1.5, “CategoryObjects”).

Time and date: These criteria are defined in TimeObjects, as time intervals which can be made recurring (for details, see Section 4.7.1.6, “TimeObjects”).

The ID number of the VLAN in which the connection flows: These criteria are defined in VLANObjects, as individual VLAN ID numbers or ranges of VLAN ID numbers (for details, see Section 4.7.1.8, “VlanObjects”).

Diffserv Codepoint (DSCP): These criteria are defined in DSCPObjects, as individual DSCP numbers or ranges of DSCP numbers (for details, see Section 4.7.1.9, “DSCPObjects”).

Channel: These criteria are defined in ChannelObjects, as individual channels (for details, see Section 4.7.1.10, “ChannelObjects”).

Properties of the connection (such as file size, server version, user name; which properties are available depends on the application): These criteria are defined in PropertyObjects, as property names and matching strings, optionally with wildcards (for details, see Section 4.7.1.11, “PropertyObjects”).

Flow behavior, which defines characteristics such as timing, packet size and distribution: These criteria are defined in FlagObjects, as transfer behavior (XFB) flags to match as set or not set (for details, see Section 4.7.1.12, “FlagObjects”).

The level of tunneling in which to match traffic: These criteria are defined in TunnelLevelObjects, as a number of tunnel levels to strip before looking at the actual connection information (for details, see Section 4.7.1.13, “TunnelLevelObjects”).

The type of tunnel to look into: These criteria are defined in TunnelTypeObjects, as any of a set of supported tunnel types (for details, see Section 4.7.1.14, “TunnelTypeObjects”).

Multiprotocol Label Switching (MPLS) labels: These criteria are defined in MPLSObjects, as individual MPLS labels or ranges of labels (for details, see Section 4.7.1.15, “MPLSObjects”).

Other PacketLogic systems: This is an object type identifying other PacketLogic systems, defined by their machine ID (for details, see Section 4.7.1.16, “SystemObjects”).

The AS path (BGP routing): These criteria are defined in BGPObjects, as AS numbers, optionally specifying where in the path the number shall occur to match (for details, see Section 4.7.1.7, “BGPObjects”).

4.6. Traffic Management

Traffic can be managed in the following ways:

Bandwidth limiting and traffic prioritization (traffic shaping): This management is defined in ShapingObjects, which are attached to Shaping Rules.

Packet filtering and rewriting: This management is defined in RewriteObjects and Filtering Rules.

Statistics: How statistics are kept is defined in StatisticsObjects, which are attached to Statistics Rules.

4.7. Objects and Rules

As can be seen, PacketLogic relies on the concept of objects and rules to configure traffic management in an intuitive way. Objects are created to categorize the traffic on the network into different categories that are to receive different service levels (such as groups of hosts that are to have limited bandwidth, services that are to be prioritized, and so on). The objects consist of items which form the object. For example, a ServiceObject can consist of multiple services (items), and a NetObject can consist of a range of IP addresses (an item) except a specified subrange (another item in the same object).

Each object has a name identifier.

Note: Object names shall not exceed 64 characters in length.

Then objects and rules are created to implement the service levels. When this is done, all that is required is to use the appropriate traffic categorization objects as entry criteria to the appropriate rules, and PacketLogic will enforce the ruleset on the traffic instantaneously.

4.7.1. Object Types for Traffic Identification

Each object consists of a list of subobjects and items.

4.7.1.1. NetObjects

NetObjects group different network entities into named objects for hosts with different addresses or IP network classes.

These NetObjects can be used in rules as Client, Server, Host, or Local NetObjects, which makes maintenance of the rules much easier. If a NetObject is modified, it will affect all rules that use this NetObject.

An item can be of three different types: Address, Range or Network. Each item can be either "Include" or "Exclude". An address is simply an IP address. A range is a set of IP addresses specified with a starting IP address and an ending IP address. A network is a prefix and a netmask. The network can also be written as a prefix length, which will be translated into a netmask; that is, 24 will be translated into 255.255.255.0.

A NetObject is considered to match an address if at least one of the items set as "Include" matches or any of the subobjects matches, and none of the "Exclude" items match. An "Exclude" item thus takes precedence over both "Include" items and subobjects.

A NetObject can contain exclude items on the same object or on parent objects. It is recommended to only use exclude items in the same object for ease of use.

This setup makes it easy to build NetObjects that match the entire network, except some particular hosts.

When used in rules, a NetObject can be used in four different ways: as Client, Server, Host, or Local NetObject.

The Client NetObject criterion - To match this criterion the client IP address in the connection must be matched by the NetObject.

The Server NetObject criterion - To match this criterion the server IP address in the connection must be matched by the NetObject.

The Host NetObject criterion - To match this criterion either the server or the client IP address in the connection must be matched by the NetObject.

The Local NetObject criterion - To match this criterion the internal IP of the connection must be matched by the NetObject. The internal IP is the destination IP of an inbound packet and the source IP of an outbound packet.

Note: Due to the implementation of the Host NetObject criterion, do not use "Host NetObject not equals" a NetObject. Because the Host criterion matches when either the client or the server address matches, its negation is expanded per endpoint, and such a rule matches all traffic. To leave a set of hosts out of a rule, use an Exclude item in the NetObject instead.
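The include/exclude/subobject rule, the four ways a NetObject is used in a rule, and the "Host NetObject not equals" pitfall, as an added Python model (not code from the product or the manual). The Item and NetObject classes, the per-endpoint expansion of the negation, and the addresses are assumptions constructed to illustrate the behaviour described above.

```python
"""Model of NetObject matching and the Client/Server/Host/Local criteria (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union

Address = ipaddress.IPv4Address


@dataclass
class Item:
    kind: str             # "address", "range" or "network"
    spec: str             # "10.0.0.5", "10.0.0.10-10.0.0.20", "10.0.0.0/24" or "10.0.0.0/255.255.255.0"
    include: bool = True  # False makes this an "Exclude" item

    def matches(self, ip: Address) -> bool:
        if self.kind == "address":
            return ip == Address(self.spec)
        if self.kind == "range":
            lo, hi = (Address(p.strip()) for p in self.spec.split("-"))
            return lo <= ip <= hi
        if self.kind == "network":
            # ip_network accepts both a prefix length and a dotted netmask
            return ip in ipaddress.ip_network(self.spec, strict=False)
        raise ValueError(f"unknown item kind {self.kind!r}")


@dataclass
class NetObject:
    name: str
    items: List[Item] = field(default_factory=list)
    subobjects: List["NetObject"] = field(default_factory=list)

    def matches(self, ip: Union[str, Address]) -> bool:
        ip = Address(ip) if isinstance(ip, str) else ip
        # Exclude items win, whether the address came from this object's own items or a subobject.
        if any(i.matches(ip) for i in self.items if not i.include):
            return False
        return (any(i.matches(ip) for i in self.items if i.include)
                or any(sub.matches(ip) for sub in self.subobjects))


# The four ways a NetObject is used in a rule. A connection is (client_ip, server_ip); the
# local IP is whichever endpoint sits on the internal side and is passed separately here.
def client_criterion(obj: NetObject, client_ip: str, server_ip: str) -> bool:
    return obj.matches(client_ip)


def server_criterion(obj: NetObject, client_ip: str, server_ip: str) -> bool:
    return obj.matches(server_ip)


def host_criterion(obj: NetObject, client_ip: str, server_ip: str) -> bool:
    return obj.matches(client_ip) or obj.matches(server_ip)


def local_criterion(obj: NetObject, local_ip: str) -> bool:
    return obj.matches(local_ip)


def host_not_equals_as_expanded(obj: NetObject, client_ip: str, server_ip: str) -> bool:
    """Assumed per-endpoint expansion of "Host NetObject not equals": true as soon as either
    endpoint is outside the object, which is why the manual warns against it."""
    return (not obj.matches(client_ip)) or (not obj.matches(server_ip))


def demo():
    campus = NetObject("Campus", items=[
        Item("network", "10.0.0.0/16"),
        Item("network", "10.0.5.0/255.255.255.0", include=False),   # guest subnet carved out
        Item("address", "10.0.9.9", include=False),                  # one exempt host
    ], subobjects=[NetObject("Labs", items=[Item("range", "10.1.0.10-10.1.0.20"),
                                            Item("address", "10.0.5.50")])])
    internet = "93.184.216.34"
    return {
        "in_campus": campus.matches("10.0.1.1"),
        "excluded_subnet": campus.matches("10.0.5.7"),
        "excluded_host": campus.matches("10.0.9.9"),
        "via_subobject": campus.matches("10.1.0.15"),
        "parent_exclude_overrides_subobject": campus.matches("10.0.5.50"),
        "outside": campus.matches("10.1.0.30"),
        "host_criterion": host_criterion(campus, "10.0.1.1", internet),
        # The warned-against negation matches an ordinary campus-to-Internet connection...
        "host_not_equals_campus_to_internet": host_not_equals_as_expanded(campus, "10.0.1.1", internet),
        # ...and only fails when both endpoints are inside the object.
        "host_not_equals_campus_to_campus": host_not_equals_as_expanded(campus, "10.0.1.1", "10.0.2.2"),
        # An Exclude item is the supported way to say "everyone except this host".
        "exclude_instead": local_criterion(campus, "10.0.9.9"),
    }
```

Since nearly every connection crossing the PacketLogic has one endpoint outside any given NetObject, the expanded negation is true for nearly all of them; the exclude-item form gives the intended "all except these" semantics without that trap.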

4.7.1.1.1. Dynamic Objects and Items

Regular NetObjects and their contained items are defined statically, and changing them requires acquiring a lock on the resource, changing it, and committing the change for writing. For large-scale deployments, an excessive rate of these transactions can cause problems. For these purposes, there is a special type of NetObjects and items, referred to as Dynamic.

4.7.1.1.2. Attributes

A NetObject can have a number of attributes defined. An attribute is a generic key-value pair, where certain key-value pairs are used for PacketLogic functionality. For example, link speed attributes, subscriber definitions, and limits for volume-based shaping can be defined here, as well as attributes defining whether the object shall be handled in any special way when displayed in the client.

4.7.1.2. PortObjects

A PortObject is similar to a NetObject, but it is used to group a list of ports or port ranges into a named object.

Each PortObject consists of a list of subobjects and items. Each item can be one of two types, either a single port or a port range. Each item can be set to be included or excluded from the object.

TCP and UDP connections use the notion of client and server ports. The client port is the source port in the first packet sent by the client. The server port is the destination port in the first packet sent by the client.

4.7.1.3. ProtocolObjects

A ProtocolObject is used to group a list of protocols, for example TCP, UDP and ICMP.

4.7.1.4. ServiceObjects

A service is the PacketLogic representation of the type of traffic carried in a connection.

The concept of services is very important and frequently used. In many cases the same rule should apply to several services. This is where the ServiceObject is of great use. A ServiceObject groups a list of services together. Each ServiceObject consists of a list of items, where each item is a service.

A list of supported services and protocols can be found in the signature documentation available in the File Manager of the PacketLogic client when connected to a PacketLogic system.

Additionally there are services that are not signatures:

Asymmetric: Traffic where PacketLogic determines that it only sees one direction of the traffic.

Not Analyzed: Traffic that DRDL does not process.

Being Analyzed: Matches all traffic that has not yet had enough packet information to determine which service it is.

Note: PacketLogic can only detect what service a connection uses after the first data packet has been sent. The connection is classified as Being Analyzed until enough data is gathered to determine the service.

Unknown: Matches all traffic which, after enough packet information, still cannot be matched to a known service.

Untracked: Matches all traffic where PacketLogic has not seen the initiation of the connection.

No signatures loaded: This service is set on all connections when the engine has not yet loaded a signature set. This is temporary, and as soon as the signatures are loaded, the full signature set is used. However, all connections that have already had the service set to No signatures loaded stay that way, since DRDL does not reevaluate connections retroactively. As these connections close or time out, they gradually disappear altogether.

Incompatible string table: This service is set when the services set by the engine do not correlate to the string table (essentially the list of service names) in PLD. This can for example occur when a PL10000/PL20000 is upgraded, updating the string table in PLD on the SM module, but without rebooting the FPs, causing them to set services according to the previous string table.

4.7.1.5. CategoryObjects

PacketLogic categorizes all connections where the Server Hostname service property is present into a URL category. CategoryObjects contain a list of such categories.

An item in a CategoryObject is one such category. An item can either be included or excluded.

4.7.1.6. TimeObjects

PacketLogic uses the notion of TimeObjects to keep different sets of rules for different times of day and days of the week. TimeObjects contain a list of time descriptors, which define time ranges either recurring weekly or between two dates.

An item in a TimeObject is a defined time interval, entered as a time and day of the week (recurring every week) or a date range (with a starting time and date and a finishing time and date). An item in a TimeObject can be set to be included in or excluded from an object.

If a TimeObject is selected for a rule, the rule will only match if the current time matches the TimeObject.

Note: A filtering rule that accepts a connection at a given time may reject the same connection when evaluated at a later time, in which case the connection is terminated. This means that established connections can suddenly be terminated when a TimeObject boundary is crossed, for example when the clock strikes 12.

4.7.1.7. BGPObjects

A BGPObject is used to match an AS path received from BGP. Items in the object can define that an AS number should be found on a specific hop, at the origin, or anywhere in the AS path. There is no "direction" in the routing condition; it always checks both directions.

BGPObjects can also match communities (the combination of an AS number and an identifier). If any of the communities in the BGPObject is found in the list of communities seen for a connection, the connection matches.

If both AS path conditions and BGP community conditions are used in a BGPObject, both an AS path item and a community item from the object need to match for a connection to match the object.

For more information on BGP and AS paths, see Section 4.2.8, “Border Gateway Protocol (BGP)”.

Note: BGPObjects are not visible until a valid license is applied and BGP configuration is enabled in the system configuration (see Section 10.5, “Configuring BGP Support”).
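The BGPObject evaluation rules above (hop, origin or anywhere for AS path items; OR among communities; AND between the AS path and community classes; both directions checked) as an added Python model, not code from the product. The hop numbering (0 is the AS nearest the local end, the origin is the last AS in the path), the representation of "both directions" as one AS path per endpoint, and the AS numbers (taken from the RFC 5398 documentation range) are assumptions made for the example.

```python
"""Model of BGPObject evaluation (added example, not product code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Community = Tuple[int, int]   # (AS number, identifier)


@dataclass(frozen=True)
class AsPathItem:
    asn: int
    where: str = "anywhere"   # "anywhere", "origin" or "hop"
    hop: Optional[int] = None # 0-based position from the local end, used when where == "hop"

    def matches(self, as_path: List[int]) -> bool:
        if not as_path:
            return False
        if self.where == "origin":
            return as_path[-1] == self.asn      # assumption: origin AS is last in the path
        if self.where == "hop":
            return self.hop is not None and self.hop < len(as_path) and as_path[self.hop] == self.asn
        return self.asn in as_path


@dataclass
class BGPObject:
    as_items: List[AsPathItem]
    communities: Set[Community]

    def matches(self, paths: List[List[int]], seen_communities: Set[Community]) -> bool:
        """paths holds the AS path for each side of the connection (client and server prefix);
        an empty list stands for a prefix with no BGP path, e.g. a directly attached network."""
        # "No direction": an AS path item may match on either side.
        path_ok = not self.as_items or any(item.matches(p) for item in self.as_items for p in paths)
        # Any one listed community seen for the connection is enough.
        comm_ok = not self.communities or bool(self.communities & seen_communities)
        # With both classes of items present, both classes must match.
        return path_ok and comm_ok


def demo():
    server_path = [64496, 64497, 64501]   # constructed path toward the server prefix
    conn_paths = [[], server_path]        # local client prefix has no BGP path
    seen = {(64496, 100)}
    both = BGPObject([AsPathItem(64497)], {(64496, 100)})
    return {
        "origin": AsPathItem(64501, "origin").matches(server_path),
        "hop0_is_nearest": AsPathItem(64496, "hop", 0).matches(server_path),
        "hop1": AsPathItem(64497, "hop", 1).matches(server_path),
        "absent_asn": AsPathItem(64500).matches(server_path),
        "path_and_community": both.matches(conn_paths, seen),
        "path_but_wrong_community": both.matches(conn_paths, {(64496, 200)}),
        "client_side_path": BGPObject([AsPathItem(64500)], set()).matches([[64500], []], set()),
        "community_only": BGPObject([], {(64496, 100)}).matches(conn_paths, seen),
    }
```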

4.7.1.8. VlanObjects

A VlanObject is similar to a PortObject, but it is used to group a list of VLAN (802.1Q) IDs. This is useful when you want to restrict a certain VLAN's bandwidth or access to the Internet. PacketLogic supports VLAN IDs from 0 to 4095.

Each item can either be a single ID or a range of IDs. An item in a VlanObject can be set to be included in or excluded from an object.

PacketLogic supports Q-in-Q (multiple VLAN IDs). The level of VLAN IDs to traverse to select a VLAN ID for rule matching using VlanObjects is user-configurable with the System Configuration value QINQ_ILEVEL.

Note: PacketLogic sets the VLAN for a connection when it is first seen. Should a connection change VLAN during its lifetime, this is not reflected in the connection information in PacketLogic.

4.7.1.9. DSCPObjects

A DSCPObject groups a list of DiffServ CodePoint tags.

Each item can be a single DSCP tag or a range of tags. An item in a DSCPObject can be set to be included in or excluded from an object.

4.7.1.10. ChannelObjects

A ChannelObject groups a list of channel IDs. Channel IDs are the numerical IDs for channels, and can be used to match connections depending on which channel they pass through. Channel IDs can be mapped to interface locations in the Channel Editor (see Section 8.10.10, “Channel Editor”).

4.7.1.11. PropertyObjects

PropertyObjects are used to match connections with certain properties. The properties you can choose from are the same as in the Detailed Connection View (see Section 8.6, “LiveView”).

Choose a property and type a match string into the field. Wildcards may be used in the match string.

Different properties can be used together in the same object.

Wildcards

* Matches anything. For example, "www*" matches all strings that begin with "www".

? Matches one arbitrary character. For example, "www??" matches all strings that begin with "www" and end with two arbitrary characters.

\ Escapes a wildcard. If you want to match a string containing a literal * or ?, precede the character with \.

If a PropertyObject has multiple items there are two different evaluation processes: items with the same property are evaluated with OR, and items with different properties are evaluated with AND. An empty PropertyObject (without items) matches all connections.

Note: PropertyObjects expressed with multiple wildcards result in a complex evaluation for PacketLogic. The state machine that is composed from the PropertyObjects has a limit imposed on its complexity. Exceeding this limit results in the rule using the too complex PropertyObject not matching at all, so a rule that was meant to block or shape traffic stops doing so. The complexity level allowed is defined by the System Configuration value RULESET_PROPOBJECT_MAX_COMPLEXITY (see Appendix A, System Configuration Values).
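The wildcard syntax and the OR-within-a-property, AND-across-properties evaluation of a PropertyObject, including the empty-object and over-complex cases, as an added Python model (not product code). The property names, match strings and connection property values are constructed; counting unescaped wildcards is an assumed stand-in for the engine's real complexity measure, and a connection that lacks a referenced property is assumed not to match.

```python
"""Model of PropertyObject wildcard matching and item evaluation (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a match string into an anchored regex: '*' matches any sequence,
    '?' exactly one character, and a backslash makes the following character literal."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def wildcard_count(pattern: str) -> int:
    """Number of unescaped wildcards; an assumed stand-in for the engine's complexity measure."""
    n, i = 0, 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2
            continue
        if pattern[i] in "*?":
            n += 1
        i += 1
    return n


class PropertyObject:
    def __init__(self, items: List[Tuple[str, str]], max_complexity: int = 8):
        # items are (property name, match string) pairs; max_complexity stands in for
        # RULESET_PROPOBJECT_MAX_COMPLEXITY
        self.by_property: Dict[str, List["re.Pattern"]] = defaultdict(list)
        for prop, pattern in items:
            self.by_property[prop].append(wildcard_to_regex(pattern))
        self.too_complex = sum(wildcard_count(p) for _, p in items) > max_complexity

    def matches(self, props: Dict[str, str]) -> bool:
        if self.too_complex:
            return False          # a rule using an over-complex object never matches
        if not self.by_property:
            return True           # an empty object matches every connection
        for prop, regexes in self.by_property.items():
            value = props.get(prop)   # assumption: a missing property does not match
            if value is None or not any(r.match(value) for r in regexes):
                return False      # AND across different properties
        return True               # OR among items for the same property


def demo():
    # Constructed object: two Server Hostname items (OR) and one User Name item (AND).
    obj = PropertyObject([("Server Hostname", "*.example.com"),
                          ("Server Hostname", "cdn?.example.net"),
                          ("User Name", "al*")])
    return {
        "first_hostname_item": obj.matches({"Server Hostname": "www.example.com", "User Name": "alice"}),
        "second_hostname_item": obj.matches({"Server Hostname": "cdn1.example.net", "User Name": "alice"}),
        "hostname_miss": obj.matches({"Server Hostname": "www.example.org", "User Name": "alice"}),
        "user_name_absent": obj.matches({"Server Hostname": "www.example.com"}),
        "empty_object": PropertyObject([]).matches({"Server Hostname": "anything"}),
        "escaped_literal": wildcard_to_regex(r"what\?").match("what?") is not None,
        "escaped_not_wildcard": wildcard_to_regex(r"what\?").match("whatx") is not None,
        "over_complex": PropertyObject([("Server Hostname", "*a*b*c*d*e*")],
                                       max_complexity=4).matches({"Server Hostname": "abcde"}),
    }
```

The "over_complex" case is the one to test for after adding wildcard-heavy items: the object matches nothing rather than failing loudly, so the rule built on it silently stops applying.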

4.7.1.12. FlagObjects

FlagObjects are used to group traffic with certain characteristics in the flows themselves. These characteristics are called flow behavior. PacketLogic can identify a number of different flow behaviors, described below. Note that the behavior may change over time in one connection; the flow behavior flags for the connection will change accordingly. Also, a connection can have several behaviors simultaneously.

• Active indicates that PacketLogic has seen at least one packet belonging to the connection during the past connection update interval (5 seconds by default, but configurable with the system configuration value CONNECTION_UPDATE_INTERVAL).

• Asymmetric indicates that only one direction of the connection is seen by PacketLogic.

• Beginning indicates that it is the start of the connection. This flag follows the connection for longer than the Initial flag, and is mainly used to facilitate capturing traffic for analysis.

• Bulky is a flow consisting mainly of large packets in the main direction of the flow. Typical protocols are FTP transfer sessions, IRC DCC file transfers, and HTTP and SMTP with non-negligible payload.

• CBR Streaming (where CBR stands for Constant Bit Rate) is a flow where a considerable part of the flow has packets of the same size in the main direction of the flow. Typical protocols are RTP and certain gaming protocols.

• Client is Local is, as the name implies, a flow where the host acting as client is on the network considered local by PacketLogic.

• Download is a flow consisting mainly of large packets in the main direction of the flow and where the vast majority of the data transferred is in the main direction of the flow.

• Established indicates that a connection has seen traffic in both directions.

• Flowsync failed indicates that the connection was being flowsynced between systems, but the flow sync failed.

• Flowsynced indicates that the connection is taking part in flow synchronization (see Section 4.2.6, “Flow Synchronization”).

• Inbound indicates that most of the traffic in the connection is inbound (coming from external to internal).

• Initial is a behavior that defines the beginning of a connection.

• Interactive indicates that the connection has had a relatively infrequent exchange of packets.

• Out of sync indicates that TCP considers the connection to be out of sync.

• Outbound indicates that most of the traffic in the connection is outbound (coming from internal to external).

• Pseudo Unidirectional is a flow mainly going in one direction. A connection can have a few packets going in the opposite direction (such as a handshake), but the majority of packets go in one direction. Typical protocols that are pseudo unidirectional are HTTP, stock market tickers, and SNMP.

• Random looking indicates that the connection contains data which appears random. This is typically the case for encrypted traffic. The Random Looking flag combined with the service Unknown can be used in rules to match encrypted peer-to-peer file sharing traffic not caught by the regular services for those protocols. Note that any other encrypted traffic without a matching signature will match such a rule as well.

• Server is Local is a flow where the host acting as server is on the network considered local by PacketLogic.

• Streaming is a flow where the main direction of the flow contains much more traffic than the other direction. This is typically the case with downloads, but can also apply to, for example, IRC, SMTP, HTTP web browsing of medium to large size web pages, and database queries.

• Unidirectional is a flow going strictly in one direction. Typical protocols are RTP, FTP transfer sessions, and IRC DCC file transfers.

• Untracked indicates that PacketLogic has not seen the start of this connection.

4.7.1.13. TunnelLevelObjects

A TunnelLevelObject defines at what level of tunneling to match connections. A level of 0 means the rule applies to all top-level tunnels and non-tunneled connections, whereas a level of 1 means the rule matches any connection contained within a top-level tunnel, and so on. For a description of tunnel levels, see Section 4.2.1.1, “Tunnel Levels and Types”.

4.7.1.14. TunnelTypeObjects

A TunnelTypeObject defines what type of tunnel header to match in the rule.

• GTP

• ESP

• Teredo

• GRE

• L2TP

• IPv4/IPv6

4.7.1.15. MPLSObjects

An MPLSObject is similar to a VlanObject, but it is used to group a list of MPLS labels. Each item can either be a single label or a range of labels. An item in an MPLSObject can be set to be included in or excluded from an object.

4.7.1.16. SystemObjects

The condition is based on the machine IDs of the different PacketLogic systems using the same rule set. SystemObjects enable control over which rules are applied to which systems.

4.7.2. Nesting and Hierarchies

The object types used for traffic identification can be nested inside other objects of the same type to create a hierarchy. This allows for great flexibility in adjusting rulesets while keeping manual actions minimal, and enables rulesets that are easy to overview.

Figure 4.8. Nested NetObjects

For this reason, object nesting of traffic identification objects is highly recommended for any non-trivial ruleset. Nesting allows for a fine-grained separation of traffic identification criteria while still being able to easily include large categories of traffic without selecting many small categories. Also, nesting allows exclusion of objects, which is useful to, for example, impose limits on an entire network except certain individual hosts.

4.7.3. Object - Item Relationships (or, and, exclude)

The objects and items are compared in the rule evaluation with either the OR or the AND operator, depending on what kind of object it is. The general rule of thumb is that all objects and items are evaluated using the OR operator; however, there is an exception: PropertyObjects compare their items a bit differently.

PropertyObjects are evaluated using OR as long as the items are of the same kind. When mixing properties, they are evaluated using AND.

4.7.3.1. Exclude

An object defines a subset of an object type, such as network addresses or port numbers. The definition is made using items, which can be used to add to or exclude from the object definition. Objects can also have child objects, whose definitions are then included in the parent object.

There are rules of precedence to take into account when defining objects:

• Excluding has precedence over including in the same object.

• Items in a parent object have precedence over items in a child object.

• Items in a parent object are not taken into account in a child object, if the child object is used directly in a rule.

• Sibling objects (different child objects of the same parent object) do not affect each other.

In short, to determine the set defined by an object, perform the following calculation:

1. For each child object (remember sibling objects do not affect each other):

a. Add included items.

b. Subtract excluded items.

2. Add included items in the object itself, overriding any excludes in the child objects.

3. Subtract excluded items in the object itself.

To illustrate, Figure 4.9, “An object” shows an object with an included set and an excluded subset.

Figure 4.9. An object

Now, consider adding a child object. The child object also has an included set and an excluded subset. The result, if the parent object is used, is shown in Figure 4.10, “A parent and child object”.

Figure 4.10. A parent and child object

As can be seen, the exclude item in the child object is overwritten since it is in the included set of the parent object. Also, the exclude item from the parent object excludes part of the include item in the child.

If only the child object is used in a rule condition, the parent object items are disregarded, leaving the set shown in Figure 4.11, “The child object”.

Figure 4.11. The child object
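The set calculation of Section 4.7.3.1 can be written down as a short function. The following is an added example and not code from the PacketLogic product or this guide; it models an object as a set of included items, a set of excluded items and a list of child objects (items are plain integers standing in for addresses or ports, and the values mirror Figures 4.9 to 4.11 but are constructed). It shows the two effects described above: a child's exclude is overridden when the parent includes the same item, and a parent's exclude cuts into a child's include. Resolving the child alone gives the set of Figure 4.11, since the parent's items are then disregarded.

```python
from dataclasses import dataclass, field


@dataclass
class RuleObject:
    """Hypothetical model of one traffic-identification object: a set of
    included items, a set of excluded items and optional child objects.
    Items are plain integers here (they could be addresses or ports)."""
    name: str
    include: set = field(default_factory=set)
    exclude: set = field(default_factory=set)
    children: list = field(default_factory=list)


def resolve(obj: RuleObject) -> set:
    """Return the set the object defines when it is used directly in a rule.

    Steps follow Section 4.7.3.1:
      1. for each child (siblings are independent): add its includes and
         subtract its excludes; a child is resolved on its own
      2. add the object's own includes, overriding excludes in children
      3. subtract the object's own excludes (exclude beats include in the
         same object)
    Using a child directly is just resolve(child): the parent's items are
    disregarded, as the third precedence rule states.
    """
    result = set()
    for child in obj.children:
        result |= resolve(child)          # steps 1a and 1b, per child
    result |= obj.include                 # step 2
    result -= obj.exclude                 # step 3
    return result


# Constructed example mirroring Figures 4.9 to 4.11 (values are made up).
CHILD = RuleObject("child", include=set(range(8, 17)), exclude={9, 15})
PARENT = RuleObject("parent", include=set(range(1, 13)), exclude={10, 11},
                    children=[CHILD])


def demo() -> dict:
    """Resolve the parent (Figure 4.10) and the child alone (Figure 4.11)."""
    return {"parent": resolve(PARENT), "child_alone": resolve(CHILD)}


if __name__ == "__main__":
    for name, members in demo().items():
        print(f"{name}: {sorted(members)}")
```

Item 9 is excluded by the child but included by the parent, so it is present when the parent is used and absent when the child is used alone; items 10 and 11 are included by the child but excluded by the parent, so the opposite holds. Item 15, excluded by the child and not mentioned by the parent, stays out in both cases.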

4.7.4. Object Types for Traffic Management

4.7.4.1. RewriteObjects

A RewriteObject defines if Destination IP, Destination MAC, DSCP (Differentiated Services (DiffServ) Code Point, RFC 2474), or Source IP (see Section 4.7.4.1.1, “Rewriting Source IP” for source IP rewrite considerations) should be rewritten for matching traffic in a filtering rule. To use a RewriteObject in a filtering rule, choose Rewrite as action and select the RewriteObject.

The RewriteObject can, for example, be used for redirecting a virus-infected user to an information page about the infection, with instructions and advice on what to do. It can also redirect users who are not logged in to a login page, and "DiffServ-stamp" certain traffic so that a router further away will know how to prioritize it.

Note that when using a RewriteObject in a rule, the conditions to select traffic for the rule cannot use Layer 7 information (such as ServiceObjects or PropertyObjects). This is because it takes a few packets before the Layer 7 information is available for a connection. If a RewriteObject is used, it will be applied after the initial handshake has taken place, which will not give the intended effects.

Note: For rewritten destination IP addresses, source ports are not rewritten. This means there is a minimal risk of collisions if two hosts are redirected to the same IP address at the same time and they use the same source port. Hence Destination IP rewrites should not be used for permanent redirection of traffic. It is only recommended for redirecting a non-logged-in user to a login page.

4.7.4.1.1. Rewriting Source IP

Rewriting source IP addresses is part of the carrier grade Network Address Translation (NAT) feature. Source IP addresses must only be rewritten as part of a NAT solution. See Section 4.3, “Carrier Grade Network Address Translation (NAT)” for details.

4.7.4.2. ShapingObjects

ShapingObjects describe a traffic limit used in shaping rules. ShapingObjects have various criteria and limits.

The limits available are inbound, outbound and bi-directional speed. Bi-directional speed defines the sum of both inbound and outbound speed. The limits can be specified in terms of bandwidth, packet rate, or connection rate, and can have specified latency goals and queue sizes.

Note: Connection rate limiting cannot be combined with any other limit type in the same Shaping Object or Shaping Rule. For details, see Section 5.2.5, “Shaping Bits, Packets, or Connections”.

For each ShapingObject, BROWN Advanced Queue Management (for details, see Section 5.6.5.1, “Connection Fairness”), Host Fairness, and byte counting can be enabled or disabled, and a maximum number of concurrent connections in the ShapingObject can be specified.

Enabling the byte counter on a ShapingObject allows it to be used in VBS, by exposing the byte counter to the component keeping track of the consumption. For details on VBS, see Section 5.5, “Shaping Counters”.

To facilitate defining ShapingObjects for many instances of a rule, a ShapingObject can be set to be split, using the "Split by" parameter (for further information on the use of "Split by", see Section 5.2.4, “Split By”).

For details on how Traffic Shaping works, see Chapter 5, PacketLogic Traffic Shaping.

4.7.4.3. StatisticsObjects

A StatisticsObject defines several aspects of how statistics for the traffic on which it is applied are stored:

Fields Defines what information on the traffic shall be stored.

Distribution Defines on what criteria the statistics are stored.

Limits Defines the volume of incoming or outgoing traffic that must be sent to the StatisticsObject for it to start storing statistics.

Aggregation Determines whether the statistics stored using this StatisticsObject shall be aggregated (for details see Section 7.1.6, “Aggregation and Linking”).

For further information on statistics and the use of StatisticsObjects, see Chapter 7, PacketLogic Statistics.

4.7.5. Rules

4.7.5.1. Conditions

Each rule has a set of conditions. All criteria need to match if the rule action is to be used. The order of each condition in the list is irrelevant. A condition consists of an object type from the list of object types used for traffic identification, an operator (equals or not equals) and a specific object of that type. If a connection matches all the objects set to "equals" and none of the objects set to "not equals" in the rule, the rule will apply to the connection.

Note: If there are no conditions in a rule, the rule will match all traffic!
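The condition semantics of Section 4.7.5.1 and the OR/AND evaluation of PropertyObjects from Section 4.7.3 can be checked against a single connection record. The following is an added example, not code from the PacketLogic product or this guide: object types, the connection fields and the PropertyObject "kinds" (flags, protocol) are assumptions made for illustration, and the sample connection and rules are constructed. Every object type is an OR over its items, except a PropertyObject, which ORs items of one kind and ANDs across kinds; an empty condition list matches everything, which is the pitfall the note above warns about.

```python
import ipaddress

# Constructed sample connection (not from the guide). The PropertyObject
# "kinds" (flags, protocol) are an assumption used to illustrate the
# OR-within-kind / AND-across-kinds rule of Section 4.7.3.
CONN = {
    "client": ipaddress.ip_address("10.1.2.3"),
    "server": ipaddress.ip_address("203.0.113.7"),
    "service": "Unknown",
    "properties": {"flags": {"Random looking", "Streaming"},
                   "protocol": {"TCP"}},
}


def object_matches(obj_type, items, conn):
    """True if the object (given as its list of items) matches the
    connection. Every type except PropertyObject is an OR over its items."""
    if obj_type == "HostNetObject":
        nets = [ipaddress.ip_network(n) for n in items]
        return any(conn["client"] in n or conn["server"] in n for n in nets)
    if obj_type == "ServiceObject":
        return conn["service"] in items
    if obj_type == "PropertyObject":
        by_kind = {}
        for kind, value in items:
            by_kind.setdefault(kind, set()).add(value)
        # OR inside one kind, AND between kinds
        return all(values & conn["properties"].get(kind, set())
                   for kind, values in by_kind.items())
    raise ValueError(f"unsupported object type: {obj_type}")


def rule_matches(conditions, conn):
    """A rule applies when every "equals" object matches and no
    "not equals" object matches. Order is irrelevant. With no conditions
    at all the rule matches every connection (the pitfall in the note)."""
    for obj_type, operator, items in conditions:
        matched = object_matches(obj_type, items, conn)
        if operator == "equals" and not matched:
            return False
        if operator == "not equals" and matched:
            return False
    return True


# Constructed rule: internal client, unidentified service, random-looking
# or interactive TCP flow (the combination Section 4.7.1 suggests for
# catching encrypted peer-to-peer traffic).
ENCRYPTED_P2P_RULE = [
    ("HostNetObject", "equals", ["10.0.0.0/8"]),
    ("ServiceObject", "equals", ["Unknown"]),
    ("PropertyObject", "equals", [("flags", "Random looking"),
                                  ("flags", "Interactive"),
                                  ("protocol", "TCP")]),
]
NOT_HTTP_RULE = [("ServiceObject", "not equals", ["HTTP"])]
EMPTY_RULE = []   # matches everything

if __name__ == "__main__":
    for name, rule in [("encrypted p2p", ENCRYPTED_P2P_RULE),
                       ("not http", NOT_HTTP_RULE), ("empty", EMPTY_RULE)]:
        print(f"{name}: {rule_matches(rule, CONN)}")
```

Because the PropertyObject above mixes two kinds, the flags condition is satisfied by either Random looking or Interactive, but the protocol condition must be satisfied as well: the same connection seen over UDP would not match.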

4.7.5.2. Filtering Rules

A filtering rule has a set of matching conditions as described above, a number of parameters, and optionally a RewriteObject attached to it.

Parameters that can be set on a Filtering rule are:

Action The action to take if the rule matches, one of the following:

Accept Passes the traffic.

Reject Sends a reject response.

Drop Silently drops the traffic.

Rewrite Rewrites the packets using the designated RewriteObject.

Divert Diverts the traffic (for details on Divert, see Section 6.9, “TECH:Divert”).

Inject Injects content into the connection (for details on Inject, see Section 6.3.6, “Inject”).

Do not process additional rules An attribute which, if set, will exit the filtering ruleset evaluation if the rule matches and apply it immediately.

Logging Determines the level of logging for the rule sent to the filtering log. The choices are Off, Brief, and Verbose.

Rewrite Object Selects the RewriteObject to use if the rule matches and the action is set to Rewrite.

Monitor Interface Sets if the traffic matching the rule shall be monitored and written to file, using one of the available snoopers or a PCAP (packet capture) writer for further analysis.

Trigger Selects a filtering trigger to execute when the rule matches a connection. For more information on triggers, see Chapter 13, Triggers.

For details on how the Filtering rules work, see Chapter 6, Filtering.

4.7.5.3. Shaping Rules

Figure 4.12. Shaping rule

A shaping rule connects a set of objects for traffic identification (conditions) to a ShapingObject, limiting the connections matching the conditions according to the ShapingObject. A shaping rule can use multiple ShapingObjects, in which case the rule will borrow bandwidth from subsequent ShapingObjects. Additionally, the shaping rule can specify parameters in the rule itself:

Priority Assigns a priority number to the connections matching the shaping rule. The lower the number, the higher the priority.

Exclusive Connections that match this rule will not be included in other shaping rules. This option should be used with care, since a connection matching two different rules both marked exclusive will select one in a random fashion, leading to unpredictable behavior.

For details on how Traffic Shaping works, see Chapter 5, PacketLogic Traffic Shaping.

4.7.5.4. Statistics Rules

Statistics Rules define conditions, much like filtering rules and shaping rules. The same objects for traffic identification can be used for statistics rules as for the other rule types. The rule also defines whether traffic matching the rule shall be logged in the connection log.

The statistics rule also defines statistics objects (see Section 4.7.4.3, “StatisticsObjects”) to use for the traffic matching the rule.

For further information on statistics, see Chapter 7, PacketLogic Statistics.

4.8. Network Impact

This section describes a set of restrictions that are imposed on the traffic passing through PacketLogic.

4.8.1. MTU Restrictions

The MTU for packets that PacketLogic inspects and applies rules to is configured by the system configuration value PACKET_INSPECT_MTU. The MTU for packets that can be received on a channel interface is higher, and depends on the platform. Note that PacketLogic allocates resources for each packet based on the PACKET_INSPECT_MTU setting, so setting it too high will consume unnecessary resources and potentially reduce the rate of packets the PacketLogic can manage.

All MTU values include the Ethernet headers but exclude the FCS checksum field.

4.8.2. Connection Protection

PacketLogic has a feature called Connection Protection. Connection protection monitors the rate at which connections are initiated, in connections per second (CPS). When the total rate of half-open connections exceeds a configured threshold, each host is limited to 100 CPS for connections where the host is the client. This ensures that attacks (such as worms, Denial of Service (DoS), or Distributed Denial of Service (DDoS) attacks) are limited. 100 CPS as a client is still a high level of CPS for an individual host, so normal hosts should not be affected by the connection protection. The impact of the attack, however, will be dramatically reduced since a typical attack pattern generates a very high number of CPS. The hosts that are exceeding the individual limit when connection protection is enabled are marked in red in the local host view in the client (see Section 8.6.2, “Local Hosts”). When the total number of CPS recedes back below the threshold, the connection protection is disabled.

Connection protection can also set off triggers to perform custom actions using Python scripts. For details, see Chapter 13, Triggers.

Note: Due to the sampling interval used, it is actually sufficient to exceed 10% of the configured threshold during 1/10th of a second for connection protection to be triggered. That is, for the default values, if the total CPS exceeds 1000 and a host exceeds 10 CPS for 1/10th of a second, connection protection will be applied to that host.

The threshold at which connection protection is triggered is configurable by adjusting the System Configuration value CONNPROT_THRESHHOLD. Setting CONNPROT_THRESHHOLD to 0 disables connection protection. The hosts exceeding 100 CPS when connection protection is enabled can also be logged if the System Configuration value OUTPUT_CONNPROT_HOSTS is set to True. For details on System Configuration values, see Appendix A, System Configuration Values.

Do not combine connection protection with shunting of connection failures (system configuration value SHUNT_CONNECTION_FAILURES), as connection protection will cause connections to be dropped, rendering the shunt setting ineffective.

Related system diagnostics values are Attempts refused (connprot) and Protection enabled in the Connection zone (see Section C.3, “Connection”).
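The sampling behaviour described in the note above determines which hosts end up limited (and logged when OUTPUT_CONNPROT_HOSTS is set), and it is worth being able to reproduce that decision offline when reviewing a connection log after an incident. The following is an added example, not code from PacketLogic or this guide: it takes a constructed list of connection attempts (millisecond timestamp, client address), bins them into 1/10th-of-a-second samples, and reports, per sample, the hosts that would be limited: the sample total must exceed 10% of the threshold (1000 for the default CONNPROT_THRESHHOLD, passed here as the assumed parameter threshold_cps) and the host must exceed 10% of 100 CPS, that is more than 10 attempts, in that same sample. A threshold of 0 disables protection, as the guide states.

```python
from collections import Counter, defaultdict

SAMPLE_MS = 100          # sampling interval from the note: 1/10th of a second
PER_HOST_CPS = 100       # per-client limit applied while protection is on


def build_sample():
    """Constructed attempt log: (timestamp in ms, client IP). In practice
    this would come from the connection log; the values are made up."""
    attempts = []
    for i in range(100):                       # 100 ordinary hosts, 10 each
        for k in range(10):
            attempts.append((k * 9, f"10.0.0.{i}"))
    for k in range(50):                        # one host opening 50 per 100 ms
        attempts.append((k, "192.0.2.99"))
        attempts.append((SAMPLE_MS + k, "192.0.2.99"))
    return attempts


def connprot_hosts(attempts, threshold_cps=10000):
    """Return {sample_index: [hosts]} limited in each 100 ms sample.

    Follows the note in Section 4.8.2: protection engages when the sample
    total exceeds 10% of the threshold, and a host is then limited if it
    exceeds 10% of 100 CPS within that same sample. threshold_cps stands
    in for CONNPROT_THRESHHOLD (assumed default 10000); 0 disables it.
    """
    if threshold_cps <= 0:
        return {}
    sample_total_limit = threshold_cps * SAMPLE_MS // 1000   # 1000 by default
    sample_host_limit = PER_HOST_CPS * SAMPLE_MS // 1000     # 10
    totals = Counter()
    per_host = defaultdict(Counter)
    for ts_ms, host in attempts:
        sample = ts_ms // SAMPLE_MS
        totals[sample] += 1
        per_host[sample][host] += 1
    limited = {}
    for sample, total in sorted(totals.items()):
        if total <= sample_total_limit:
            continue                     # protection not engaged this sample
        hosts = sorted(h for h, n in per_host[sample].items()
                       if n > sample_host_limit)
        if hosts:
            limited[sample] = hosts
    return limited


if __name__ == "__main__":
    print(connprot_hosts(build_sample()))
```

In the constructed sample the first 100 ms carries 1050 attempts, so protection engages and only the host with 50 attempts exceeds the per-sample limit of 10; the 100 ordinary hosts sit exactly at 10 and are left alone. In the second sample the same host opens another 50 connections, but the total is far below 1000, so nothing is limited: the per-host limit only applies while the aggregate threshold is exceeded.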

Chapter 5. PacketLogic Traffic Shaping

PacketLogic Traffic Shaping enables shaping the traffic flowing in the network. Traffic shaping, in short, means that certain types of traffic can be prioritized and the amount of traffic consumed by different hosts, networks, protocols, and applications can be limited.

PacketLogic Traffic Shaping uses the IP stack of PacketLogic, and thus has the ability to limit traffic based on all the information extracted by PacketLogic.

The hosts or applications using the most bandwidth can easily be pinpointed and restricted in the client, by navigating the LiveView views in the client (see Section 8.6, “LiveView”).

5.1. Installation

PacketLogic Traffic Shaping is always deployed on a PacketLogic system. PacketLogic Traffic Shaping and PacketLogic Filtering need to be in the packet path. This usually means that the PacketLogic system should be placed between the local network and the uplink or router.

There is no software limit on the number of Ethernet interfaces in PacketLogic Traffic Shaping, but the normal hardware on which the PacketLogic system is installed is equipped with at least dual interfaces. The number of interfaces is always upgraded in pairs due to the "channel" structure.

5.2. How Traffic Shaping Works: An Overview

This section will attempt to explain how shaping rules and shaping objects work and interact.

Figure 5.1. Boundary of an unmanaged network

Figure 5.1, “Boundary of an unmanaged network” shows the network boundary of a network where no shaping is performed. Typically, the traffic exceeds the bandwidth available in the connection to the outside (typically the Internet). The boundary equipment normally holds a queue, where packets that have not yet been transmitted to the wire are kept. Since, at least during certain times, the traffic exceeds the output rate for extended periods, the queue (or buffer) is filled, and packets will be dropped.

Packet drops are in themselves not necessarily bad, and they are in most scenarios unavoidable.

The first thing PacketLogic does is provide the possibility to monitor the traffic flowing, which is the first step in implementing an effective usage policy.

Figure 5.2. Traffic identified and viewed with the LiveView module

In many cases, the first look at a network where shaping is not implemented is the one shown in Figure 5.2, “Traffic identified and viewed with the LiveView module”, where traffic intensive in bandwidth and connections consumes most, if not all, of the available bandwidth. Important traffic that does not consume much in itself is preempted, and even if it is able to get through, it may be latency-sensitive (such as voice traffic) and hence crippled by the latency added by the overfilled queues.

5.2.1. What PacketLogic Does

It is safe to assume that bandwidth in an unmanaged network boundary will be consumed, hence increasing the capacity is not the answer (even though it may be necessary to cater for the usage policy, once it is in place). Instead, some traffic must be held back and other traffic allowed to pass in its place.

Note: Good practice is to have a comprehensive rule set that has the same speed limits as the upstream speed of the Internet connection. This will ensure that traffic is queued in the PacketLogic instead of a router or other network equipment further away in the network.

Figure 5.3. Multiple Queues

What PacketLogic does, as shown in Figure 5.3, “Multiple Queues”, is to add multiple queues for the traffic to enter. The number of queues and their behavior is fully configurable by means of simply setting up a ruleset. The funnels in the figure are roughly the equivalent of a shaping object (for an overview of objects, see Chapter 4, Key Concepts), and the decision of what traffic goes in which funnel is determined by the rules and their conditions.

There are a few points to remember when handling shaping rules and objects in PacketLogic:

• Connections can go in multiple queues

This does not mean that the packets are split up in any way. The PacketLogic representation of the packet is entirely put in all the queues that have rules that apply. This is represented by the blue packet in Figure 5.4, “Packets are enqueued in multiple shaping objects”.

Figure 5.4. Packets are enqueued in multiple shaping objects

• The shaping object with the least remaining bandwidth determines the speed

This is necessary to ensure that all the restrictions are met, so bandwidth is not exceeded for any shaping object. There is a slight exception to this rule when using borrowing (see Section 5.2.3, “Borrowing”).

5.2.2. Priority

A shaping rule is a means of directing traffic with certain conditions (the conditions of the rule) into certain shaping objects. In addition to this, shaping rules can also assign a priority number to a connection. Since the packets in the shaping object queue are dequeued and transmitted in order, the priority can be enforced while maintaining the bandwidth limits set by the shaping object. Priority dequeuing is accomplished by allowing all priority levels to dequeue a certain amount (equivalent to the queue goal) in a burst, and in doing so, consume the burst bandwidth for packets with worse (higher) priority. Hence, bursting may cause dequeueing to exceed the limit of a ShapingObject momentarily, but the dequeueing compensates for this by not dequeueing after the burst, evening out the bandwidth over time.

As mentioned, traffic can be affected by multiple rules and objects simultaneously. To create a predictable behavior, PacketLogic assigns only one priority to one connection, regardless of how many rules it matches. PacketLogic selects the lowest (hence, best) priority number out of all the priority numbers assigned to a connection. This priority number then follows the connection into all relevant shaping objects.

Figure 5.5. The same priority may give different queue positions in different shaping objects

Note: If the system configuration value PRIO_EMPTY_ACK is set to True (default), TCP ACK (acknowledge) packets without payload are assigned a priority one lower (better) than the rest of the connection. In the same way, if PRIO_RETRANSMISSION is True, packets that are retransmissions (due to drops) in TCP connections get improved priority. These automatic priority adjustments shall not be combined with priority 0 fast lane (see Section 5.2.2.1, “Priority 0 Fast Lane”).

5.2.2.1. Priority 0 Fast Lane

There is an option to enable a "fast lane" in PacketLogic Traffic Shaping. This is done by setting the system configuration value SHAPING_PRIO0_FASTLANE to True. With this option enabled, connections with priority 0 (zero) are allowed to pass all other traffic in ShapingObjects, and are also allowed to exceed the limits configured in the ShapingObjects. All other traffic is still forced to respect the limits of the ShapingObject, and the bandwidth used by priority 0 traffic is deducted from the available bandwidth of the ShapingObject.

Do not enable PRIO_EMPTY_ACK or PRIO_RETRANSMISSION when priority 0 fast lane is used.

5.2.2.2. Weighted Fair Queueing

By default, priority is handled by allowing bursts up to the queue goal as mentioned above. To avoid starving connections that receive poor priority, weighted fair queueing (WFQ) can be used. WFQ configures a percentage for priority levels 4 through 9. This percentage is the ratio of the burst capacity reserved for this priority level.

In the case that a priority level does not consume its reserved burst capacity, it is consumed by other priority levels requesting it in strict priority order (that is, if priority 5 does not burst and priority 3 and 4 both want all of it, priority 3 gets all of it).

Note: Low priority numbers mean high priority traffic.
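The difference between the default burst handling and WFQ is easiest to see on one burst with a concrete demand per priority level. The following is an added example and not code from PacketLogic or this guide; the 10% reservations for levels 4 through 9, the burst size and the per-level demands are constructed, and the assumption that levels 0 through 3 carry no reservation is a modeling choice, since the guide only defines percentages for levels 4 through 9. The strict allocator hands the burst out in priority order only; the WFQ allocator first grants each reserved level up to its share, then hands the unreserved part and any unused reservation out in strict priority order, as Section 5.2.2.2 describes.

```python
LEVELS = range(10)               # priority levels 0..9, lower number is better

# Constructed configuration: 10% of the burst reserved for each of the
# levels 4..9 that WFQ percentages apply to (the numbers are made up).
RESERVED_PCT = {lvl: 10 for lvl in range(4, 10)}


def strict_allocate(burst, demand):
    """Default behaviour: levels burst in strict priority order until the
    burst capacity is gone, so a greedy good priority starves the rest."""
    grant, remaining = {}, burst
    for lvl in sorted(demand):
        take = min(demand[lvl], remaining)
        if take:
            grant[lvl] = take
        remaining -= take
    return grant


def wfq_allocate(burst, demand, reserved_pct=RESERVED_PCT):
    """WFQ per Section 5.2.2.2: each level in reserved_pct first receives
    up to its reserved share of the burst; the unreserved part plus any
    reservation left unused is then handed out in strict priority order.
    Modeling assumption: levels without a percentage (0..3) reserve nothing."""
    grant = {lvl: 0 for lvl in LEVELS}
    for lvl, pct in reserved_pct.items():
        grant[lvl] = min(demand.get(lvl, 0), burst * pct // 100)
    remaining = burst - sum(grant.values())
    for lvl in sorted(demand):                  # strict order: 0 first
        take = min(demand[lvl] - grant[lvl], remaining)
        grant[lvl] += take
        remaining -= take
    return {lvl: g for lvl, g in grant.items() if g}


# Constructed demand (bytes) for one burst of 1000 bytes: a greedy level 3,
# a level 4 wanting more than its share, level 5 idle and a small level 8.
BURST = 1000
DEMAND = {3: 1000, 4: 200, 5: 0, 8: 50}

if __name__ == "__main__":
    print("strict:", strict_allocate(BURST, DEMAND))
    print("wfq:   ", wfq_allocate(BURST, DEMAND))
```

With strict bursting, level 3 takes the whole burst and levels 4 and 8 get nothing. Under WFQ, level 4 keeps its reserved 100 bytes and level 8 its 50; the 600 bytes of reserved capacity that levels 5, 6, 7 and 9 leave unused go to level 3 ahead of level 4, which is the "priority 3 gets all of it" case in the text.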

5.2.3. Borrowing

Borrowing is exactly what it sounds like: It allows shaping rules to borrow bandwidth from shaping objects when their "primary" shaping object is full (provided, of course, that there is bandwidth left in the object to borrow from). This is done by adding multiple shaping objects to one shaping rule. Connections matching the rule will then be enqueued in all shaping objects. However, the rule will add one to the priority number for each step it goes in the list. That is, if the rule has priority 3 and three shaping objects, the first shaping object has connections assigned with priority 3, the second shaping object priority 4, and the third priority 5. Note that in the borrowing setup, contrary to the overall policy for multiple shaping rules, the shaping object that first dequeues a packet transmits it. This does, however, only apply among the shaping objects in the rule using borrowing. If there are other rules that apply, a packet must still be dequeued from all shaping objects in those rules before it is forwarded.

Figure 5.6. Borrowing bandwidth

This makes it easy to create a ruleset where a certain bandwidth is available to each of a set of users, but they are allowed to use a common pool of bandwidth if it is not fully used. Using the case in Figure 5.6, “Borrowing bandwidth” as an example, there are two shaping rules: One using the red shaping object as a primary shaping object, and one using the yellow shaping object as primary shaping object. Both rules use the middle shaping object as a borrowing object. Since both the red and the yellow shaping objects are full, the middle shaping object has the most remaining bandwidth to offer, and is hence used. If the middle object were to be filled, this would change.
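The priority rules of Section 5.2.2 (one priority per connection, the lowest number among all matching rules) and the per-step increment of Section 5.2.3 together determine the number a connection carries into each shaping object. The following is an added example, not code from PacketLogic or this guide, that computes that number for a connection matching two constructed rules, one of them a borrowing rule with three objects. One modeling assumption is stated in the code: the borrowing offset is applied on top of the connection-wide priority, and an object reachable through several rules keeps the best (lowest) number.

```python
# Constructed rules that one connection matches (names and priorities are
# made up). "Gold users" borrows: its primary object is first in the list.
RULES = [
    {"name": "Gold users", "priority": 3,
     "objects": ["gold", "pool", "overflow"]},
    {"name": "All traffic", "priority": 6, "objects": ["total"]},
]


def connection_priority(matching_rules):
    """Section 5.2.2: a connection gets exactly one priority, the lowest
    (best) number among all shaping rules that match it."""
    return min(rule["priority"] for rule in matching_rules)


def per_object_priority(matching_rules):
    """Priority the connection carries into each shaping object.

    Section 5.2.3: within a borrowing rule the number grows by one per
    position in the rule's object list (primary object first).
    Modeling assumption: that offset is applied on top of the connection-
    wide priority from Section 5.2.2, and if one object is reached through
    several rules the lowest number wins.
    """
    base = connection_priority(matching_rules)
    result = {}
    for rule in matching_rules:
        for step, obj in enumerate(rule["objects"]):
            prio = base + step
            result[obj] = min(prio, result.get(obj, prio))
    return result


if __name__ == "__main__":
    print("connection priority:", connection_priority(RULES))
    print("per object:", per_object_priority(RULES))
```

The "All traffic" rule assigns priority 6, but the connection's single priority is 3 because "Gold users" is better, and that 3 follows it into the "total" object as well. Inside the borrowing rule the connection is queued at 3 in its primary object, 4 in the pool and 5 in the overflow object, so borrowed bandwidth is always contended for at a worse priority than the primary allocation.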

5.2.4. Split By

ShapingObjects can be split by certain criteria. Splitting means creating a copy of the ShapingObject for each existing item in the split criteria.

The ShapingObject can be set to "Split by" with the following options:

None When this option is used the object is shared among all hosts matching a shaping rule which uses the ShapingObject. If the limit of the object is 1024 kbps, the "Split by None" means that the matching hosts have to share 1024 kbps.

Local host Each host considered local gets a virtual instance of the ShapingObject. If the limit of the object is 1024 kbps, this means that the matching local hosts get 1024 kbps each.

Host NetObject Each NetObject where there are connections seen where the server or the client of the connection is in the NetObject gets a virtual instance of the ShapingObject. There has to be at least one selected Host NetObject in the conditions of the shaping rule.

Client NetObject Each NetObject where there are connections seen where the client of the connection is in the NetObject gets a virtual instance of the ShapingObject. There has to be at least one Client NetObject in the conditions of the shaping rule.

Server NetObject Each NetObject where there are connections seen where the server of the connection is in the NetObject gets a virtual instance of the ShapingObject. There has to be at least one selected Server NetObject in the conditions of the shaping rule.

Connection Each connection gets a virtual instance of the ShapingObject.

Local NetObject Each NetObject where there are connections seen where the internal IP of the connection is in the NetObject gets a virtual instance of the ShapingObject. Internal IP is the destination IP of an inbound packet and the source IP of an outbound packet. There has to be at least one selected NetObject in the conditions of the shaping rule.

Subscriber Each subscriber (named dynamic item) gets a virtual instance of the ShapingObject.

Local Network Prefix Each local (internal) IPv6 address segment of the length defined by the entered value gets a virtual instance of the ShapingObject. Example: Prefix length 56 means addresses sharing the same first 56 bits in the IPv6 address also share the same ShapingObject virtual instance.

For all Split by NetObject choices, it is the selected NetObjects that are used. If a NetObject holding subobjects is selected, only the top-level object gets a copy of the ShapingObject. To provide each subobject with a copy, select each subobject individually. Also note that using Split by NetObject creates a virtual rule copy for each selected NetObject. This copy is included in the number of shaping rules allowed in the system, limited by the system configuration value SHAPING_MAX_RULES (see Appendix A, System Configuration Values).
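Each "Split by" option above reduces to a function that maps a connection to the key of the virtual ShapingObject instance it lands in. The following is an added example, not code from PacketLogic or this guide, that writes that mapping out for every option in the table and groups a few constructed IPv6 connections by it. The connection fields (local, client, server, subscriber), the two selected top-level NetObjects and the addresses are all constructed; the Local Network Prefix case uses prefix length 56, as in the table's example, so the two connections whose local addresses share their first 56 bits end up in one instance.

```python
import ipaddress

# Constructed connections: internal ("local") address, client and server
# addresses and a subscriber name (all values made up, documentation range).
CONNS = [
    {"id": 1, "local": "2001:db8:abcd:1234::10",
     "client": "2001:db8:abcd:1234::10", "server": "2001:db8:ffff::1",
     "subscriber": "alice"},
    {"id": 2, "local": "2001:db8:abcd:12ff::5",
     "client": "2001:db8:abcd:12ff::5", "server": "2001:db8:ffff::2",
     "subscriber": "bob"},
    {"id": 3, "local": "2001:db8:abcd:4444::7",
     "client": "2001:db8:abcd:4444::7", "server": "2001:db8:ffff::1",
     "subscriber": "alice"},
]

# Selected top-level NetObjects (name -> networks). Sub-objects are not
# expanded here, matching the rule that only the top-level object gets
# a copy unless each sub-object is selected individually.
SELECTED_NETOBJECTS = {
    "Net One": [ipaddress.ip_network("2001:db8:abcd:1200::/56")],
    "Net Two": [ipaddress.ip_network("2001:db8:abcd:4400::/56")],
}

# Which connection endpoints each NetObject split criterion looks at.
ROLES = {"Host NetObject": ("client", "server"),
         "Client NetObject": ("client",),
         "Server NetObject": ("server",),
         "Local NetObject": ("local",)}


def split_key(split_by, conn, prefix_len=None):
    """Key of the virtual ShapingObject instance a connection lands in,
    or None if no selected NetObject matches."""
    if split_by == "None":
        return "shared"                       # one instance for everyone
    if split_by == "Connection":
        return conn["id"]
    if split_by == "Local host":
        return conn["local"]
    if split_by == "Subscriber":
        return conn["subscriber"]
    if split_by == "Local Network Prefix":
        net = ipaddress.ip_network(f"{conn['local']}/{prefix_len}",
                                   strict=False)
        return str(net)                       # first prefix_len bits
    if split_by in ROLES:
        for name, nets in SELECTED_NETOBJECTS.items():
            if any(ipaddress.ip_address(conn[role]) in n
                   for role in ROLES[split_by] for n in nets):
                return name
        return None
    raise ValueError(f"unknown split criterion: {split_by}")


def instances(split_by, conns, prefix_len=None):
    """Group connection ids by virtual instance, dropping unmatched ones."""
    groups = {}
    for conn in conns:
        key = split_key(split_by, conn, prefix_len)
        if key is not None:
            groups.setdefault(key, []).append(conn["id"])
    return groups


if __name__ == "__main__":
    for option in ("None", "Local host", "Subscriber", "Local NetObject"):
        print(option, instances(option, CONNS))
    print("Local Network Prefix /56", instances("Local Network Prefix", CONNS, 56))
```

The number of keys returned by instances() is the number of ShapingObject copies the split creates, which is the quantity the dynamic-split discussion below is concerned with: for the NetObject splits it is bounded by the number of selected NetObjects, while for hosts, connections, subscribers and prefixes it grows with the traffic.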

5.2.4.1. Split by Considerations

When using "Split by", a new ShapingObject is automatically created for matching traffic, but only if no other automatically created object already exists. When using "Split by Connection" this doesn't really matter, but when using "Split by Local host" a new ShapingObject will only be created for each unique ShapingObject.

This means that if two different rules, with different criteria, both use "Split by Local host" and use the same ShapingObject, the automatically created object will be shared. To avoid this behavior, use different ShapingObjects.

A regular split-by is rather predictable since the regular object structure is known (for example, using split by Host NetObject will at most create as many object copies as there are selected NetObjects). For so-called dynamic splits, this is more complex. Dynamic splits are called dynamic since the criteria by which a new copy is allocated vary dynamically. This is the case for local hosts, connections, subscribers, and local network prefixes.

5.2.5. Shaping Bits, Packets, or Connections

The limits in a Shaping Object can be expressed in bandwidth (expressed in bits per second, bps), packet rate (packets per second) or connection rate (connections per second). Bandwidth and packet rate can be combined in one Shaping Object, but connection rate limiting cannot be combined with any other limit, due to how PacketLogic determines the dequeuing order of packets. This applies to Shaping Rules as well; even if CPS limits are defined in a separate Shaping Object, it cannot be combined with a Shaping Object using a different type of limit in the same Shaping Rule.

If it is required to apply connection rate limits as well as another limit on the same connection, it is necessary to define the connection rate limit in a separate Shaping Object used in a separate Shaping Rule. To apply it to the same connections as another Shaping Object/Shaping Rule, simply use the same conditions in the two Shaping Rules.

Note: Connection rate (CPS) limits are per packet processor. Hence, in a system with multiple packet processors (such as the PL10000 systems), the CPS limit is per processor.

5.2.6. Limiting Concurrent Connections

A Shaping Object can also enforce a limit on the total number of concurrent connections that are allowed to exist in a Shaping Object. This limit is applied in real time, and includes both established and unestablished connections. Note, however, that a Shaping Object can only act on traffic passing through it. Due to this, there can be connections that appear to exist but pass no traffic that are not affected by a connection limit. The number of connections will stabilize over time as such connections time out, and connections passing traffic are immediately affected by the limit set.

A connection that tries to send packets when the limit is reached will be refused by means of an RST for TCP, or an ICMP port unreachable for other protocols.

Note: Concurrent connection limits are per packet processor. Hence, in a system with multiple packet processors (such as the PL10000/PL20000 systems), the concurrent connection limit is per processor.

5.3. Monitoring the Shaping System

There is real-time information on the performance of shaping rules and objects in the LiveView part of the client, in the Shaping Objects view and the Shaping zone in System Diagnostics.

5.4. Configuration Examples

5.4.1. Limiting a Network

A common scenario is the need to limit the amount of traffic generated by a network (specified by a prefix and a netmask). To do this with PacketLogic Traffic Shaping, create a NetObject and include an item with the prefix and netmask. Call the object "Net One".

Create a ShapingObject and specify the amount of bandwidth to allocate to this network. Call this object "Net One Traffic".

Go to the shaping rules and create a new rule called "Net One Limits", and add "Net One Traffic" to the ShapingObjects list.

Add a condition for this rule, choose Host NetObject and select "Net One" from the list of NetObjects.

Now that network will be limited by the "Net One Traffic" bandwidth.

5.4.2. Limiting Each Host on a Network

Create a new ShapingObject, name it "Net One Per Host".

Choose Local host in the "Split by" drop down menu. Also set an appropriate speed.

Create a rule called "Net One Per Host" and add the ShapingObject "Net One Per Host" to the selected list of ShapingObjects for that rule.

As a condition add "Net One" as Host NetObject.

5.4.3. Limiting Overall FTP to 2 Mbps

Create a new ServiceObject called "FTP" and add an item containing FTP transfer.

Create a new ShapingObject, called "FTP" and set it to 2 Mbps.

Add a new rule, called "Limit FTP", and choose the "FTP" ShapingObject. Also add the ServiceObject "FTP" to the conditions of the shaping rule.

Now overall ftp-data is limited to 2 Mbps. To include FTP control connections in the same class, add the service FTP to the ServiceObject "FTP".

5.5. Shaping Counters

Shaping counters are byte counters attached to ShapingObjects. They can be used to maintain counters for entities. Common uses are volume-based shaping (VBS) and quota and CDR management on PSM. The counter is enabled by checking the Byte counter box under Advanced Options in the ShapingObject editor.

Counters are not used internally. Rather, they are intended for other entities to subscribe to. The user subscribing to counter updates needs to have Shaping view permissions.

The system configuration value SHAPING_COUNTERS_GRANULARITY_SHIFT determines how much traffic shall be counted before sending an update to those subscribing to counters. This is expressed as a shift value, equivalent to a power of 2. The default value is 18, giving a granularity threshold of 256 kB (2^18 bytes). This means the counters in the PLD will allow 256 kB of data to increment a counter before updating the entities that keep track of the counters. This value should be set as high as the necessary granularity allows, as fewer updates significantly reduce the load on the controller.

The system configuration value SHAPING_COUNTERS_MAX defines the maximum number of counters allowed to exist simultaneously in PLD. Note that this includes multiple counters created by a single ShapingObject when the object is set to be split by any criterion. When a new counter is requested when the maximum is reached, an existing counter will be recycled. Ensure that the number of counters matches the number of concurrently active hosts that are to generate counters to avoid recycling counters in active use.

5.5.1. Volume Based Shaping

Volume-based shaping (VBS) in PacketLogic allows changing the available bandwidth in a ShapingObject based on the total data transferred over a specified fixed time period or a sliding window (the VBS duration) [1].

5.5.1.1. Implementation and Configuration

The VBS functionality is split into several subsystems.

A ShapingObject to be used for VBS is marked as such by setting attributes on it, stating the limits to apply when throughput limits are exceeded. These attributes are stored by the database daemon and can be viewed and edited in the PacketLogic client by clicking the Edit VBS button in the ShapingObject editor (see Figure 5.8, “The VBS ShapingObject, limits”).

[1] The sliding window is only available in the internal VBS, the "minivbs".

Furthermore, a VBS ShapingObject needs to have a counter enabled. This allows the VBS controller to subscribe to the counter, giving it continuous updates on how many bytes have passed through the ShapingObject. The counter is enabled by checking the Byte counter box under Advanced Options in the ShapingObject editor.

With this in place, a VBS controller can retrieve the configured limits from the database daemon, and subscribe to the relevant counters for all ShapingObjects that have VBS limits defined. The VBS controller will then keep track of how much traffic has passed through a ShapingObject, compare it to the defined limits, and ensure that matching traffic is limited accordingly.

The VBS controller is available in two forms: Internal or external. The internal VBS controller resides on the PacketLogic itself, whereas the external VBS controller is implemented as a component in the PacketLogic Subscriber Manager (PSM). The key difference is scalability, as the internal VBS controller can only handle a relatively small number of concurrent hosts being managed with VBS.

Enabling the internal VBS controller is done in the CLI on the PacketLogic, in System Administration -> Internal VBS.

Regardless of which controller is used, some variables in the PacketLogic itself control VBS performance and behaviour.

5.5.1.2. Example

A brief example is illustrated below. The VBS Shaping Object has an initial limit of 2048 kbps, as set in the main ShapingObject editor (see Figure 5.7, “The VBS ShapingObject, main editor”). Looking at the limits editor (Figure 5.8, “The VBS ShapingObject, limits”, opened with the Edit VBS button in the main ShapingObject editor), the first limit is at 1024 MiB of accumulated transfer, which lowers the bandwidth to 1024 kbps. The second limit is enforced after 2048 MiB of accumulated transfer, and lowers the available bandwidth to 512 kbps. This limit is enforced until the accumulated transfer is back below the limit.

Figure 5.7. The VBS ShapingObject, main editor


Figure 5.8. The VBS ShapingObject, limits

Lowering the accumulated transfer can happen in two ways:

• Manual reset is typically used when an external VBS controller like the PSM is used. The external entity returns the subscriber to a lower limit based on any criteria available to it. This will usually be a fixed reset cycle date or the occurrence of an account top-up or upgrade.

• Sliding window is used by the internal VBS controller (the "minivbs") and calculates the accumulated transfer over the past window period. See Section 5.5.1.2.1, “Sliding Window” for a description.

5.5.1.2.1. Sliding Window

This section describes how the sliding window used by the internal VBS controller works.

The VBS duration is illustrated by the black frame. In this specific example, the duration is three time units (for example days), and the transfer shown is inbound traffic in kilobytes.

5.5.1.2.1.1. Time t2

At time t2 (shown in Figure 5.9, “Time t2”), the duration (the sliding window illustrated by the black frame) shows a transfer of 2200 MiB over the past three time units, which gives a current bandwidth of 512 kbps.


Figure 5.9. Time t2

5.5.1.2.1.2. Time t3

At time t3 (shown in Figure 5.10, “Time t3”), the transfer from the t0 time interval has left the sliding window, and the transfer used in the t3 time interval has been added. Hence, at t3, the sliding window shows a transfer of 1900 MiB over the past three time units, which gives a current bandwidth of 1024 kbps.


Figure 5.10. Time t3

5.5.1.2.1.3. Time t4

At time t4 (shown in Figure 5.11, “Time t4”), the transfer from the t1 time interval has left the sliding window, and the transfer used in the t4 time interval has been added. Hence, at t4, the sliding window shows a transfer of 1250 MiB over the past three time units, which gives a current bandwidth of 1024 kbps.


Figure 5.11. Time t4

5.5.1.2.1.4. Time t5

At time t5 (shown in Figure 5.12, “Time t5”), the transfer from the t2 time interval has left the sliding window, and the transfer used in the t5 time interval has been added. Hence, at t5, the sliding window shows a transfer of 750 MiB over the past three time units, which gives a current bandwidth of 1024 kbps.


Figure 5.12. Time t5
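The sliding-window calculation above, and the manual-reset alternative from the list before it, as an added example. This is illustrative code, not part of the PacketLogic product or this guide. The limit table is the one from the example in Section 5.5.1.2 (initial 2048 kbps; 1024 MiB -> 1024 kbps; 2048 MiB -> 512 kbps), the window is three time units, and the per-interval transfers are constructed so that the window totals at t2, t3, t4 and t5 come out as 2200, 1900, 1250 and 750 MiB. Note that with this limit table a window total below the first threshold (such as the 750 MiB at t5) falls back to the initial rate, since the guide states that a limit is enforced only until the accumulated transfer is back below it.

```python
from collections import deque
from typing import List, Tuple

# Limits from the Section 5.5.1.2 example: (accumulated MiB threshold, bandwidth in kbps).
INITIAL_KBPS = 2048
VBS_LIMITS = [(1024, 1024), (2048, 512)]


def bandwidth_for(accumulated_mib: int, limits=VBS_LIMITS, initial_kbps=INITIAL_KBPS) -> int:
    """Map an accumulated transfer to the bandwidth that applies.

    The highest threshold that has been reached wins; below the first
    threshold the initial rate applies again.
    """
    rate = initial_kbps
    for threshold_mib, kbps in sorted(limits):
        if accumulated_mib >= threshold_mib:
            rate = kbps
    return rate


def sliding_window_rates(per_interval_mib: List[int], duration: int) -> List[Tuple[int, int, int]]:
    """Internal controller ("minivbs") behaviour: for every interval t, sum the
    transfer of the last `duration` intervals (the black frame in the figures)
    and return (t, window total in MiB, bandwidth in kbps)."""
    window = deque(maxlen=duration)   # oldest interval drops out automatically
    result = []
    for t, mib in enumerate(per_interval_mib):
        window.append(mib)
        total = sum(window)
        result.append((t, total, bandwidth_for(total)))
    return result


class ManualResetAccumulator:
    """External controller behaviour (for example the PSM): the accumulated
    transfer only goes down when the controller explicitly resets it, e.g. on
    a reset cycle date or an account top-up."""

    def __init__(self) -> None:
        self.accumulated_mib = 0

    def add(self, mib: int) -> int:
        """Account a counter update and return the bandwidth now in force."""
        self.accumulated_mib += mib
        return bandwidth_for(self.accumulated_mib)

    def reset(self) -> int:
        """Return the subscriber to the initial limit."""
        self.accumulated_mib = 0
        return bandwidth_for(self.accumulated_mib)


# Constructed per-interval inbound transfer in MiB for t0..t5 (not measured data).
# Chosen so the 3-unit window totals at t2..t5 are 2200, 1900, 1250 and 750 MiB.
SAMPLE_INTERVALS = [900, 700, 600, 600, 50, 100]

if __name__ == "__main__":
    for t, total, kbps in sliding_window_rates(SAMPLE_INTERVALS, duration=3):
        print(f"t{t}: window total {total} MiB -> {kbps} kbps")
```

The window total at each step is what the VBS controller compares against the limits; the per-interval values would in practice come from the byte counter the controller subscribes to, delivered in units of 2^SHAPING_COUNTERS_GRANULARITY_SHIFT bytes.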

5.6. TECH: Queueing Engine

5.6.1. Packet Queueing

Traffic shaping in PacketLogic simply means queueing of packets [2], just like a router or a switch will do when the incoming rate of packets exceeds the output rate. When a queue is full, packets will be dropped. Dropping packets due to queue overflow is a natural part of network traffic. Without packet drops TCP would not be able to adjust window sizes, and congestion on any non-negligible network size would be considerable.

Shaping uses queues and an Active Queue Management (AQM) algorithm. The currently available AQM options are BLUE, per-connection BLUE (used by selecting BROWN in a ShapingObject), and CoDel. It is also possible to disable using AQM for a ShapingObject. Additionally, Stochastic Fair BLUE is used for host fairness. The recommended behaviour for most cases is BLUE.

There is a queue for each priority level in each ShapingObject. PacketLogic marks each packet enqueued in the ShapingObject according to the queue build-up, resulting in either a forwarding, a tail drop, or a potential drop.

[2] Virtual queueing does not actually queue packets.


When the packet has been evaluated against all matching ShapingObjects, it ends up being a forwarded packet, a tail dropped packet, or a potential early drop. The drop decision for a potential early drop is made by the AQM chosen. These preemptive drops will cause an adjustment in the TCP window by well-behaving TCP stacks in the end points.

BLUE performs early drops with a probability set for the ShapingObject for that priority. BLUE also adjusts the drop probability for the ShapingObject based on queue usage. When the ShapingObject is empty, the drop probability is reduced. When the queue is full (enqueued packets are equal to queue size), the queue increases the drop probability. This is to make the queue size trend towards being filled to the latency goal, but not more.

CoDel (Controlled Delay) performs early drops based on the time packets spend in queue. If the time to reach the head of the queue is more than the latency goal for an interval (by default 50 ms), early drops are performed. The rate of early drops starts low but increases with the number of subsequent intervals where the time in queue exceeds the latency goal. When CoDel is used, the parameters for shaping need to be adjusted. See Section 5.6.6, “Fine-tuning the Shaping System”.

Instead of being actually dropped, packets may also be marked as congested using Explicit Congestion Notification (ECN). See the system configuration values ECN_SUPPORT and ECN_FULL_SHAPING in the Packet Handling category for more information.

Optionally, active queue management can be disabled by selecting None (tail drop) in the ShapingObject configuration. This simply means that no preemptive drops are done, and the only packets that are dropped are those that arrive when the queues are full (tail dropping).

5.6.1.1. Priority handling

Priorities are implemented by burst capacity. All priority levels are allowed to burst a number of packets equivalent to the latency goal of the queue. When a priority level bursts, it consumes the burst capacity of all higher priority numbers (remember that high numbers mean low priority and vice versa in PacketLogic).

5.6.1.2. BROWN

BROWN, which was the queue management algorithm in the earlier releases, is no longer used. What used to be called BROWN, and which is also what is activated when you choose to use BROWN for connection fairness, is actually per-connection BLUE. This ensures fairness among connections by associating the drop probability with connections. For the majority of deployments, BLUE without the per-connection component (the per-connection component is enabled by selecting BROWN) is preferred.

5.6.2. Queue Synchronization

Queue synchronization is a method for multiple packet processors (referred to as engines) to share queues from a rule set. This can be either separate PacketLogic units (in which case it is called external queue synchronization), or separate processors in the same PacketLogic unit (such as the packet processors in a PL10000/PL20000 platform).

Engines taking part in queue synchronization report their usage of a ShapingObject to the PLD. In external queue synchronization, the PLDs of the units communicate to determine the share among them. PLD then distributes the total usage over the participating engines, giving shares based on the current usage of the other engines (the peers). For n engines participating in queue synchronization, the minimum allotment for one engine is always 1/n of the total ShapingObject (that is, for ten engines each engine always gets a minimum of 10% of the ShapingObject). Updates are sent once per second.

Example: At time 0, two engines sharing a ShapingObject of 10 Mbps both have 10 Mbps available, as no peer usage has been reported.

Both engines start enqueueing on the ShapingObject, engine 1 at 6 Mbps and engine 2 at 3 Mbps. They both report this usage. At time 1, engine 1 is allotted 7 Mbps since engine 2 reported using 3. Engine 2, on the other hand, is allotted 5 Mbps even though there is only 4 left over when engine 1 uses 6 Mbps. This is because of the 1/n minimum. Engine 1 then enqueues at 4 Mbps and engine 2 at 5 Mbps.


As can be seen from this example, queue synchronization will allow short term overuse of a ShapingObject. However, this should give only negligible effects.
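The share calculation described above, as an added example that is not code from the product or this guide. It assumes the rule the text states (each engine gets the total minus what its peers last reported, but never less than 1/n of the total) and a one-second reporting cycle, and it also runs a second constructed scenario in which both engines demand more than half of the object, to show the short-term overuse that the guide mentions.

```python
from typing import List, Tuple


def queuesync_shares(total_mbps: float, reported_usage: List[float]) -> List[float]:
    """Allotment per engine for one update cycle.

    reported_usage[i] is what engine i reported using in the previous cycle.
    Engine i is allotted the total minus the sum of its peers' reports, but
    never less than total/n (the 1/n minimum from the guide).
    """
    n = len(reported_usage)
    minimum = total_mbps / n
    shares = []
    for i in range(n):
        peers = sum(usage for j, usage in enumerate(reported_usage) if j != i)
        shares.append(max(total_mbps - peers, minimum))
    return shares


def simulate(total_mbps: float, demands: List[float], cycles: int) -> List[Tuple[List[float], List[float], float]]:
    """Run `cycles` one-second update rounds.

    Each engine enqueues min(demand, share) and reports that as its usage.
    Returns (shares, usage, aggregate usage) per cycle; the aggregate can
    temporarily exceed total_mbps, which is the short-term overuse.
    """
    usage = [0.0] * len(demands)          # time 0: no peer usage reported yet
    history = []
    for _ in range(cycles):
        shares = queuesync_shares(total_mbps, usage)
        usage = [min(demand, share) for demand, share in zip(demands, shares)]
        history.append((shares, usage, sum(usage)))
    return history


if __name__ == "__main__":
    # Scenario from the guide: engine 1 wants 6 Mbps, engine 2 wants 3 Mbps.
    for t, (shares, usage, total) in enumerate(simulate(10, [6, 3], 3)):
        print(f"t={t}: shares={shares} usage={usage} aggregate={total}")
    # Constructed scenario: both engines want 6 Mbps of a 10 Mbps object.
    for t, (shares, usage, total) in enumerate(simulate(10, [6, 6], 3)):
        print(f"t={t}: shares={shares} usage={usage} aggregate={total}")
```

In the second scenario the aggregate is 12 Mbps during the first cycle (no reports exist yet, so each engine sees the full 10 Mbps) and settles at 10 Mbps once the reports arrive and the 1/n minimum pins each engine at 5 Mbps.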

Queue synchronization is configured using the system configuration values EXT_QUEUESYNC_ENABLED and EXT_QUEUESYNC_IFACE (see Appendix A, System Configuration Values).

5.6.2.1. Tuning the Queue Synchronization Algorithm

By default, the queue synchronization adjusts the available bandwidth of a synchronizing peer to the new calculated value immediately. When external queue synchronization is used with more than two peers, and there are peers not seeing any traffic for the shared ShapingObject queue, this can cause oscillation leading to the ShapingObject going over limit in a non-negligible way. This can be addressed by configuring the inertia with which a peer share converges towards the calculated value. This is done by setting the system configuration value QUEUESYNC_AIMD_THRESHOLD to a non-zero value (zero disables the inertia entirely). The higher the value, the slower a peer will raise its bandwidth use in a shared ShapingObject queue.

5.6.2.2. Parallel Queueing Structure

In most other queue implementations, a packet is placed in a single queue, and when it is dequeued from there it is transmitted on the wire. In PacketLogic, a packet can be queued to any number of queues in parallel. Each queue is assigned a queue length and a bandwidth. Only when the packet is dequeued from all queues is it actually transmitted on the wire. This enables having a certain bandwidth for a User (for example, John Doe gets 5 Mbps) and a certain bandwidth for a protocol (for example, HTTP gets 30 Mbps), and then a certain bandwidth for a whole VLAN (for example, VLAN 102 gets 100 Mbps). Now, if an HTTP packet is received from John Doe on VLAN 102, that packet is queued in three different queues with bandwidth 5, 30 and 100 Mbps. Since the 100 Mbps queue is the fastest, will the packet be dequeued from that queue first? The answer is: That depends on the amount of packets already in the queues. If all queues are empty, then the packet will be dequeued from the 5 Mbps user queue last, and then be transmitted on the wire.

On top of this, queues can borrow from other queues, which is how "Borrowing" is implemented. In this case packets are queued to all queues with capacity and sent out when the top object dequeues it. If the queue in the top level object is full the packet is dropped. If a shaping object with virtual queueing enabled had capacity for the packet it is permitted to be sent out directly.

5.6.2.3. Queueing Versus Window Scaling

Some traffic shaping schemes implement their throttling by modifying TCP packets such that the TCP window sizes are decreased sufficiently to bring down the bandwidth usage on the network. This is not implemented by PacketLogic for several reasons. First, it only works on TCP traffic. Second, it only works on TCP packets that respect window sizes, i.e. not handshake and teardown packets. This will skew the relation in the queueing space between these packets and thus not scale to larger networks.

5.6.2.4. Latency

Latency in a network can cause various problems. Throughput is affected, which lowers bandwidth utilization. There are also application protocols that are sensitive to latency (particularly conferencing and streaming media applications).

However, to be able to prioritize and rate control, latency is necessary. Packets must be buffered to control the order in which they are forwarded, which is necessary to accomplish prioritization. Shaping by controlled dequeueing also requires a built up queue of packets to dequeue from, implying introduced latency. So, the more traffic is buffered, the better it can be prioritized, and the more latency is added to the affected traffic.

PacketLogic provides an administrator with the tools necessary to adjust the latency introduced to the conditions in the specific network. Queue lengths and dropping policies can be controlled with configuration values (see Section 5.6.6, “Fine-tuning the Shaping System” below), and latency sensitive applications can be managed separately by using the object and rule structure of the PacketLogic traffic management implementation combined with the precise service recognition provided by DRDL.


5.6.3. Explicit Congestion Notification (ECN)

PacketLogic supports Explicit Congestion Notification (ECN) for connections where the ECN bit is available to set (packets that have been flagged with ECT(0)). In that case PacketLogic sets the ECN bit instead of dropping a packet when an AQM wants to perform an early drop. Fragments are not marked. The ECN support is optional. To enable ECN support, set the system configuration value ECN_SUPPORT to True. This will use ECN in ShapingObjects that are split by connection, local host, or subscriber. To use ECN for all ShapingObjects, also set ECN_FULL_SHAPING to True.

Note: ECN is not applied to connections inside decapsulated tunnels.

5.6.4. Using Differentiated Services Code Point (DSCP) Marking in Shaping

It is also possible to use the DSCP field in the packet header in shaping. With system configuration value SHAPING_DSCP_MARKING set to True, the DSCP values given in the system configuration value SHAPING_DSCP_MAP will be applied to packets.

SHAPING_DSCP_MAP is a comma-separated list of DSCP values (between 0 and 63; 255 means the existing DSCP value is left). Which value is applied depends on the level of borrowing. For packets dequeued by the first ShapingObject in a shaping rule, the first value is applied. For packets dequeued by the second object (first borrowing object), the second value in the list is applied, and so on.

5.6.5. Fairness

5.6.5.1. Connection Fairness

PacketLogic, by default, does not implement connection fairness. Under most circumstances connection fairness is not necessary to enforce. Should connection fairness still be desired, enable the per-connection AQM (labelled BROWN connection fairness in the Advanced Options of the ShapingObject editor).

5.6.5.2. Host Fairness

There is also a mechanism to ensure host fairness. With Host Fairness enabled in a Shaping Object, PacketLogic will approximately divide the queue space evenly among the local IP addresses (referred to as hosts in PacketLogic) that are competing in the Shaping Object.

Host fairness works by allowing each host that has enqueued packets on the shaping object to use its fair share. The size of this "fair share" is based on the latency goal (see Section 5.6.6, “Fine-tuning the Shaping System” for detailed information on the latency goal) and how many hosts are enqueueing packets on the shaping object.

5.6.5.2.1. Local Host Fairness

With host fairness set to Local Host, hosts are not accounted. Instead, each host gets a "bucket-id". Each shaping object has a matrix of buckets that share the queue, giving each bucket a fair share of the queue (although only the buckets that have hosts in them are used). This means that sometimes hosts get the same bucket and there is no fairness between them. To mitigate this the bucket-id is re-calculated at regular intervals so hosts wander around randomly in the buckets.

The buckets do not have an internal priority order; they are treated equally when choosing which packet to dequeue next.

One limitation when combining host fairness with prioritization is that PacketLogic does not take priorities into account when enqueueing packets. This means that an unprioritized packet with space left in its bucket is allowed to enqueue, while at the same time a prioritized packet whose bucket is full might be denied enqueueing on the same queue.


5.6.5.2.2. Fair Split Host Fairness

With host fairness set to Fair Split, PacketLogic will ensure a fair share of the overall ShapingObject capacity to each host or subscriber sharing the ShapingObject. Capacity not used by a host will be available for others. To apply fairness to subscribers rather than hosts, set the Subscriber NetObject parameter to a NetObject containing all subscribers as individual subitems. Unlike Local Host fairness, fair split also needs an AQM defined.

The following limitations apply to using fair split:

• The system configuration value SHAPING_OR_BORROWING must be set to True.

• Per-subscriber byte counting will not work on ShapingObjects with fair split host fairness. To use per subscriber byte counting, set up a separate ShapingObject split by subscriber and enable the counters there.

• Fair split requires that all traffic entering the ShapingObject has the same priority. Do not mix different priorities in a ShapingObject with fair split.

5.6.5.2.3. Host Fairness in the PL10000/PL20000

The PL10000/PL20000 architecture contains multiple instances of the PacketLogic engine. Each physical flow processing (FP) module holds two physical CPUs performing packet and flow processing. Each of these CPUs, in turn, runs several threads each on several cores. Host fairness on a PL10000/PL20000 is effective within each CPU, but not between CPUs since the host fairness aspect is not included in queue synchronization (see Section 5.6.2, “Queue Synchronization” above for a description of queue synchronization). This has very little impact in reality, since the load balancing implementation, distributing connections across the FP CPUs in the system, means a single CPU can perform host fairness effectively on the allocated traffic subset.

5.6.5.3. Weighted Fair Queueing

Weighted Fair Queueing (WFQ) enables setting a ratio for each priority from four through nine for how much of the ShapingObject capacity the priority is allowed to consume. For priorities one through three strict prioritization is used.

Should a priority level not use the allotted capacity, the remainder is available for other priority levels in strict priority order.

This allows constructing a rule set where, for example, a certain service is given a priority level and then entitled to a defined ratio of the capacity.

5.6.6. Fine-tuning the Shaping System

The default behavior of PacketLogic works well for many typical network scenarios. However, certain traffic characteristics cannot be accommodated for with default values, since the settings for some extreme cases would be less suitable for more common scenarios.

The system configuration value PRIO_RETRANSMIT should generally be False.

One typical symptom which motivates looking into fine-tuning the shaping system is if the acquired bandwidth is not sufficiently close to the limits set. The acquired bandwidth will typically be 7-10% below the limits on average. This is because the limits are maximum limits for how much traffic is allowed to pass through a Shaping Object. To ensure that they are not exceeded, the real traffic will fluctuate just below the limit, but never exceed it.

If the 7-10% margin is not acceptable, but it can be allowed that a class of traffic occasionally exceeds the intended limit by a few percent, a simple solution is to add the 7-10% as headroom to the limits. That is, to obtain 2048 kbps, set the limit to around 2200 kbps. Note that if there is shaping or rate limiting being performed before PacketLogic sees the traffic (for example in modems at end users), the limit in PacketLogic should be lower than the limit imposed in other devices, to avoid that queues build up outside PacketLogic that the traffic shaping in PacketLogic cannot influence.


If the speeds deviate substantially from the limits, the values of the following parameters may be worth investigating:

• SHAPING_QUEUE_FACTOR (System Configuration)

• SHAPING_QUEUE_GOAL (System Configuration)

• Latency goal (set per limit in Shaping Objects)

• Queue size (set per limit in Shaping Objects)

Before describing how they can be modified, let us look at what these values define.

To select which packets to drop before the queue is full, so as to avoid congestion, the AQM combined with other mechanisms marks the packets that are enqueued after the queue has filled to the point where it is expected to exceed its latency goal, and drops them with a calculated drop probability. How early on these candidates are selected, and how long the queues are in total, is what the parameters determine.

Figure 5.13. Shaping Object parameters

Figure 5.13, “Shaping Object parameters” shows a Shaping Object with one associated queue. There are several queues associated with each Shaping Object. The dashed lines show the configurable values for latency goal and queue size. The latency goal, expressed in milliseconds, is calculated to a number of packets internally, based on the configured bandwidth limits.

The example in the figure above has a latency goal equivalent to three packets, a queue size of six packets, whichimplies a queue factor of two (the queue size is two times the latency goal in packets).

The values actually used are calculated as follows:

The number 666 in the denominator comes from a calculation of the most commonly found average packet size.

When a connection enqueues a packet after the queue is filled to the latency goal, PacketLogic marks that packet as a candidate for early drop.
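The marking rule just described, together with the queue-size/queue-factor relation from Figure 5.13 and the BLUE probability adjustment from Section 5.6.1, as an added example. This is illustrative code written for this edit, not the PacketLogic implementation. It takes the latency goal already converted to packets as input, because the conversion from milliseconds is not given on this page; the amount by which BLUE raises or lowers the drop probability (BLUE_STEP) is an assumption, as the guide only states the direction of the adjustment.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Assumed adjustment step for BLUE's drop probability (the guide states only
# that it is raised when the queue is full and lowered when the object is empty).
BLUE_STEP = 0.05


@dataclass
class ShapingQueue:
    """One priority queue of a Shaping Object, sized in packets."""
    latency_goal_pkts: int                  # latency goal converted to packets (3 in Figure 5.13)
    queue_factor: int = 5                   # SHAPING_QUEUE_FACTOR default given in the guide
    queue_size_pkts: Optional[int] = None   # an explicit Queue size overrides the factor
    drop_probability: float = 0.0           # BLUE's drop probability for this queue
    queued: int = 0                         # packets currently enqueued

    def __post_init__(self) -> None:
        if self.queue_size_pkts is None:
            # queue size = queue factor x latency goal (Figure 5.13: 2 x 3 = 6)
            self.queue_size_pkts = self.latency_goal_pkts * self.queue_factor

    def classify(self) -> str:
        """Mark an arriving packet according to the current queue build-up."""
        if self.queued >= self.queue_size_pkts:
            return "tail_drop"                # queue full
        if self.queued >= self.latency_goal_pkts:
            return "early_drop_candidate"     # past the latency goal: AQM may drop it
        return "forward"

    def arrival(self, rng: random.Random) -> str:
        """Enqueue one packet; returns the outcome."""
        mark = self.classify()
        if mark == "tail_drop":
            # BLUE: a full queue raises the drop probability
            self.drop_probability = min(1.0, self.drop_probability + BLUE_STEP)
            return mark
        if mark == "early_drop_candidate" and rng.random() < self.drop_probability:
            return "early_drop"               # BLUE decided to drop the candidate
        self.queued += 1
        return mark

    def dequeue(self) -> None:
        """Dequeue one packet for transmission."""
        if self.queued > 0:
            self.queued -= 1
        if self.queued == 0:
            # BLUE: an empty object lowers the drop probability
            self.drop_probability = max(0.0, self.drop_probability - BLUE_STEP)


def burst_marks(queue: ShapingQueue, packets: int, seed: int = 0) -> List[str]:
    """Outcome of `packets` back-to-back arrivals with no dequeueing in between."""
    rng = random.Random(seed)
    return [queue.arrival(rng) for _ in range(packets)]


if __name__ == "__main__":
    q = ShapingQueue(latency_goal_pkts=3, queue_factor=2)   # the Figure 5.13 queue
    print(burst_marks(q, 8))
    print("drop probability after two tail drops:", q.drop_probability)
```

With the Figure 5.13 settings, a burst of eight packets into an empty queue yields three forwarded packets, three early-drop candidates (still enqueued while the BLUE probability is zero) and two tail drops, which in turn raise the drop probability so that later candidates start to be dropped before the queue fills.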

To set a default latency goal for all queues where there is no specific latency goal set, change the System Configuration value SHAPING_QUEUE_GOAL. To set the latency goal for an individual queue in an individual Shaping Object, set the Latency goal value for that limit. To change the ratio between the latency goal and total queue size for all queues where there is no queue size set, change the System Configuration value SHAPING_QUEUE_FACTOR. To directly set the queue size for an individual queue in an individual Shaping Object, set the Queue size value for that limit.

The default values (latency goal of 30 ms and queue factor of 5) should cater well for most situations. However, if the traffic characteristics indicate that they should be altered, the first measure is usually to increase the latency goal by a factor of 5-10, to see if this remedies the problem, and then tweak the value until the achieved values are satisfactory. If the problem is only seen for one or a few Shaping Objects, it is recommended to change the values only in those Shaping Objects, since changing the System Configuration values will change all Shaping Objects where the values have not been explicitly set.

5.6.6.1. High-RTT Networks

In networks with inherently high round trip times (RTT) (for example, satellite-based ISP networks), decreasing the queue factor to 3 and increasing the queue goal is recommended. The internal and external RTT in live view or statistics will give an indication of whether the queue goal needs to be adjusted.

5.6.6.2. CoDel

When CoDel is selected as AQM, shaping should be configured with a queue goal of 5 ms and a queue size that is at least as large as the expected RTT.


Chapter 6. Filtering

PacketLogic Filtering is an add-on module for PacketLogic.

PacketLogic Filtering uses the same flexible rule system as PacketLogic Traffic Shaping. If you have a running PacketLogic Traffic Shaping system you can use the same objects as used for shaping.

The Filtering module can be used with or without the Traffic Shaping module on the same system.

PacketLogic Filtering uses the powerful IP stack of the PacketLogic system, and thus has the ability to filter packets and connections based on information extracted by PacketLogic.

PacketLogic Filtering is a layer 2 transparent firewall, thus there is no need for network address renumbering when the firewall is introduced on the network.

6.1. Maintaining Filtering Rules

Manipulating a set of filtering rules is not an easy task. It requires extensive knowledge on how IP networks and application protocols work.

With PacketLogic, the information on traffic flowing is instantaneously available. Based on this information it is easier to configure filtering policies.

All configuration of the PacketLogic Filtering is done in the Objects & Rules editor in the client (see Section 8.10.1, “Objects & Rules Editor”).

See Section 4.7, “Objects and Rules” for an overview of rules, objects, and items.

6.2. Understanding a Rule Set

For a connection passing through the filter, each rule is matched against the connection properties. But, since PacketLogic features a state keeping network stack, once a connection is accepted, all subsequent well behaving packets in this connection are accepted without further checking until some criterion in the connection changes.

A ruleset is built with conditions that decide what traffic the filter is going to consider for the different actions. The conditions can use the objects defined in Section 8.10.1, “Objects & Rules Editor” to select the granularity of the filtering rule. A filtering rule can be enabled or disabled. Only enabled rules have effect on traffic and ruleset evaluation.

Figure 6.1. List of filtering rules


A list of filtering rules is evaluated in the order the rules appear. The last filtering rule matching a connection is the one that is applied. A way to alter this behavior is to use the "Do not process additional rules" attribute. If, during evaluation of the rules, a connection comes across a filtering rule that matches and has the "Do not" attribute set, that rule will be applied immediately and no more rules will be evaluated for that connection.

Example: Consider the ruleset shown in Figure 6.1, “List of filtering rules”. The top rule, "log HTTP", has the "Quick" attribute set. The other two rules, "Block virus" and "Allow administrators", do not.

In the first scenario, a connection matches the conditions for both "Block virus" and "Allow administrators", but not for "log HTTP". Then the evaluation will proceed to the end of the ruleset and match the last matching rule, in this case "Allow administrators".

Figure 6.2. Normal rule evaluation

In the second scenario, a connection matches the first rule, "log HTTP". This rule has the "Do not process additional rules" attribute set, and the rule evaluation will end, matching on "log HTTP". The rest of the rules will not be considered.

Figure 6.3. Quick rule evaluation

Note: Remember that a filtering rule without any conditions matches everything!

6.2.1. Allowing Multiple Filtering Rules to Apply

The default behaviour, described above, allows only the settings of one filtering rule to apply to a connection. For cases where settings from different actions need to be combined, an alternative evaluation can be used. This is enabled by setting the system configuration value RULESET_FILTER_NEW_BEHAVIOUR to True.

With this enabled, filtering rule evaluation is performed as follows:

• Rules with 'Do not process additional rules' set work the same way as in the default behaviour: they are evaluated first, and a matching rule with this set terminates the rule evaluation.

• Rules without 'Do not process additional rules' set are processed in order as before. However, the ruleset is able to 'remember' rule properties and accumulate them, and then continue processing rules.

• DIVERT, REWRITE, INJECT, and ACCEPT rules are able to accumulate settings from each other, creating a combined rule that acts as an ACCEPT rule with the potential to divert, rewrite, and inject data into the connection. If a given setting is encountered more than once, the last encountered value is applied.

• REJECT and DROP rules overwrite the accumulated rule and are only able to perform their specific action.


Example 6.1. Alternative filtering ruleset evaluation

Consider a connection matching the following rules:

• Rule #1 has action DIVERT, divert channel X

• Rule #2 has action REWRITE, RewriteObject Y

This connection will have action ACCEPT, be diverted to divert channel X and rewritten according to RewriteObject Y as metadata.

Consider the case where there is a third rule:

• Rule #3 with action DROP

Then it is the DROP action that will be used, as it is the action of the last (bottom) rule.

Consider the following scenario:

• Rule #1 has action REWRITE, RewriteObject X

• Rule #2 has action REWRITE, RewriteObject Y

The connection will be accepted and rewritten with RewriteObject Y. RewriteObject X will not be applied, regardless of whether X is rewriting L3 and Y is rewriting L2.

6.2.1.1. TECH: Ruleset Execution Order for Alternative Evaluation

The order the accumulated actions will be executed in is:

1. Rewrite

2. Inject

3. Divert

Consequently, if Rewrite is used, the rewritten header is the one stored by Divert.
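The two evaluation modes described in Sections 6.2 and 6.2.1, together with the execution order above, as a small executable model. This is an added illustration, not Procera's ruleset code: the rule and connection representations, the condition-matching test (a connection is a set of tags and a rule matches when all its condition tags are present), the actions and tags assumed for the Figure 6.1 rules, and the treatment of an accumulating rule that follows a REJECT/DROP are all assumptions made here. The Example 6.1 rulesets are reproduced so the results can be checked against the text.

```python
"""Model of PacketLogic filtering-rule evaluation (added illustration, not
Procera code). Rules, connections and the matching test are constructed
here: a connection is a frozenset of attribute tags, and a rule matches
when all of its condition tags are present (empty conditions match all)."""
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"REJECT", "DROP"}                      # overwrite the accumulated rule
EXECUTION_ORDER = ("rewrite", "inject", "divert")  # Section 6.2.1.1


@dataclass
class Rule:
    name: str
    action: str                                   # ACCEPT, REJECT, DROP, DIVERT, REWRITE, INJECT
    conditions: frozenset = frozenset()           # no conditions: matches everything
    quick: bool = False                           # "Do not process additional rules"
    settings: dict = field(default_factory=dict)  # e.g. {"divert": "X"}

    def matches(self, conn: frozenset) -> bool:
        return self.conditions <= conn


def evaluate_default(rules, conn) -> Optional[Rule]:
    """Default behaviour: the last matching rule applies, unless a matching
    rule with 'Do not process additional rules' is reached, which applies
    immediately and ends evaluation."""
    last = None
    for rule in rules:
        if rule.matches(conn):
            if rule.quick:
                return rule
            last = rule
    return last


def evaluate_accumulating(rules, conn) -> Optional[dict]:
    """RULESET_FILTER_NEW_BEHAVIOUR=True. Quick rules are evaluated first and
    terminate evaluation if they match. Otherwise DIVERT/REWRITE/INJECT/ACCEPT
    settings accumulate into one combined ACCEPT rule (last value of a setting
    wins); REJECT/DROP overwrites the accumulated rule. Assumption: an
    accumulating rule that follows a REJECT/DROP starts a fresh ACCEPT rule."""
    for rule in rules:
        if rule.quick and rule.matches(conn):
            return {"action": rule.action, **rule.settings}
    acc = None
    for rule in rules:
        if rule.quick or not rule.matches(conn):
            continue
        if rule.action in TERMINAL:
            acc = {"action": rule.action}          # accumulated settings are discarded
        else:
            if acc is None or acc["action"] in TERMINAL:
                acc = {"action": "ACCEPT"}
            acc.update(rule.settings)
    return acc


def execution_order(acc) -> list:
    """Order in which the accumulated actions are executed: rewrite, inject, divert."""
    if not acc or acc["action"] != "ACCEPT":
        return []
    return [k for k in EXECUTION_ORDER if k in acc]


# Ruleset of Figure 6.1 (actions and condition tags are assumed here).
FIGURE_6_1 = [
    Rule("log HTTP", "ACCEPT", frozenset({"http"}), quick=True),
    Rule("Block virus", "REJECT", frozenset({"virus"})),
    Rule("Allow administrators", "ACCEPT", frozenset({"admin"})),
]

# Rulesets of Example 6.1 (no conditions, so every connection matches).
EXAMPLE_6_1 = [
    Rule("#1", "DIVERT", settings={"divert": "X"}),
    Rule("#2", "REWRITE", settings={"rewrite": "Y"}),
]
EXAMPLE_6_1_DROP = EXAMPLE_6_1 + [Rule("#3", "DROP")]
EXAMPLE_6_1_TWO_REWRITES = [
    Rule("#1", "REWRITE", settings={"rewrite": "X"}),
    Rule("#2", "REWRITE", settings={"rewrite": "Y"}),
]

if __name__ == "__main__":
    print(evaluate_default(FIGURE_6_1, frozenset({"virus", "admin"})).name)
    print(evaluate_accumulating(EXAMPLE_6_1, frozenset()))
    print(evaluate_accumulating(EXAMPLE_6_1_DROP, frozenset()))
```

Running the model over the Example 6.1 rulesets gives the combined ACCEPT rule carrying both the divert and the rewrite setting, DROP when the third rule is present, and only RewriteObject Y for the two-rewrite case.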

6.3. Actions

Each filtering rule has an action. The action defines how the filter should react when presented with the matching connection. You can choose from one of the following actions: Accept, Reject, Drop or Divert.

Figure 6.4. Selecting an action in a filtering rule


6.3.1. Accept

The connection is accepted.

6.3.2. Reject

The connection is not accepted. A packet is sent back to the client notifying that the connection was refused.

The actual packet transmitted depends on the protocol used in the offending packet. If it was TCP, then PacketLogic Filtering sends an RST packet; for other protocols, an ICMP port unreachable is sent.

6.3.3. Drop

With Drop, the connection is not accepted and no notification is sent to the client. The connection is silently dropped.

Note: It is polite to tell both the server and the client that this session is not allowed, so the rule should rather be "Reject" than "Drop". This is important when dealing with detected protocols, as a connection is established before it is firewalled, and we do not want the parties (hosts) to end up with a session that lives until there is a TCP timeout, which is about 2 days.

6.3.4. Rewrite

With Rewrite, a RewriteObject is selected and applied to the matching traffic. This rewrites the packets according to the RewriteObject before forwarding them. For information on RewriteObjects, see Section 4.7.4.1, “RewriteObjects”.

When Rewrite uses a RewriteObject to rewrite the source IP address of the connection, this enables network address translation (NAT) in PacketLogic. For details, see Section 4.3, “Carrier Grade Network Address Translation (NAT)”.

6.3.5. Divert

With Divert, the connections matching the rule are passed to the divert label(s) before being forwarded. For details on Divert, see Section 6.9, “TECH: Divert”.

6.3.6. Inject

With Inject, the client receives a packet with the inject data (as specified in the rule editor) along with the FIN and ACK flags set. The client will also receive a final ACK packet in response to the FIN/ACK packet it sends back. The server gets a packet with the RST flag set. Hence, the connection is terminated on both ends. The client takes any action prompted by the injected data. The case for which the inject action is designed is HTTP redirection by means of injecting an HTTP 307 (Temporary Redirect) response. This causes the HTTP client (web browser) on the client to initiate a new connection to the HTTP server given in the URL used in the injected response.

Note: Ensure that the server being redirected to is excluded from the rule applying Inject; otherwise the connections that have already been redirected are closed again with a redirect. This is easily achieved by adding a NetObject with the IP address of the server to redirect to and adding the condition Server NetObject not equals that NetObject to the rule.

Injection can also use properties from the connection subject to the injection. This is done by enclosing the name of the property in curly brackets in the inject string. To URL encode the property, prepend it with a percent character (%) inside the curly brackets. To allow a property to be absent from the connection, prepend it with a caret character (^).


Example:

http://landing.example.com/main?StatusCode={^Status Code}&FailedURI={%URL}&Referer={%Referer}

This inject string uses the properties Status Code, URL, and Referer from the connection in the injected data. Status Code may be absent from the connection, and URL and Referer are URL encoded.

If properties used in the inject string are missing from the connection and are not prepended by a caret (^), the injection fails. The system configuration value ALLOW_FWD_ON_INJECT determines how PacketLogic handles the original connection in that case. If ALLOW_FWD_ON_INJECT is True, the packets are forwarded. If it is False, the packets are dropped. The value is in the Packet Handling section of the system configuration (see Appendix A, System Configuration Values).

In the same way, information from the connection 5-tuple (client and server IP and port, and protocol) can be used in the injected data. The following keywords can be used in the same way as the properties above:

• SERVER-IP (use {%SERVER-IP} in the inject string)

• CLIENT-IP (use {%CLIENT-IP} in the inject string)

• SERVER-PORT (use {%SERVER-PORT} in the inject string)

• CLIENT-PORT (use {%CLIENT-PORT} in the inject string)

• PROTOCOL (use {%PROTOCOL} in the inject string)
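The inject-string syntax above (plain, % and ^ prefixes, 5-tuple keywords) and the ALLOW_FWD_ON_INJECT decision, as an added example that is not PacketLogic's own implementation. The expansion function, the connection dictionary keys (server_ip, client_ip, ...), the shape of the generated 307 response and the assumption that % and ^ may be combined inside one pair of brackets are all constructed here; the template is the one from the guide and the property values are sample data.

```python
"""Expansion of PacketLogic inject strings (added illustration, not Procera
code). Implements the {Property}, {%Property} (URL encode) and {^Property}
(may be absent) syntax from the guide plus the 5-tuple keywords, and models
the ALLOW_FWD_ON_INJECT decision when a required property is missing."""
import re
from urllib.parse import quote

FIVE_TUPLE_KEYWORDS = ("SERVER-IP", "CLIENT-IP", "SERVER-PORT", "CLIENT-PORT", "PROTOCOL")

# {flags name}: flags are any combination of % and ^ (combining both is an assumption).
_TOKEN = re.compile(r"\{([%^]*)([^{}]+)\}")


class MissingPropertyError(KeyError):
    """A property without the ^ flag is absent from the connection."""


def expand_inject_string(template: str, properties: dict) -> str:
    """Substitute connection properties into the inject string."""
    def replace(match):
        flags, name = match.group(1), match.group(2)
        if name not in properties:
            if "^" in flags:
                return ""                 # tolerated absence expands to nothing
            raise MissingPropertyError(name)
        value = str(properties[name])
        return quote(value, safe="") if "%" in flags else value
    return _TOKEN.sub(replace, template)


def connection_properties(conn: dict, drdl_properties: dict) -> dict:
    """Merge the 5-tuple keywords with the DRDL properties of a connection.
    The conn keys are constructed here, not a PacketLogic API."""
    five_tuple = {
        "SERVER-IP": conn["server_ip"], "CLIENT-IP": conn["client_ip"],
        "SERVER-PORT": conn["server_port"], "CLIENT-PORT": conn["client_port"],
        "PROTOCOL": conn["protocol"],
    }
    return {**drdl_properties, **five_tuple}


def inject_decision(template: str, properties: dict, allow_fwd_on_inject: bool):
    """Return (injected_response, disposition). disposition is 'inject' when the
    client gets the 307 and both ends are torn down; if a required property is
    missing the injection fails and the original packets are 'forward'ed or
    'drop'ped according to ALLOW_FWD_ON_INJECT."""
    try:
        location = expand_inject_string(template, properties)
    except MissingPropertyError:
        return None, ("forward" if allow_fwd_on_inject else "drop")
    response = ("HTTP/1.1 307 Temporary Redirect\r\n"
                f"Location: {location}\r\n"
                "Content-Length: 0\r\n\r\n")
    return response, "inject"


# Inject string from the guide; the connection data below is constructed.
TEMPLATE = ("http://landing.example.com/main?StatusCode={^Status Code}"
            "&FailedURI={%URL}&Referer={%Referer}")
SAMPLE_PROPERTIES = {"URL": "http://example.org/a b", "Referer": "http://ref.example/?q=1"}
SAMPLE_CONN = {"server_ip": "192.0.2.1", "client_ip": "192.0.2.2",
               "server_port": 80, "client_port": 51000, "protocol": "TCP"}

if __name__ == "__main__":
    print(expand_inject_string(TEMPLATE, SAMPLE_PROPERTIES))
    print(inject_decision(TEMPLATE, {"URL": "http://example.org/"}, False))
```

With Status Code absent the first parameter expands to an empty value, the two %-prefixed properties are percent-encoded, and leaving out Referer (which has no ^) makes the injection fail, so the original packets are dropped unless ALLOW_FWD_ON_INJECT is True.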

6.4. Monitor

PacketLogic features an extensive flow inspection engine that classifies all traffic. This can also be used to enable the scripting core of the PacketLogic to process or save packet and flow contents.

The monitor interface can use a virtual interface that the PacketLogic uses to redirect and analyze the content. Monitoring can also use a physical channel or channel interface by defining a monitor label in the channel editor (see Section 8.10.10, “Channel Editor”).

The monitor interface can be used for Lawful Interception as well as traffic analysis or, for example, sending traffic dumps of flows that are proprietary to the local network to aid DRDL development.

For instructions on setting up PacketLogic to monitor traffic for snooping or capture purposes, see Section 10.3, “Enabling Snooping”.

Note: The virtual interfaces have limited bandwidth available. Use match conditions as narrow as possible when using a monitor interface in a filtering rule. If the monitored traffic reaches 1 Gbps or more, it may congest inside PacketLogic, leading to unreliable results.

There are six monitor options:


Figure 6.5. Selecting a Monitor Interface

6.4.1. Custom Snooper

It is possible to monitor traffic to a custom snooper. The custom snooper can be used for anything available to a snooper script in Python. Examples include tunneling packets in a GRE tunnel or forwarding them to a remote system using UDP. To use a custom snooper, name the snooper file custom.py and upload it to the Custom Snooper files folder in the file manager in the PacketLogic client. The snooper is used when a filtering rule has Custom snooper selected as Monitor interface in the Advanced options of the Filtering rule editor. The monitored traffic uses the Admin or Aux interface of the PacketLogic, depending on which network the endpoints are on.

For examples, turn to Appendix F, GRE Transport for Monitored Traffic for a GRE transport or Appendix G, UDP Transport for Monitored Traffic for a UDP transport.

6.4.2. DHCP Snooper

Dynamic Host Configuration Protocol (DHCP) is one of the most used protocols for assigning IP addresses to users. The client sends a broadcast UDP packet asking for an IP address, giving its unique Machine Access Control (MAC) address as reference. If authorized, the DHCP server responds with a DHCP acknowledge which includes the IP address of the computer.

The DHCP snooper can intercept this communication and make a MAC address to IP address translation. This mapping is automatically appended to the PacketLogic NetObject structure. A computer with MAC address XX:XX:XX:XX:XX that is assigned IP 192.168.1.42 gets an entry in /NetObjects/DHCP/By MAC/XXXXXXXXXX with an item that contains the IP.

If the DHCP request is relayed by a relay agent, the IP address is also added under "/NetObjects/DHCP/By relay-agent/1.2.3.4", where 1.2.3.4 is the IP address of the relay agent.

If option 82 (Relay Agent Information) is present in the request, the IP is added to a NetObject named "/NetObjects/DHCP/By option-82/<Agent Circuit ID>/<Agent Remote ID>".


Both "Agent Remote ID" and "Agent Circuit ID" values are vendor specific. The DHCP snooper treats them as opaque values and only encodes them as hex strings to make them usable as NetObject names. "Agent Circuit ID" is often the switch port if the relay agent is a switch. Consult the documentation for the relay agent for the exact meaning and encoding of those options. More information about this can be found in RFC 3046.

The snooper script used can be found in the File Manager in the PacketLogic client (see Section 8.10.6, “File Manager”) connected to the system, in the folder DHCP Snooping files.

6.4.3. Label

The Label option sends a duplicate of the traffic to the configured monitor label.

A monitor label is a target for monitored traffic from a filtering rule. Monitor labels are configured in the channel editor (see Section 8.10.10, “Channel Editor”). Multiple monitor labels can be entered, comma-separated, in the text field shown when <Label> is selected, in which case the monitored traffic is sent to all labels.

A monitor label consists of a physical channel and an optional VLAN tag. Traffic matching a filtering rule monitoring to a label is sent on that channel and tagged with the selected VLAN tag.

Note: Monitoring to a physical port on a PL10000/PL20000 platform uses bandwidth on the backplane. Ensure that the traffic subset monitored is kept to a minimum to avoid buffer overruns or backplane bandwidth starvation. Monitoring more than 1 Gbps in total may cause backplane starvation, and more than 1 Mpps per flow processing CPU may cause buffer problems on the flow processing CPU.

6.4.4. PCAP/PCAP-2 Writer

PCAP is a common packet capture format, which allows the monitor function to save the traffic to a file. The files are then downloaded from the PacketLogic File Manager (see Section 8.10.6, “File Manager”) to a local computer where they can be processed. The files can be found in the folders PCAP/PCAP-2 Writer files. The files are split after a certain number of packets have been stored; the number of files and their size are configurable in the CLI system configuration (see Chapter 9, CLI Menu).

There are two PCAP writer interfaces: PCAP and PCAP-2. This allows writing to different PCAP files if necessary.

6.4.5. RADIUS Snooper

Remote Authentication Dial In User Service (RADIUS) is a very common protocol where traditional telecommunication equipment is used, such as the various DSL standards.

The RADIUS snooper listens for "AccessRequest"-"AccessAccept" pairs. This means that it knows when an IP address is allowed access (according to RADIUS) to some service, and it adds the IP address to the rule set.

The IP is added under "/NetObjects/RADIUS/By Calling Station/<Calling Station>" and "/NetObjects/RADIUS/By NAS Port/<NAS IP> - <NAS Port>". "Calling Station" identifies the end user and could be the telephone number in the case of a dial-in service. "NAS IP" and "NAS Port" are the IP address and port of the equipment that terminates the connection (such as a DSLAM or wireless access point). Consult the documentation for the NAS for the exact meaning. More information about this can be found in RFC-2856.

Both the DHCP and the RADIUS snooper are written in Python with source code included, allowing easy customization.

The snooper script used can be found in the File Manager in the PacketLogic client (see Section 8.10.6, “File Manager”) connected to the system, in the folder RADIUS Snooping files.

6.4.6. SIP Snooper

The SIP snooper extracts basic information about SIP traffic from the monitored traffic and sends it to the syslog daemon. The information is represented in a comma-separated format, containing the following fields:


• Time (as a unix timestamp including milliseconds)

• Source IP address

• Source port

• Destination IP address

• Destination port

• From (Caller)

• To (Callee)

• Method

• Request URI

• Code

• Call ID

• Call sequence number

• Reason

Example: The following is an example entry from the SIP snooper, as found in the Python Programs log in the Log Viewer:

Mar 28 01:15:54 pl2 python: sipdata:1175037354.29,10.1.1.1,5060,192.168.1.2,5060, """foo"" <sip:[email protected]>;tag=b56e6e",<sip:[email protected]>,,,100, [email protected],2 INVITE,Trying

The example above contains the following information:

• Time: 1175037354.29

• Source IP: 10.1.1.1

• Source port: 5060

• Destination IP: 192.168.1.2

• Destination port: 5060

• From: """foo"" <sip:[email protected]>;tag=b56e6e"

• To: <sip:[email protected]>

• Method:

• Request URI:

• Code: 100


• Call ID: [email protected]

• Call sequence number: 2 INVITE

• Reason: Trying
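A parser for SIP snooper entries of the format listed above, as an added example that is not the snooper's own code. The syslog prefix pattern, the field names and the CSV handling (quoted fields with doubled quotes, a blank after some commas) follow the example entry; the sample line embedded below is constructed after that entry with example.com placeholder addresses, so the values it yields are sample data, not the ones in the guide.

```python
"""Parser for the comma-separated SIP snooper entries that PacketLogic sends
to syslog (added illustration, not the snooper's own code). SAMPLE_LINE is
constructed after the format in the guide with example.com placeholders."""
import csv
import io
import re

# Field order as listed in Section 6.4.6.
SIP_FIELDS = ("time", "src_ip", "src_port", "dst_ip", "dst_port", "from_", "to",
              "method", "request_uri", "code", "call_id", "cseq", "reason")

# syslog prefix: "<timestamp> <host> python: sipdata:<csv>"
_LINE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) python: sipdata:(?P<csv>.*)$")

SAMPLE_LINE = (r'Mar 28 01:15:54 pl2 python: sipdata:1175037354.29,10.1.1.1,5060,192.168.1.2,5060,'
               r' """foo"" <sip:alice@sip.example.com>;tag=b56e6e",<sip:bob@sip.example.com>,,,100,'
               r' a84b4c76e66710@10.1.1.1,2 INVITE,Trying')


def parse_sip_snooper_line(line: str) -> dict:
    """Return the entry as a dict keyed by SIP_FIELDS (plus host and the split
    CSeq) with typed numeric fields; raises ValueError on other lines."""
    match = _LINE.match(line)
    if not match:
        raise ValueError("not a SIP snooper entry: %r" % line)
    # CSV with doubled quotes inside quoted fields; skipinitialspace handles
    # the blank that follows some commas in the log output.
    row = next(csv.reader(io.StringIO(match.group("csv")), skipinitialspace=True))
    if len(row) != len(SIP_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(SIP_FIELDS), len(row)))
    rec = dict(zip(SIP_FIELDS, row))
    rec["host"] = match.group("host")
    rec["time"] = float(rec["time"])            # unix timestamp with milliseconds
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["code"] = int(rec["code"]) if rec["code"] else None   # empty for requests
    # "2 INVITE" -> sequence number and method of the CSeq header
    number, _, method = rec["cseq"].partition(" ")
    rec["cseq_number"] = int(number) if number.isdigit() else None
    rec["cseq_method"] = method
    return rec


if __name__ == "__main__":
    for key, value in parse_sip_snooper_line(SAMPLE_LINE).items():
        print("%-12s %r" % (key, value))
```

Note that the From field in the log is CSV-quoted: the outer quotes and the doubled inner quotes are delimiter escaping, so the parsed value is `"foo" <sip:...>;tag=...`, not the raw text shown in the breakdown above.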

The snooper script used can be found in the File Manager in the PacketLogic client (see Section 8.10.6, “File Manager”) connected to the system, in the folder SIP Snooper files.

6.5. Rule List Evaluation

Normally the filter evaluates the list of filtering rules from the top to the bottom and uses the rule that matched most recently (that is, the one furthest down the list). When the Do not process additional rules attribute is set, the filter skips matching the rest of the rules in the list if that rule matches.

6.6. Using the Log Attribute

Figure 6.6. The Log attribute

To keep logs of connections or connection attempts, use the log attribute for a certain rule. Each connection may end up in the log more than once, if the connection information changes.

Logging can be either brief or verbose. Brief logging stores the following information:

• The rule that caused the log entry

• The service as identified by DRDL

• The client and server IP addresses and ports

• The protocol used

Verbose logging, in addition to the information above, stores all information on the connection as identified by DRDL.

Note: Logging imposes a considerable load on the PacketLogic Filtering. A badly configured firewall that logs too extensively could decrease the performance of the Filtering.

6.7. Monitoring the Filtering

There is real-time information on the performance of filtering rules in the LiveView part of the client, in the Filtering Rules view and the System Diagnostics - Filtering view. A history of connections matching the filtering rules where logging is enabled can be found in the Filtering Log view in LiveView.


6.7.1. Filtering Log View

Figure 6.7. The filtering log view

If a rule has the log attribute set, information about packets and connections using this rule is saved in the filtering log. The log contains a list of entries, where each entry specifies time, matched rule, matched service, client, server, client port, server port and IP protocol.

The number of entries stored is controlled by the system configuration value FW_MAX_LOG (see Appendix A, System Configuration Values).

6.7.2. Sending the Filtering Log to Syslog

The filtering log can also be sent to the syslog server. First, configure the syslog server in the CLI (see Chapter 9, CLI Menu). This configuration change requires a restart from the CLI (see Chapter 9, CLI Menu). Then set the System Configuration variable FW_SYSLOG to True in the System Configuration editor in the client (see Appendix A, System Configuration Values for descriptions of system configuration values and Section 8.10.12, “System Configuration Editor” for a description of the System Configuration editor in the client), and reload the configuration (choose File -> Reload Configuration.. in the System Configuration editor; note that this causes a short stop in traffic).

The filtering log is now sent to the configured syslog server. Syslog only accepts brief filtering logging, so the Verbose setting in a rule still only gives Brief logging to syslog.

6.8. Filtering default behavior

6.8.1. Using the "Accept All Except These" Approach

The easiest firewall to configure is a firewall that allows all connections except those matching a list of rules. These rules protect certain services that you do not want passing the firewall. This approach is not very secure, but still very usable.

To build a rule set using this approach, let the last rule in the rule set match all connections (using no conditions will work) and use the Accept action. Then add rules before this "Policy rule" (the last rule in the rule set) that use the Do not process additional rules attribute and Reject or Drop certain connections.

6.8.2. Using the "Reject All Except These" Approach

This approach is somewhat more complicated for the person configuring the firewall and requires more extensive knowledge of networks and application protocols.

The Policy rule should match all connections and use the Reject or Drop action.

Then add rules with the Accept action that match the connections you want to allow.


Note: If a strict firewall is required, check whether the PacketLogic system has network bypass functionality installed and activated. Bypass means that the traffic fails to wire in case the PacketLogic suffers a system failure, forwarding all traffic. This may conflict with a very strict firewall policy, in which case one has to consider disabling the bypass functionality.

6.9. TECH: Divert

When traffic is diverted, it is redirected internally to a channel, optionally with a VLAN tag added. The target is called a divert label. Any channel in the PacketLogic can be included in a divert label. For details on divert labels, see Section 6.9.3, “Divert Labels”. Diverting is intended for connecting equipment that does packet analysis, to divert the relevant traffic to that equipment. When the external unit forwards the packet, it is sent back to the PacketLogic on the divert channel and forwarded on the regular channel.

Figure 6.8. Divert functionality

Figure 6.8, “Divert functionality” shows the divert functionality for outbound traffic (going from internal to external). Inbound traffic is handled in the same way in the opposite direction.

When PacketLogic receives packets in connections that are to be diverted, it stores data about the original connection to ensure that packets that come from the divert unit have correct packet headers. This data is stored per direction. Should the divert unit send packets in a direction for which no packet in a connection has yet been seen, such data is constructed from the existing data for the other direction, but with source/destination MAC addresses reversed. As soon as a packet in the reverse direction is seen, this constructed data is overwritten with the data seen.

1. Traffic arrives in the internal interface of the normal traffic channel.

2. The PacketLogic ruleset selects packets to send to the divert label, by matching conditions on a filtering rule with action Divert. All other traffic is unaffected.

3. The selected traffic is forwarded on the external interface of the divert channel, to which the internal interface of the divert unit is connected.

4. The divert unit performs its analysis and actions on the traffic it receives.

5. The divert unit forwards the traffic on its external interface, to which the internal interface of the divert channel on the PacketLogic is connected.

6. PacketLogic sends the traffic to the external interface of the normal traffic channel.

7. The traffic is forwarded on the external interface of the normal traffic channel, exactly like the traffic that has not been diverted.

8. PacketLogic continuously sends heartbeat packets on the divert channel to ensure that the divert unit is operational (see Section 6.9.5, “Heartbeats” for details).


This is the case for a single divert channel. Any number of channels can be used for diverting. The diverting can be parallel (see Figure 6.9, “Multiple divert channels”), chained (see Section 6.9.4, “Chained Divert”), or both.

Figure 6.9. Multiple divert channels

6.9.1. Installation

The unit connected to the divert channel (henceforth referred to as the divert unit) can be a transparent layer 2 device or a routing layer 3 device. PacketLogic detects which it is and acts accordingly.

Any regular channel can be configured as a divert channel. In the channel editor (see Section 8.10.10, “Channel Editor”), on the Physical Channels tab, set the value in the Used for column to Divert. On the Divert Labels tab, create a divert label and include a divert label entry with the channel to use. For details on divert label configuration, see Section 6.9.3, “Divert Labels”.

The internal port of the divert unit shall be connected to the external interface on the PacketLogic channel used for divert, and the external port of the divert unit shall be connected to the internal interface on the PacketLogic channel used for divert. This "reversed" interface connection is necessary to allow the divert channel to coexist with the regular channels.

For any connections the divert unit initiates independently, a separate interface not connected to the divert channel on the PacketLogic must be used.

6.9.2. Configuration

The following steps enable divert:

1. At least one divert label must be defined (see Section 6.9.3, “Divert Labels”).


2. A non-zero setting of the system configuration value DIVERT_NUM_HOSTS. DIVERT_NUM_HOSTS defines the number of entries in the divert hosts table to allocate space for. Each entry holds a pair of hosts in a connection being diverted, so the table needs to be large enough to hold all such pairs in the diverted set of connections. Setting DIVERT_NUM_HOSTS to zero disables Divert.

3. A filtering rule with action Divert, which diverts all traffic matching its conditions to the divert label. When no enabled rules using the Divert action exist, Divert is not operating (however, memory for the divert data structures is still allocated if DIVERT_NUM_HOSTS is non-zero).

Before the divert channel starts receiving actual traffic, PacketLogic ensures the divert unit is operational by sending heartbeat packets (see Section 6.9.5, “Heartbeats”).

6.9.3. Divert Labels

A divert channel is an abstraction identified by a divert label. When a filtering rule uses divert, divert labels are used to identify where the matching traffic shall be diverted. A divert label can, in the simplest case, be a single physical channel. It can also contain more than one entry, where each entry consists of a channel, a VLAN tag, a load balancing scheme, and asymmetric VLAN assignment. Each label can use a maximum of 28 entries. For an example, see Figure 6.10, “Divert label with entries”. There is one divert label defined, named Divert.video. This is the target that can be indicated in filtering rules. The label can also use a load balancing scheme. The divert label Divert.video contains two divert label entries, each consisting of a channel, a VLAN, and optionally asymmetric VLAN assignment.

Figure 6.10. Divert label with entries

6.9.3.1. Divert Channel

The channel in a divert label entry is the physical channel that shall be used.

6.9.3.2. Divert VLAN

The divert VLAN is a VLAN tag that is added to the traffic diverted to this divert label entry.

Note: VLAN 0 means untagged.

6.9.3.2.1. Asymmetric VLAN

This is a property in the divert label entry that defines whether the VLAN tag assigned to traffic diverted to this divert label entry shall differ depending on the direction of the traffic. With this set, packets going to and from the local host have the configured VLAN added, whereas packets going to and from the remote host have the configured VLAN incremented by one added (for example, a divert label entry with VLAN 1 and asymmetric VLAN configured adds VLAN 1 to the traffic to and from the local host and VLAN 2 to the traffic going to and from the remote host). This is useful to allow the switch that separates the VLANs to differentiate between the directions.


Note: With asymmetric VLAN assignment, ensure that the increment is reserved. That is, if a divert label entry on one channel uses VLAN 1 and asymmetric VLAN, do not use VLAN 2 for another divert label on the same channel. Also, VLANs 0 (untagged) and 4095 cannot be used with asymmetric VLAN. VLAN 0 means untagged, and using asymmetric VLAN would give inbound traffic VLAN 1, meaning the headers have different lengths, which is not allowed. VLAN 4095 does not work with asymmetric VLAN since it is not possible to increment the VLAN beyond 4095.

6.9.3.2.2. Load Balancing

This defines how to load balance the traffic over the entries in a divert label. The available options are:

Hash Local Host: This load balancing scheme selects the entry based on a hash of the local host IP address.

Round Robin: This load balancing scheme uses simple round robin among the available entries.
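A model of divert label entries covering the asymmetric VLAN rules in the note above (VLAN 0 and 4095 excluded, the incremented VLAN reserved on the same channel), the 28-entry limit, the VLAN chosen per direction, and the two load balancing schemes. This is an added example, not Procera's channel editor or forwarding code: the entry representation, the validation function and the concrete hash used for Hash Local Host (the guide does not specify one; SHA-256 of the address is used here) are assumptions, and the Divert.A label at the end reproduces the four-entry configuration of Section 6.9.3.3.2.

```python
"""Model of PacketLogic divert labels, asymmetric VLAN assignment and load
balancing (added illustration, not Procera code). The entry checks follow
the notes in Section 6.9.3.2; the hash function for Hash Local Host is an
assumption, since the guide does not specify it."""
import hashlib
import itertools
from dataclasses import dataclass

VLAN_MAX = 4095
MAX_ENTRIES = 28
SCHEMES = ("Hash Local Host", "Round Robin")


@dataclass(frozen=True)
class DivertEntry:
    channel: int
    vlan: int                 # 0 means untagged
    asymmetric: bool = False  # traffic from the remote host gets vlan + 1


def accepted_vlans(entry) -> set:
    """VLAN tags PacketLogic accepts back from the divert unit for this entry."""
    return {entry.vlan, entry.vlan + 1} if entry.asymmetric else {entry.vlan}


def tag_for(entry, from_remote: bool) -> int:
    """VLAN added to a diverted packet: the configured VLAN for packets from
    the local host, VLAN + 1 for packets from the remote host if asymmetric."""
    return entry.vlan + 1 if (entry.asymmetric and from_remote) else entry.vlan


def validate_entries(entries):
    """Reject configurations the guide rules out: asymmetric entries on VLAN 0
    or 4095, a VLAN (or its reserved increment) claimed twice on one channel,
    and labels with more than 28 entries."""
    if not 1 <= len(entries) <= MAX_ENTRIES:
        raise ValueError("a divert label takes 1 to %d entries" % MAX_ENTRIES)
    claimed = {}
    for entry in entries:
        if not 0 <= entry.vlan <= VLAN_MAX:
            raise ValueError("VLAN %d out of range" % entry.vlan)
        if entry.asymmetric and entry.vlan in (0, VLAN_MAX):
            raise ValueError("asymmetric VLAN cannot be used with VLAN %d" % entry.vlan)
        for vlan in accepted_vlans(entry):
            key = (entry.channel, vlan)
            if key in claimed:
                raise ValueError("VLAN %d on channel %d is already used" % (vlan, entry.channel))
            claimed[key] = entry


def is_valid(entries) -> bool:
    try:
        validate_entries(entries)
        return True
    except ValueError:
        return False


class DivertLabel:
    def __init__(self, name, entries, scheme="Hash Local Host"):
        if scheme not in SCHEMES:
            raise ValueError("unknown load balancing scheme %r" % scheme)
        validate_entries(entries)
        self.name, self.entries, self.scheme = name, list(entries), scheme
        self._round_robin = itertools.cycle(range(len(self.entries)))

    def select_entry(self, local_host_ip: str):
        """Pick the entry for a connection. Hash Local Host keeps every
        connection of one local host on the same entry; Round Robin rotates."""
        if self.scheme == "Round Robin":
            return self.entries[next(self._round_robin)]
        digest = hashlib.sha256(local_host_ip.encode()).digest()   # assumed hash
        return self.entries[int.from_bytes(digest[:4], "big") % len(self.entries)]

    def select_vlans(self, local_host_ips) -> list:
        """VLAN chosen for each local host in turn (handy for checking a scheme)."""
        return [self.select_entry(ip).vlan for ip in local_host_ips]


# Divert.A from Section 6.9.3.3.2: four entries on channel 2, VLANs spaced two apart.
DIVERT_A = DivertLabel("Divert.A", [DivertEntry(2, v, asymmetric=True) for v in (1, 3, 5, 7)],
                       "Round Robin")

if __name__ == "__main__":
    entry = DIVERT_A.select_entry("192.0.2.10")   # constructed local host address
    print(entry, tag_for(entry, from_remote=False), tag_for(entry, from_remote=True))
    print(is_valid([DivertEntry(2, 1, True), DivertEntry(2, 2)]))   # increment not reserved
```

For the Divert.A label, the second entry (VLAN 3) tags client traffic with VLAN 3 and server traffic with VLAN 4, and both tags are accepted back from the switch, matching the walk-through in Section 6.9.3.3.2.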

6.9.3.3. Use Cases

The virtualization of divert channels into divert label entries allows using a switch between the PacketLogic and multiple divert units to which traffic shall be diverted, both to minimize the use of channel interfaces on the PacketLogic for divert and to allow load balancing over multiple divert units.

6.9.3.3.1. Diverting to Multiple Units on one Channel

One potential use is to divert to multiple units without having to dedicate more than one channel. This is useful if the expected throughput for a set of divert units to which to divert traffic is significantly less than the capacity of one channel, and the remaining channels are needed for regular traffic management.

Such a setup could look as follows:

Figure 6.11. Diverting to multiple units using VLAN

• There are four divert labels configured in the Channel Editor (Divert.A, Divert.B, Divert.C, Divert.D). Each divert label has one entry. All use channel 2 and asymmetric VLAN. Divert.A uses divert VLAN 1, Divert.B VLAN 3, Divert.C VLAN 5, and Divert.D VLAN 7. The VLANs used are spaced two apart to allow the asymmetric VLAN assignment, where the traffic to and from the remote host has the VLAN assignment incremented by one (so remote host traffic going to, for example, divert label Divert.A gets VLAN 2).

• There are four filtering rules matching the traffic to divert to each system. These rules can, for example, select services applicable for the divert units (streaming video to video optimization systems, web browsing to blacklist units, and so on). Rule A uses divert label Divert.A, Rule B uses Divert.B, and so on.

1. Outbound traffic from the client arrives on the internal channel interface on channel 1, a regular channel. Traffic matches filtering rule Rule B, which diverts to divert label Divert.B. PacketLogic stores the original L2 header since it will be replaced with a divert-specific header. The single entry in Divert.B is channel 2 with VLAN 3, so PacketLogic adds that VLAN tag.

2. The switch is configured to take traffic tagged with VLAN 3 and send it out untagged on the switch port connected to the internal interface of divert unit B.

3. Divert unit B processes the traffic and sends it out on the external interface.

4. The switch receives the traffic untagged from divert unit B and sends it out on the switch port connected to the internal interface of channel 2 on the PacketLogic, tagged with VLAN 4.

Note: PacketLogic accepts both VLANs 3 and 4 from divert unit B on the internal interface in this example, but it is recommended to use one VLAN per direction to allow the switch to separate the directions (VLAN 3 towards the local host and VLAN 4 towards the remote host).

5. PacketLogic receives the traffic on the internal interface of channel 2, strips the outermost VLAN tag and forwards the traffic on the external interface of channel 1.

6. The server response arrives on the external interface of channel 1. Being the same connection, Rule B is applied. Traffic is diverted onto channel 2 with VLAN 4 added. This is because divert label B had VLAN 3 configured with asymmetric VLAN, giving traffic from (and to) the remote host VLAN 3+1.

7. Traffic arrives on the switch port connected to the internal interface of channel 2.

8. The switch is configured to take traffic tagged with VLAN 4 and send it out untagged on the switch port connected to the external interface of divert unit B.

9. After processing by divert unit B, the switch passes the traffic, tagged with VLAN 3, back to the external interface of channel 2.

Note: PacketLogic accepts both VLANs 3 and 4 from divert unit B on the external interface in this example, but it is recommended to use one VLAN per direction to allow the switch to separate the directions (VLAN 3 towards the local host and VLAN 4 towards the remote host).

PacketLogic receives the traffic on the external interface of channel 2, replaces the L2 header with the original header that was stored in step 1, and forwards the traffic on the external interface of channel 1.

6.9.3.3.2. Load Balancing over Multiple Systems on one Channel

One potential use is to load balance across multiple systems. This is useful if the expected amount of traffic exceeds the capacity of a single divert system.

Such a setup could look as follows:


Figure 6.12. Load balancing across multiple devices using VLAN

• There is one divert label configured in the Channel Editor (Divert.A). This divert label has four entries. All use channel 2 and asymmetric VLAN. The first entry uses divert VLAN 1, the second VLAN 3, the third VLAN 5, and the fourth VLAN 7. The VLANs used are spaced two apart to allow the asymmetric VLAN assignment, where the traffic to and from the remote host has the VLAN assignment incremented by one (so traffic to and from the remote host on, for example, the second entry gets VLAN 4). Additionally, this divert label has a load balancing scheme configured (local host hash or round robin).

• There is one filtering rule matching the traffic to divert to all units.

1. Outbound traffic from the client arrives on the internal channel interface on channel 1, a regular channel. PacketLogic stores the original L2 header since it will be replaced with a divert-specific header. Traffic matches the filtering rule which diverts to divert label Divert.A.

2. PacketLogic load balances across the entries in the divert label. In this case, a VLAN to add is selected, since all entries use channel 2. It would be possible to load balance across multiple channels as well.

3. The switch is configured to take traffic tagged with VLAN 1 and send it out untagged on the switch port connected to the internal interface of divert unit A, VLAN 3 to the internal interface of divert unit B, and so on. Which unit any individual packet goes to is determined by the VLAN set by the load balancing scheme.

4. The selected divert system processes the traffic and sends it out on the external interface.

5. The switch receives the traffic untagged from the divert units and sends it out on the switch port connected to the internal interface of channel 2 on the PacketLogic, tagged with the VLAN of the divert unit it came from incremented by one.

Note: PacketLogic accepts both VLANs for a divert unit on the internal interface in this example (for divert unit B both VLANs 3 and 4 are accepted), but it is recommended to use one VLAN per direction to allow the switch to separate the directions (in this example, traffic from divert unit B would have VLAN 3 towards the local host and VLAN 4 towards the remote host).

6. PacketLogic receives the traffic on the internal interface of channel 2, replaces the L2 header with the original header which was stored in step 1, and forwards the traffic on the external interface of channel 1.


The server response arriving on the external interface of channel 1 is handled the same way, but since asymmetric VLAN is configured, PacketLogic will add the incremented VLAN (VLAN 4 for divert unit B) to the diverted traffic from the server, and expect the configured VLAN (VLAN 3 for divert unit B) from the switch after the response has passed through the divert unit.
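As an added illustration (not configuration or code from the PacketLogic guide), the following Python models the VLAN bookkeeping described above: entry selection by the load balancing scheme, the tag PacketLogic adds per direction under asymmetric VLAN, the tag it expects back from the switch, and a check that the entries on one channel are spaced so their tag pairs do not overlap. The SHA-256 local host hash, the class and function names, and the sample addresses are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class DivertEntry:
    channel: int
    vlan: int                 # configured divert VLAN of the entry (the "base" VLAN)
    asymmetric: bool = True   # asymmetric VLAN: the remote-host direction uses vlan + 1


class DivertLabel:
    """A divert label with several entries and a load balancing scheme (example model)."""

    def __init__(self, name: str, entries: List[DivertEntry], scheme: str):
        if scheme not in ("round_robin", "local_host_hash"):
            raise ValueError(f"unknown load balancing scheme {scheme!r}")
        self.name, self.entries, self.scheme = name, list(entries), scheme
        self._next = 0

    def select(self, local_host: str) -> DivertEntry:
        """Pick the entry for a new connection. Assumption: the local-host hash is
        modelled with SHA-256; the product's own hash function is not documented here."""
        if self.scheme == "round_robin":
            entry = self.entries[self._next % len(self.entries)]
            self._next += 1
            return entry
        digest = hashlib.sha256(local_host.encode()).digest()
        return self.entries[int.from_bytes(digest[:4], "big") % len(self.entries)]


def tag_added(entry: DivertEntry, direction: str) -> int:
    """VLAN PacketLogic adds when sending the packet towards the divert unit.
    direction: "client" for traffic from the local host, "server" for the remote host's response."""
    if direction not in ("client", "server"):
        raise ValueError(direction)
    if entry.asymmetric and direction == "server":
        return entry.vlan + 1
    return entry.vlan


def tag_expected_back(entry: DivertEntry, direction: str) -> int:
    """VLAN PacketLogic expects from the switch after the divert unit: with asymmetric
    VLAN each direction comes back on the other tag of the pair."""
    if not entry.asymmetric:
        return entry.vlan
    return entry.vlan if tag_added(entry, direction) == entry.vlan + 1 else entry.vlan + 1


def accepted_tags(entry: DivertEntry) -> Set[int]:
    """Tags PacketLogic accepts from the switch for this entry (both, per the note above)."""
    return {entry.vlan, entry.vlan + 1} if entry.asymmetric else {entry.vlan}


def vlan_spacing_problems(entries: List[DivertEntry]) -> List[str]:
    """Report entries on the same channel whose accepted tags overlap; an overlap would
    make return traffic from one divert unit indistinguishable from another's."""
    problems = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.channel == b.channel and accepted_tags(a) & accepted_tags(b):
                problems.append(f"VLAN {a.vlan} and VLAN {b.vlan} overlap on channel {a.channel}")
    return problems


# Constructed sample label matching Figure 6.12: four entries, channel 2, VLANs 1/3/5/7.
ENTRIES = [DivertEntry(channel=2, vlan=v) for v in (1, 3, 5, 7)]
```

Run vlan_spacing_problems over a label before committing it: entries at VLAN 1 and 2 on the same channel report a collision, the 1/3/5/7 spacing used above does not.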

6.9.4. Chained Divert

Divert can also be chained. Chaining divert label A and divert label B means that when a packet has come back in on divert label A, it is immediately sent out on divert label B. When it comes back on divert label B, it is sent out on the regular channel it came in on. Chaining is configured by entering more than one divert label in the filtering rule, separated by comma.

Note: Mid-session divert (Section 6.9.7, “Diverting Mid-Session”) cannot use chained divert. A filtering rule for mid-session divert must use one single divert label.

Figure 6.13. Multiple divert chain pairs

Consider Figure 6.13, “Multiple divert chain pairs”, where there are four divert labels (A, B, C, and D) configured. In the example shown, the labels consist of one physical channel each. The divert labels could however be more complex as described in Section 6.9.3, “Divert Labels”. Additionally, there is a divert chain configured as the divert target in the filtering rule: A,B,C,D. This will cause the chaining shown, as follows:

1. A packet belonging to a connection matching a filtering rule with action Divert and divert label A selected arrives on an internal channel interface. It is diverted onto divert label A.

2. Once the packet returns on divert label A, PacketLogic sees that there is a chain defined, and sends the packet onto the second divert label in the chain (B).


3. Once the packet returns on divert label B, PacketLogic sends the packet onto the next divert label in the chain (C).

4. Once the packet returns on divert label C, PacketLogic sends the packet onto the last divert label in the chain (D).

Once the packet returns on divert label D, the packet is sent out on the regular channel (in this example the external channel interface, since the packet arrived on the internal interface).

6.9.5. Heartbeats

The divert feature monitors each divert unit by sending heartbeats through it and ensuring they are properly forwarded. If PacketLogic detects that the divert unit does not seem to forward packets, the divert label entry is disabled and the traffic is forwarded on the regular channel directly. For divert labels with multiple entries, the still operating entries continue to operate, but the traffic destined for the failed unit is forwarded on the regular channel. Note that this is fail-open behaviour: while an entry is disabled, traffic that the rule would have sent through the divert unit passes PacketLogic without that unit's processing. The heartbeats are controlled by three system configuration values: DIVERT_HB_MS, DIVERT_HB_MAX_LOST, and DIVERT_HB_RECOVERY. In normal operation, PacketLogic sends a heartbeat packet every DIVERT_HB_MS milliseconds. If DIVERT_HB_MAX_LOST packets are lost, the divert channel is bypassed, and traffic is forwarded on the regular channel as if there was no divert rule. When the divert channel is bypassed, PacketLogic continues to send heartbeat packets (this is called recovery mode). In recovery mode PacketLogic also falls back to L2 divert mode, regardless of whether it was operating in L2 or L3 mode, and starts sending ARP requests to determine whether to go into L2 or L3 mode when re-enabling divert. Once DIVERT_HB_RECOVERY packets in a row have passed successfully through the divert unit, the divert label entry is re-enabled. When a filtering rule with action divert is first enabled, DIVERT_HB_RECOVERY packets must also pass successfully for the divert label to start receiving traffic.
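The following Python state machine is an added example, not PacketLogic code, that replays the heartbeat rules above for one divert label entry, including the L2 fallback and the ARP probing in recovery mode that Section 6.9.6 describes. It assumes that DIVERT_HB_MAX_LOST counts consecutive losses and that a single forwarded heartbeat resets the loss counter; the configuration values in it are illustrative rather than product defaults, and every class and function name is the example's own.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class HeartbeatConfig:
    # Illustrative values, not product defaults (the real ones live in System Configuration).
    hb_ms: int = 1000      # DIVERT_HB_MS: one heartbeat every hb_ms milliseconds
    max_lost: int = 3      # DIVERT_HB_MAX_LOST: lost heartbeats before the entry is bypassed
    recovery: int = 5      # DIVERT_HB_RECOVERY: consecutive passes before (re-)enabling


class DivertEntryMonitor:
    """State of one divert label entry: ACTIVE (traffic diverted) or RECOVERY (bypassed)."""

    def __init__(self, cfg: HeartbeatConfig):
        self.cfg = cfg
        self.state = "RECOVERY"     # a newly enabled entry must pass `recovery` heartbeats first
        self.mode = "L2"            # recovery always falls back to L2 divert mode
        self.lost = 0               # assumption: consecutive losses, reset by a forwarded heartbeat
        self.passed = 0             # consecutive heartbeats forwarded while in recovery
        self.arp_seen = False       # did the divert unit answer ARP during this recovery?
        self.transitions: List[Tuple[int, str, str]] = []
        self._tick = 0

    def heartbeat(self, forwarded: bool, arp_reply: bool = False) -> str:
        """One heartbeat period. `forwarded`: the heartbeat came back through the divert unit.
        `arp_reply`: the unit answered the ARP request sent with this heartbeat (recovery only)."""
        self._tick += 1
        if self.state == "ACTIVE":
            if forwarded:
                self.lost = 0
            else:
                self.lost += 1
                if self.lost >= self.cfg.max_lost:
                    self._bypass()
        else:
            if arp_reply:
                self.arp_seen = True
            if forwarded:
                self.passed += 1
                if self.passed >= self.cfg.recovery:
                    self._enable()
            else:
                self.passed = 0
        return self.state

    def _bypass(self) -> None:
        self.transitions.append((self._tick, "ACTIVE", "RECOVERY"))
        self.state, self.mode = "RECOVERY", "L2"
        self.passed, self.arp_seen = 0, False

    def _enable(self) -> None:
        self.transitions.append((self._tick, "RECOVERY", "ACTIVE"))
        self.state = "ACTIVE"
        self.mode = "L3" if self.arp_seen else "L2"   # L3 only if ARP was answered in recovery
        self.lost = 0

    def diverts(self) -> bool:
        return self.state == "ACTIVE"


def bypass_window_ms(cfg: HeartbeatConfig) -> int:
    """Longest time a dead divert unit keeps receiving traffic before it is bypassed."""
    return cfg.hb_ms * cfg.max_lost


def reenable_delay_ms(cfg: HeartbeatConfig) -> int:
    """Shortest time a bypassed entry stays bypassed once the unit forwards again."""
    return cfg.hb_ms * cfg.recovery


def simulate(cfg: HeartbeatConfig, events: Iterable[Tuple[bool, bool]]) -> DivertEntryMonitor:
    """Replay a sequence of (forwarded, arp_reply) heartbeat outcomes."""
    mon = DivertEntryMonitor(cfg)
    for forwarded, arp_reply in events:
        mon.heartbeat(forwarded, arp_reply)
    return mon
```

The two helper functions make the fail-open window explicit: bypass_window_ms is how long traffic keeps flowing into a unit that has stopped forwarding, and reenable_delay_ms is how long traffic bypasses a unit that has already recovered. When the divert unit performs security inspection, both values are worth tuning against how long unprocessed traffic is acceptable.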

6.9.6. Diverting to Layer 3 Routing Devices

The basic functionality when diverting to a layer 3 routing divert unit is the same as for diverting to a layer 2 transparent divert unit. There are a few additional features to properly accommodate a layer 3 routing unit:

• PacketLogic sends ARP requests to the divert unit when it is in recovery mode, one ARP request for each heartbeat packet. When the divert label entry leaves recovery mode it uses L3 mode if it got ARP requests and responses from the divert unit. Once the divert label entry is re-enabled, PacketLogic does not send ARP requests to the divert unit.

• PacketLogic will respond to ARP requests from the divert unit, whether the divert channel is in recovery mode or not.

• Optionally, PacketLogic can increase the TTL of IPv4 packets, to conceal the fact that there is a routing unit decrementing the TTL. This is controlled with the system configuration value DIVERT_L3_TTL_INC, which determines how much to increment the TTL by.

For the heartbeat packet, the routing in the divert unit must be configured correctly. The topology and address scheme used is shown in Figure 6.14, “Topology and addressing when diverting to a routing device”. The address scheme is predefined. No IP configuration is needed on the PacketLogic, and the connected divert unit must be configured according to the address scheme shown.


Figure 6.14. Topology and addressing when diverting to a routing device

Note: While IPv6 traffic can be diverted, the heartbeats and neighbour discovery use IPv4 only.

6.9.6.1. Routing Examples for L3 Divert Units

Ensure that the divert unit has appropriate routes set up. This section contains examples of routing configuration as they would be entered on a Linux system, with eth0 as the internal interface and eth1 as the external interface of the divert unit.

Example 6.2. Routing example for L3 device with support for policy based routing

# Addresses of the divert unit from the predefined scheme (Figure 6.14)
ip address add 169.254.240.254/24 brd + dev eth0    # internal interface
ip address add 169.254.250.254/24 brd + dev eth1    # external interface
# Policy routing: whatever arrives on one interface leaves through the other
ip rule add iif eth0 table 200
ip rule add iif eth1 table 201
ip route add default via 169.254.250.1 table 200    # in on eth0, out on eth1 towards PacketLogic
ip route add default via 169.254.240.1 table 201    # in on eth1, out on eth0 towards PacketLogic

Example 6.3. Routing example for L3 device without support for policy based routing

Routes must be added for all client subnets via the IP address on the external interface of the divert channel on PacketLogic (169.254.240.1). This routing table must be kept up to date for divert to function.

# Addresses of the divert unit from the predefined scheme (Figure 6.14)
ip address add 169.254.240.254/24 brd + dev eth0    # internal interface
ip address add 169.254.250.254/24 brd + dev eth1    # external interface
ip route add default via 169.254.250.1              # everything else leaves via eth1
ip route add 169.254.241.0/24 via 169.254.240.1     # predefined divert addresses back via eth0
ip route add x.x.x.x/y via 169.254.240.1            # one route per client subnet; keep these current

6.9.7. Diverting Mid-Session

Proxied divert (sometimes referred to as mid-session or late divert) allows initiating the divert after the first packet. This allows matching on, for example, services by using PacketLogic ServiceObject as conditions for the diverting filtering rule. This is done by allowing PacketLogic to act as a proxy in the connection setup towards the divert unit.


6.9.7.1. Limitations

• Proxied divert can be used on connections when the divert can be initiated on the first client request or the first server response. Initiating divert later than that in the connection life span will cause the divert to fail, as PacketLogic will be unable to recreate the connection towards the divert unit.

• A filtering rule used for mid-session divert cannot use a divert chain. One single divert label must be used. This label can however use multiple entries and load balancing.

6.9.7.2. Configuration

Using proxied divert consists of the following configuration steps:

• Configure a divert label to which the divert unit will be connected. See Section 6.9.3, “Divert Labels”.

• Create a Filtering rule, action Divert, using the desired service(s) (represented by a ServiceObject). If needed, proxied divert injects a TCP handshake and a client request in the diverted traffic. This injected data goes to the divert unit, to set up the connection correctly in the divert system before it can receive the subsequent traffic. In the figure below an example of a client request to inject is shown.

Note: Injecting client request data is only necessary when the filtering rule matches on server response. This is typically the case for services matching on content type (for example Flash video over HTTP).

The format for inject data is identical to that used in Inject rules (see Section 6.3.6, “Inject”).

The example in the image above is a simple client HTTP GET request, and looks as follows:

GET {%Filename} HTTP/1.1\r\n Host: {%Server Hostname}\r\n User-Agent: {%User-Agent}\r\n\r\n

The system diagnostics values relevant for proxied divert are:

Proxied connections: This is the current number of existing connections on the divert channel.

Failed proxy connections: This is the number of times the proxied divert has failed. The reasons for this can be:

• The number of connections matching the proxied divert rule exceeds the system configuration value DIVERT_MAX_PROXY_CONNECTIONS (in the Divert category).

• The number of host pairs stored for storing divert data exceeds the system configuration value DIVERT_NUM_HOSTS (in the Divert category).

• The proxied divert rule used a divert channel which is part of a divert channel chain, which is not supported for proxied divert. This case is also separately counted (see below).

Failed proxy connections (too many channels): This is the number of times the proxied divert has failed because the proxied divert rule used a divert channel which is part of a divert channel chain, which is not supported for proxied divert. This case is also included in the overall counter for failed proxy divert connections (see above).

These values are all found in the Divert zone in System Diagnostics.


Chapter 7. PacketLogic Statistics

7.1. Description

7.1.1. Charts and graphs

PacketLogic Statistics is an add-on module for PacketLogic which gives the network administrator the means to view how the network has been used over time. The statistics module does what the LiveView module does, but it handles the past instead of the present. The statistics module presents data and views in forms of graphs and charts to view the bandwidth used by different applications, ports, users, AS-paths, and so on. For a description of the Statistics viewer in the PacketLogic client, see Section 8.8, “Statistics”.

All statistics functions are governed by Statistics rules and StatisticsObjects. StatisticsObjects determine how to store and organize all statistical data to which the StatisticsObjects are applied. Statistics rules set conditions for which traffic shall be selected for statistical storage, and apply StatisticsObjects to that traffic.

Some examples are statistics for local visited websites, remote visited websites, users (defined by IPs, NetObjects, MAC addresses and switch ports (using DHCP snooper and option 82), RADIUS usernames, and so on), and applications or protocols.

The combinations are endless. Any subset of traffic that can be matched with a Statistics rule can create statistics.

By configuring Statistics rules and StatisticsObjects, statistics can be produced for (for example):

• Application usage and User usage per AS-Path.

• Application usage per group of users or departments.

• Visited websites by user, department, AS-Path, etc.

7.1.2. Values

Statistics in PacketLogic is composed of values. A value is a set of counters, with an associated value path andoptional graph data.

Examples:

• Collecting all HTTP traffic constitutes one value.

• Collecting all HTTP traffic and, under that, all HTTP traffic for each host in a set of 5000 hosts constitutes 5001 values.

Values are stored per day. The graph data associated with a value is a set of data points for the value. The frequency of the collection of the data points is configurable through the System Configuration option PLS_MIN_FREQUENCY.

A value can consist of several fields. A field is a metric for the traffic for which to keep statistics. Fields are available as total fields and graph fields. Total fields collect accumulated metrics (that is, how much so far). Graph fields collect samples, to show how the metric has varied over time.

For total values (accumulated), the following fields can be selected:

• Incoming bytes

• Outgoing bytes

• Connections


• Unestablished connections

• Incoming connections

• Outgoing connections

• Incoming unestablished connections

• Outgoing unestablished connections

• Total Bytes

• Incoming concurrent connections (Peak)

• Outgoing concurrent connections (Peak)

• Incoming Dropped Packets

• Outgoing Dropped Packets

• Incoming Avg Latency

• Outgoing Avg Latency

• Sub-Item Count

• Incoming Quality (Internal)

• Outgoing Quality (Internal)

• Incoming Quality (External)

• Outgoing Quality (External)

• Incoming Quality Packets

• Outgoing Quality Packets

For graph (sample) values, the following fields can be selected:

• Incoming bps

• Outgoing bps

• CPS

• Unestablished CPS

• Incoming CPS

• Outgoing CPS

• Incoming unestablished CPS

• Outgoing unestablished CPS

• Incoming concurrent connections

• Outgoing concurrent connections

• Sub-Item Count


• Total bps

• Incoming Dropped Packets

• Outgoing Dropped Packets

• Incoming Avg Latency

• Outgoing Avg Latency

• Incoming Quality (Internal)

• Outgoing Quality (Internal)

• Incoming Quality (External)

• Outgoing Quality (External)

• Incoming Quality Packets

• Outgoing Quality Packets

In the PacketLogic client, the field selection is configured in the Objects & Rules editor (see Section 8.10.1.15, “StatisticsObject Editor”).

Figure 7.1. Fields in a StatisticsObject in the Objects & Rules Editor

7.1.3. Distribution

The Distribution is organized in a tree. Each level organizes the statistics stored according to the selected distribution type. At the next level, another distribution type can be selected. For each member in the first distribution level, statistics are then distributed in the next level.

To clarify, see the example in Figure 7.2, “Simple distribution example”.

Figure 7.2. Simple distribution example


The distribution is NetObjects at the top level, and Services underneath the NetObjects. In this example, there are only three NetObjects (A, B, and C) in the rule set. A value is stored for each of them. For each NetObject, a value is then stored for each service. Which aspects are stored in each value is defined in the Fields selection for the StatisticsObject (see Figure 7.1, “Fields in a StatisticsObject in the Objects & Rules Editor”).

When this distribution is used and statistics are stored, the root view in the Statistics viewer in the PacketLogic client will show the single StatisticsObject. Clicking the StatisticsObject will open the top level distribution, in this case NetObjects. A bar chart showing all NetObjects defined in the ruleset is displayed. Clicking on a NetObject will show the Services for that NetObject. At each level, the chart type can be changed between bar, line, stacked area, and pie chart where each chart type is applicable. This is the simplest case. The distribution can be fine-tuned by using a multi-level NetObject structure, changing the depth of the NetObject distribution, and changing the NetObject root. This is described in Section 7.1.4, “Depth and Object Root” below.

Expanding on the same StatisticsObject, see Figure 7.3, “Another distribution example”. A top level distribution of Local Host has been added, and underneath each local host Remote Vhosts has been added.

Figure 7.3. Another distribution example

Returning to the navigation, this would show the same view when clicking the StatisticsObject, but in the Type drop-down list, Local Host would be available along with NetObject, since those are the two distributions available at the top level in the object. Selecting Local Host shows a bar chart with a list of all local hosts in the StatisticsObject. Clicking one of those hosts will show the virtual host names of the remote hosts in the connections (essentially the web addresses).

7.1.4. Depth and Object Root

When NetObjects or ServiceObjects are used in the distribution, the objects defined in the ruleset (the Objects & Rules editor) are used in the distribution tree. The NetObjects and ServiceObjects are trees in themselves. These trees become part of the distribution trees. For the remainder of this section, the NetObject tree is discussed and illustrated. The same configuration applies to ServiceObjects, however.


Figure 7.4. An example NetObject tree

With the NetObject tree shown in Figure 7.4, “An example NetObject tree” and the simple distribution in Figure 7.2, “Simple distribution example”, the distribution tree would look as in Figure 7.5, “Distribution with NetObject tree” below.


Figure 7.5. Distribution with NetObject tree

By default, the entire object trees are included. In some cases, this is not desired. Using the example above, it is possible that only the Customers subtree of the NetObject tree shall be included. In that case, the root of the NetObject tree that shall be included in the StatisticsObject distribution can be selected. This is done in the Distribution of the StatisticsObject by clicking the Change button by the NetObject root field and selecting the NetObject root wanted (to do the same for ServiceObjects, use the ServiceObject root field). Figure 7.6, “Distribution with NetObject root defined” below shows what the distribution looks like with the NetObject root set to All NetObjects/Network/Customers with the NetObject tree in Figure 7.4, “An example NetObject tree” configured.


Figure 7.6. Distribution with NetObject root defined

Furthermore, it may be desired to limit how far into an object tree to go before using the next distribution type underneath. This can be accomplished by setting the Depth of a NetObject or ServiceObject (depth can also be set for the AS path distribution, see Section 7.1.5, “Depth in AS Paths” below). Returning to the example, if it is only desired to show statistics for the Staff, Guests, and Customers NetObjects before distributing by Service, the depth can be limited. This is done by setting the Depth parameter to something other than All on the distribution level with NetObjects or ServiceObjects.

As an example, setting Depth to two (2) for the NetObject distribution in the example would give the distribution shown in Figure 7.7, “Distribution with Depth configured on NetObject” (in this illustration, the NetObject root has been set back to the default of All NetObjects).

Figure 7.7. Distribution with Depth configured on NetObject

7.1.5. Depth in AS Paths

The Depth parameter can also be set for AS Path distribution levels. This is applied on the AS path itself, not on an object tree. For connections with AS path 1,2,3,4, depth All would give values for AS 1, below that AS 2, below that AS 3, and below that AS 4. Setting the depth to, for example, two (2) would give a value for AS 1 and below that for AS 2.
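The distribution tree, NetObject root and Depth rules from Sections 7.1.3 to 7.1.5 can be written down as one small algorithm. The Python below is an added example, not PacketLogic code, that distributes a few constructed connections into a value tree and handles the general case: any sequence of levels of type NetObject, Service, LocalHost or ASPath, each with an optional root prefix and an optional depth. The data layout, function names and sample connections are the example's own assumptions, and the way the root value is counted is an assumption stated in the code.

```python
from typing import List, Optional

# Constructed sample connections (not real data). NetObject paths are given below the
# "All NetObjects" root; AS paths are listed nearest-first as in the text (1,2,3,4).
CONNECTIONS: List[dict] = [
    {"netobject": ["Network", "Customers", "Cust1"], "service": "HTTP",
     "local_host": "10.1.0.5", "as_path": [1, 2, 3, 4], "bytes_in": 100, "bytes_out": 20},
    {"netobject": ["Network", "Staff", "Alice"], "service": "HTTP",
     "local_host": "10.2.0.9", "as_path": [], "bytes_in": 50, "bytes_out": 5},
    {"netobject": ["Network", "Customers", "Cust2"], "service": "DNS",
     "local_host": "10.1.0.7", "as_path": [1, 2, 5], "bytes_in": 10, "bytes_out": 1},
]


def new_value() -> dict:
    """One value: total counters plus the values distributed beneath it."""
    return {"bytes_in": 0, "bytes_out": 0, "connections": 0, "children": {}}


def keys_for(level: dict, conn: dict) -> List[str]:
    """The chain of value names one connection produces at a distribution level.
    Object trees and AS paths yield several nested names; `root` restricts the
    NetObject subtree and `depth` (None = All) truncates the chain."""
    kind = level["type"]
    if kind == "NetObject":
        path = list(conn["netobject"])
        root = list(level.get("root") or [])
        if root:
            if path[:len(root)] != root:
                return []          # not under the configured root: not stored at this level
            path = path[len(root):]
    elif kind == "ASPath":
        path = [f"AS{a}" for a in conn.get("as_path", [])]
    elif kind == "Service":
        path = [conn["service"]]
    elif kind == "LocalHost":
        path = [conn["local_host"]]
    else:
        raise ValueError(f"unknown distribution type {kind!r}")
    depth: Optional[int] = level.get("depth")
    return path[:depth] if depth else path


def add_to(node: dict, conn: dict) -> None:
    node["bytes_in"] += conn["bytes_in"]
    node["bytes_out"] += conn["bytes_out"]
    node["connections"] += 1


def build_tree(levels: List[dict], conns: List[dict]) -> dict:
    """Distribute connections into the value tree of a StatisticsObject.
    Assumption: the root value counts every connection the Statistics rule matched;
    a connection that yields no name at some level is not stored below that point."""
    root = new_value()
    for conn in conns:
        add_to(root, conn)
        node = root
        for level in levels:
            keys = keys_for(level, conn)
            if not keys:
                break
            for key in keys:
                node = node["children"].setdefault(key, new_value())
                add_to(node, conn)
    return root


def count_values(node: dict) -> int:
    """Number of values the object produces: the storage cost discussed under performance."""
    return 1 + sum(count_values(child) for child in node["children"].values())


def lookup(root: dict, *path: str) -> dict:
    node = root
    for name in path:
        node = node["children"][name]
    return node
```

count_values is the number worth watching when designing a StatisticsObject: a deep NetObject tree under a per-host level multiplies quickly, which is the effect Section 7.4.1 warns about.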

7.1.6. Aggregation and Linking


For each StatisticsObject, there is an option to aggregate the statistics to a dedicated aggregation server. The aggregation server is a PacketLogic statistics system receiving values from other statistics systems, instead of directly from PacketLogic systems monitoring and managing traffic.

To aggregate a StatisticsObject, simply check the box Aggregate this object to the aggregation server in the object. The statistics generated by the object will be stored on the aggregation server, rather than the local statistics system.

See Section 7.3.2.1, “Aggregation” for instructions on setting up the statistics systems for aggregation.

The distribution of a StatisticsObject can also be configured to contain links to other StatisticsObjects, on the same statistics system or a different one. A link in a StatisticsObject's distribution indicates that subsequent levels in the distribution are stored by a different StatisticsObject. The link can either point to the root level of the other StatisticsObject, or the linking object can indicate a distribution itself, by adding distribution levels below the link.

Combining aggregation with linking provides a way to collect network-wide statistics in a central location, and then provide links to local statistics systems for more detailed information.

Consider an example. Two PacketLogic systems (A and B) are placed at different locations. System A manages the staff network, and System B manages the customer network. The total network is defined by the NetObject tree shown in Figure 7.8, “A NetObject Tree”, which is shared among the systems by means of a resource proxy.

Figure 7.8. A NetObject Tree

Now, the statistics data is to be aggregated. This can be done for a variety of reasons:

• A single statistics system cannot handle all statistics generated by a multi-system deployment, but some data from all systems shall still be combined to show total network statistics.

• An aggregated view is desired to provide a high-level view for central network management staff, but detailed data is necessary for local engineers.

• Separation of access to central versus local statistics.

To aggregate a top-level view of combined statistics and keep granular statistics locally, the StatisticsObjects shown in Figure 7.9, “StatisticsObjects for Aggregation” can be used.


Figure 7.9. StatisticsObjects for Aggregation

The StatisticsObjects are defined locally on the PacketLogic systems. The local statistics systems build the data sets for both Aggregate Object and Local Object, but send the data for Aggregate Object to the aggregation system, since that object is configured to be aggregated. The aggregation system is configured on the local statistics systems as the Aggregation resource (see Section 7.3.2.1, “Aggregation”).

When viewing statistics on the local statistics systems (using the local systems for the StatsViewer resource), the Local Objects are shown and can be navigated. If instead the aggregation system is used, the Aggregate Object is shown, combining the data from both statistics system A and B (since the object has the same name). When navigating into the distribution on the aggregation system, only the top level of the defined NetObject tree is retrieved locally. Navigating below that, the link defined will make the aggregation system point to the local PLS relevant for the data to view. In this example, the Aggregate Object will proceed into the NetObject distribution on the local statistics systems, since there is a NetObject distribution defined under the link. If there was no distribution level under the link, the root of the Local Objects would instead be shown.

7.1.7. Graphing

To store graph data for a distribution level, set the Graph data value to Graph for the distribution level. Also, ensure that the desired graph fields are checked in the Fields configuration of the StatisticsObject.

Note: Graph values consume considerable resources compared to Total values. Use them only where needed.

7.1.8. Averages Based on Usage Analysis

By default, graph data points are averages that are calculated using the traffic volume seen during five minute graph point intervals. If peak values of the traffic are of interest, this calculation may be misleading since a connection may be active only during a short period of the five minute interval.

Consider the following example. A connection sees 3000 bytes of traffic during 10 seconds of a five minute (300 seconds) graph interval. The average value for that connection will be calculated as follows:

3000 bytes / 300 seconds = 10 bytes per second

Using only the 10 seconds that the connection was active would result in a more accurate view of the peak valueof that time interval:


3000 bytes / 10 seconds = 300 bytes per second

Averages based on Usage analysis is a feature that, when enabled, stores an activity bitmask along with the graph data based on the graph interval of five minutes. This means that additional graph data points based on the five second intervals that the connection has been active can be calculated. The traffic volume that a connection sees during the five minute graph point interval will then be divided by the active five second intervals of the connection to get the average value based on the Usage analysis.

The bitmask that is linked to the connection is used to determine which five second intervals are active for the connection. Each bit in the bitmask corresponds to a connection update interval, which is five seconds by default. If the connection is active during the connection update interval, the corresponding bit is set. The time interval to use for the calculation of the average is then based on how many bits are set in the bitmask. If a connection is active during two connection update intervals, two bits in the bitmask will be set, and the calculation of the average for the five minute graph point interval will be based on the 10 seconds that the connection was active.

If two or more connections are related to the same value, they are linked to form one bitmask. The resulting bitmask is then stored along with the value of the connection.

Note: The graph point interval (PLS_MIN_FREQUENCY) is set to five minutes by default. The connection update interval (CONNECTION_UPDATE_INTERVAL) is set to five seconds by default. They are both configurable. For averages based on usage analysis to work properly, the following condition should be met:

PLS_MIN_FREQUENCY / CONNECTION_UPDATE_INTERVAL ≤ 64

The graph point interval divided by the connection update interval must be less than or equal to 64, since that is the length of the bitmask when the values are built. The following example uses the default values:

300 (PLS_MIN_FREQUENCY) / 5 (CONNECTION_UPDATE_INTERVAL) = 60

In this case the first 60 bits in the bitmask will be used for setting the activity of a connection.
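As an added example (not code from the guide), the Python below carries the calculation through with the document's own numbers: it builds the activity bitmask from the five second connection update intervals, merges the bitmasks of connections related to the same value, compares the default average with the usage analysis average, and checks the PLS_MIN_FREQUENCY / CONNECTION_UPDATE_INTERVAL <= 64 condition. The function names and the representation of activity as seconds relative to the start of the graph point interval are assumptions of the example.

```python
from typing import Iterable, Tuple

BITMASK_BITS = 64   # length of the activity bitmask when the values are built


def usable_slots(graph_interval_s: int, update_interval_s: int) -> int:
    """Bits of the bitmask in use: PLS_MIN_FREQUENCY / CONNECTION_UPDATE_INTERVAL.
    Raises if the pair of settings cannot be represented in the 64-bit mask."""
    if update_interval_s <= 0 or graph_interval_s % update_interval_s:
        raise ValueError("graph point interval must be a positive multiple of the update interval")
    slots = graph_interval_s // update_interval_s
    if slots > BITMASK_BITS:
        raise ValueError(f"{slots} update intervals per graph point exceed the {BITMASK_BITS}-bit bitmask")
    return slots


def config_is_valid(graph_interval_s: int, update_interval_s: int) -> bool:
    """The check from the note: the ratio must fit in the 64-bit bitmask."""
    try:
        usable_slots(graph_interval_s, update_interval_s)
        return True
    except ValueError:
        return False


def activity_bitmask(active_spans: Iterable[Tuple[int, int]],
                     graph_interval_s: int, update_interval_s: int) -> int:
    """Build the bitmask for one connection. `active_spans` are (start, end) seconds relative
    to the start of the graph point interval, end exclusive; bit i is set when the connection
    was active at any time during update interval i."""
    slots = usable_slots(graph_interval_s, update_interval_s)
    mask = 0
    for start, end in active_spans:
        start, end = max(start, 0), min(end, graph_interval_s)
        if end <= start:
            continue
        first, last = start // update_interval_s, (end - 1) // update_interval_s
        for slot in range(first, min(last, slots - 1) + 1):
            mask |= 1 << slot
    return mask


def merge_bitmasks(masks: Iterable[int]) -> int:
    """Connections related to the same value are linked into one bitmask (bitwise OR)."""
    merged = 0
    for mask in masks:
        merged |= mask
    return merged


def plain_average_bps(byte_count: int, graph_interval_s: int) -> float:
    """Default graph point: the bytes spread over the whole graph point interval."""
    return byte_count / graph_interval_s


def usage_average_bps(byte_count: int, mask: int, update_interval_s: int) -> float:
    """Usage analysis graph point: the bytes divided by the seconds the connection(s) were active."""
    active_seconds = bin(mask).count("1") * update_interval_s
    return byte_count / active_seconds if active_seconds else 0.0
```

With the document's figures, activity_bitmask([(100, 110)], 300, 5) sets two bits, so usage_average_bps(3000, mask, 5) gives 300 bytes per second where plain_average_bps(3000, 300) gives 10. Raising PLS_MIN_FREQUENCY without raising CONNECTION_UPDATE_INTERVAL is the configuration mistake config_is_valid catches.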

To enable Usage Analysis based averages, set the Graph Points option to Usage analysis in the distribution of the StatisticsObject. Usage analysis is enabled per distribution level. It is always enabled on the root level of a StatisticsObject.

Figure 7.10. Configuring Usage Analysis


To view the Usage analysis data in the statistics viewer, select the Use usage analysis data checkbox in the Graphs tab.

Figure 7.11. Viewing Usage Analysis Data

7.1.9. Peak Analysis

Peak data can be shown for any distribution level in a StatisticsObject, if the sub-items of that distribution level have graph points enabled in the Fields configuration of the StatisticsObject. This allows showing the ten sub-items that have contributed the most to any point on a graph. To view the peak data for a point on a graph, hold down Ctrl and click the graph where the peak data is desired.

7.1.10. Listing Durations for Thresholds

It is possible to list the duration during which values have been within a defined set of limits (such as, for how long a certain host has exceeded 10 Mbps during the last 24 hours). This is done from a bar chart view in the client statistics viewer, by checking the option Show duration for matches and defining the limits for each value.

7.1.11. Priority

A distribution level in a StatisticsObject can have a Priority set to either Normal or High. The difference is the granularity with which data is stored for the distribution level.

• Normal: Values are updated if the data transferred exceeds the threshold set by the system configuration values PLD_PLSD_CONN_THRESHOLD_IN (for inbound traffic) and PLD_PLSD_CONN_THRESHOLD_OUT (for outbound traffic). Also, when the value cache usage on the statistics system exceeds the threshold defined by the system configuration value PLS_PRIORITY_THRESHOLD, values with Normal priority are not created, to avoid value cache exhaustion. See Appendix A, System Configuration Values for information on configuring system configuration values.

• High: Values with high priority are always updated, regardless of the set thresholds. Also, high priority values will never be filtered based on storage thresholds. The root level of a StatisticsObject distribution is always high priority.


7.2. Installation

The PacketLogic Statistics module is installed on a separate statistics system. This statistics system can receive statistics from several PacketLogic units performing traffic monitoring and management.

The statistics system will communicate with the traffic management system using TCP. The bandwidth required for these operations depends on the size of the network and the amount of traffic (flows, hosts, rules, etc.), and is extremely bursty in nature. The amounts vary from small networks where a few Mbps is enough, to larger networks where the requirements may be a few hundred Mbps.

Typically, the traffic management system and statistics system are connected through the Aux ports. The network used does not need to be publicly addressable.

7.3. Configuration

This section describes the various configuration values involved in setting up statistics:

7.3.1. PRE

7.3.1.1. PRE with Local Statistics Storage

Typically, a separate system is dedicated to storing statistics data. For non-PL10000/PL20000 systems where the expected amount of statistics data to store is low, the data can be stored on the traffic management system itself. To configure this, log on to the CLI of the traffic management system using SSH or serial console (Chapter 9, CLI Menu), and go to System Administration -> Statistics -> Local Statistics and choose to enable local statistics.

7.3.1.2. PRE with Separate PIC

Log on to the traffic management system using the PacketLogic client, and open the Resource Manager (see Section 8.10.9, “Resource Manager”). Configure the resource StatReader to proxy, with the IP of the statistics system and a user defined on the statistics system with permissions to read the StatReader resource.

Optionally, but highly recommended, create a user on the traffic management system dedicated to statistics retrieval. This user needs at least Generic surveillance permissions on the LiveView tab in the User editor (see Section 8.10.2, “User Editor”). Do not grant it more than it needs: its credentials are configured on the statistics system, so a compromise there should not yield administrative access to the traffic management system.

7.3.2. PIC

Log on to the CLI of the PIC using SSH or serial console and go to System Administration -> Statistics -> Remote system (see Chapter 9, CLI Menu for details). Add the traffic management system(s) for which this statistics system shall store statistics, each with its corresponding user.

7.3.2.1. Aggregation

Aggregation is configured per StatisticsObject (see Section 8.10.1.15, “StatisticsObject Editor”). On each statistics system that is to aggregate statistics data to another statistics system, the Aggregation resource shall be configured to point to the statistics system that receives the aggregate data. For information on configuring resources, see Section 8.10.9, “Resource Manager”.

7.4. TECH: Performance Considerations

7.4.1. Number of Values

The variable that affects storage space is the number of values. A value is a NetObject, a host, a service, a shaping rule, or most logical combinations of these. Adding more Statistics rules produces more values. StatisticsObjects can also be configured to an almost arbitrary level of detail, so a single Statistics rule using an extremely detailed StatisticsObject can also produce a large number of values.

The number of values also affects performance, since it takes longer to dump all values to disk.

Graph point values consume more resources than total values.

7.4.2. Connection Logging

Enabling connection logging affects storage space and performance considerably. The more new connections per second the traffic contains, the harder the connection logger has to work.

7.4.3. Distribution by Property

Using Property in a distribution level of a StatisticsObject can consume considerable resources. When a Statistics rule with such a StatisticsObject is enabled, it is recommended to monitor resource consumption to ensure the system is not overloaded. This includes memory usage in the engine and PLD, and bandwidth usage between the engine, PLD, and the statistics daemon.

7.5. TECH: Architecture

7.5.1. Overview

To understand what information is stored and how, it is useful to look at the components and information flows in PacketLogic.

The engine receives the traffic passing through the channels in the PacketLogic. The engine analyzes all traffic and extracts all information from it on a per-connection basis. The engine also applies the traffic management policies (called the rule set) to the traffic. The rule set is provided in compiled form by PLD and sent to the engine.

PLD receives information about the traffic from the engine. PLD provides real-time information about the traffic seen to requesting interfaces, such as the LiveView part of the PacketLogic client, the realtime part of the PacketLogic Python API, and the statistics daemon.

The PacketLogic Statistics Daemon receives information about traffic matched by Statistics Rules from PLD. The statistics daemon creates data sets from this information and sends these data sets periodically to the database daemon responsible for writing statistics on the statistics system.

The PacketLogic Database Daemon stores configuration data persistently in a database and provides an interface to this data. In addition, the database daemon on a statistics system is responsible for writing statistical data to disk and reading it upon request.

7.5.2. Statistical Data Flow

The engine sends information updates on connections to PLD. This occurs when a connection is removed, and also on a timer (default every 5 seconds). For every connection, information is kept on the data transferred (inbound and outbound, respectively) and which statistics rules the connection matches. This is kept in both the engine and PLD.

PLD sends information to the statistics daemon when a connection is removed, and when the statistics daemon requests an update (by default every 5 minutes). This includes the inbound and outbound data transfers and the matching statistics rules. Also, when PLD reloads the ruleset, an update is sent to the statistics daemon, since this may change which statistics a connection applies to.

The statistics daemon builds data sets in memory from the information received from PLD. The statistics daemon writes temporary dataset files locally at an interval defined by the system configuration value PLS_DISK_DUMP_INTERVAL. These temporary data sets minimize data loss in case of a system failure, as the temporary files are stored persistently.

Note: To avoid the temporary files consuming disk space needed for other data, they are removed when their total disk consumption exceeds a set limit. This limit is 50 GB by default, but is configurable in the CLI (see Chapter 9, CLI Menu). Data in files removed this way is discarded, so size the limit against the expected volume between writes.

The statistics daemon sends the temporary data sets it has built to the database daemon designated to write statistics, at an interval defined by the system configuration value PLS_DUMP_INTERVAL or when a statistics write is forced.

Note: If PLS_DISK_DUMP_INTERVAL is not smaller than PLS_DUMP_INTERVAL, the statistics daemon does not store temporary files locally; instead it sends the data set for the entire interval directly to the database daemon.

The database daemon charged with writing statistics receives data sets from the statistics daemon. One such database daemon can receive data sets from multiple statistics daemons. The database daemon writes the data sets to temporary files. When the temporary files are written, it starts a statistics writing background process (PLSWB) that reads the temporary files and writes the data sequentially to disk.

7.5.3. Statistical Data Storage

7.5.3.1. Values

A value consists of a path (such as /StatisticsObject/NetObjects/Staff or /StatisticsObject/ServiceObjects/HTTP) with a set of counters. Counters are stored per day.

Each value has a totals counter for each of the fields selected for totals storage. A totals counter is a single float value which is incremented over time. A value also has graph values, which are sampled float values of the fields selected for graph storage. Graph values are stored with a 5 minute resolution by default.

7.5.3.2. Storage Layout

Statistics are stored in a way that resembles a file system, with directories (file folders) in a hierarchy. This maps well to the way statistics are stored and retrieved efficiently. Since data is always written sequentially with the same layout, locating a value for a specific path, type, and day consists of going directly to a position in the file system. This is accomplished by maintaining offsets for each value path.

At the top level, a PacketLogic statistics file system consists of one or more global index directories and one directory for each day.

A global index directory consists of one or more strings and collisions files. The strings files contain entries with hash buckets. A value path (for example /StatisticsObject/NetObjects/Staff) is hashed to find the corresponding hash bucket. The strings file maps this hash bucket to an index key. Should there be a hash collision, the strings file will point to a collision file, where the index keys for value paths that hash to the same hash bucket are stored.

A global index directory is created with a fixed size. If the number of statistics values grows beyond that size, a new global index directory is added.

Actual statistical data is stored in directories, one for each day. A day directory consists of an index file, one or more graphs files, and one or more totals files. The index file for a day is keyed by the index key retrieved from the global index. The daily index maps this index key to offsets, one for totals values and one for graph values. Once the offset has been retrieved from the daily index, locating statistical data consists of opening the totals (for totals values) or graphs (for graph values) file and seeking to the offset. The relevant data is available at that offset and sequentially forward in the file.

All files in a PacketLogic statistics file system are compressed to achieve efficient storage and transfer withoutcompromising performance.

7.5.3.3. Reading

With the architecture described, searching for statistical data becomes very fast. It is a matter of obtaining the index key for the path from the global index, going to the directory for the day in question, locating the offset corresponding to the index key, and reading the data directly.

Reading can provide a list of available values (all, or a top list of the highest values), total values, or graph values. A feature to provide a list of subvalues that contribute the most to a spike in a parent value graph is also planned.
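The layout in Section 7.5.3.2 and the read path in Section 7.5.3.3 can be followed in code. The block below is an added illustration written for this edition of the guide, not Procera's implementation: the hash function, the slot and record encodings, the bucket count, the directory and file names (global0, index, totals, graphs) and the uncompressed files are all assumptions. It does reproduce the mechanics the text describes: a value path is hashed to a bucket in a fixed-size strings file, paths whose buckets collide are moved to a collisions file, each day directory has an index mapping the index key to two offsets, totals and graph samples are appended sequentially, and a read seeks straight to the offset and reads forward.

```python
import hashlib, os, struct, tempfile

BUCKETS = 16                      # assumed fixed size of one global index directory
EMPTY, COLLIDED = 0, 0xFFFFFFFF   # slot markers (assumed encoding)
SLOT = struct.Struct(">I60s")     # strings-file slot: index key + value path (assumed layout)
IDX_REC = struct.Struct(">IQQ")   # daily index record: key, totals offset, graphs offset

def bucket_of(path):              # hash a value path to a strings-file bucket (hash is an assumption)
    return int.from_bytes(hashlib.sha1(path.encode()).digest()[:4], "big") % BUCKETS

class GlobalIndex:                # strings: BUCKETS fixed slots; collisions: "path<TAB>key" lines
    def __init__(self, root):
        os.makedirs(root, exist_ok=True)
        self.strings, self.collisions, self.next_key = f"{root}/strings", f"{root}/collisions", 1
        with open(self.strings, "wb") as f:
            f.write(b"\0" * SLOT.size * BUCKETS)
        open(self.collisions, "w").close()

    def _slot(self, b, key=None, path=""):   # read slot b, or overwrite it when a key is given
        with open(self.strings, "r+b") as f:
            f.seek(SLOT.size * b)
            if key is not None:
                return f.write(SLOT.pack(key, path.encode()))
            k, p = SLOT.unpack(f.read(SLOT.size))
        return k, p.rstrip(b"\0").decode()

    def collided(self):
        with open(self.collisions) as f:
            return dict(line.rstrip("\n").split("\t") for line in f if line.strip())

    def lookup(self, path):
        key, slot_path = self._slot(bucket_of(path))
        if key == COLLIDED:                   # shared bucket: the collisions file decides
            k = self.collided().get(path)
            return int(k) if k else None
        return key if key != EMPTY and slot_path == path else None

    def assign(self, path):
        found = self.lookup(path)
        if found is not None:
            return found
        key, self.next_key = self.next_key, self.next_key + 1
        b = bucket_of(path)
        old_key, old_path = self._slot(b)
        if old_key == EMPTY:
            self._slot(b, key, path)
        else:                                 # collision: both paths move to the collisions file
            with open(self.collisions, "a") as f:
                if old_key != COLLIDED:
                    f.write(f"{old_path}\t{old_key}\n")
                f.write(f"{path}\t{key}\n")
            self._slot(b, COLLIDED)
        return key

def _append(path, values):        # sequential write; returns the offset the block starts at
    with open(path, "ab") as f:   # append mode: the position on open is the end of the file
        off = f.tell()
        f.write(struct.pack(f">I{len(values)}d", len(values), *values))
    return off

def _read_block(path, off):       # seek straight to the offset, then read forward
    with open(path, "rb") as f:
        f.seek(off)
        n = struct.unpack(">I", f.read(4))[0]
        return list(struct.unpack(f">{n}d", f.read(8 * n)))

class StatsStore:
    def __init__(self, root):
        self.root, self.gidx = root, GlobalIndex(f"{root}/global0")

    def _day(self, day):
        os.makedirs(d := f"{self.root}/{day}", exist_ok=True)
        return f"{d}/index", f"{d}/totals", f"{d}/graphs"

    def write(self, day, path, totals, samples):
        index, tot, gr = self._day(day)
        t_off, g_off = _append(tot, totals), _append(gr, samples)
        with open(index, "ab") as f:
            f.write(IDX_REC.pack(self.gidx.assign(path), t_off, g_off))

    def read(self, day, path):
        key = self.gidx.lookup(path)
        index, tot, gr = self._day(day)
        if key is None or not os.path.exists(index): return None
        with open(index, "rb") as f:          # linear scan for brevity; the real daily index is keyed
            while rec := f.read(IDX_REC.size):
                k, t_off, g_off = IDX_REC.unpack(rec)
                if k == key:
                    return _read_block(tot, t_off), _read_block(gr, g_off)
        return None

def demo():                       # 40 constructed paths into 16 buckets forces collisions
    store, day = StatsStore(tempfile.mkdtemp()), "2013-06-01"
    paths = [f"/StatisticsObject/NetObjects/Site{i}" for i in range(40)]
    for i, p in enumerate(paths):
        store.write(day, p, [1000.0 * i, float(i)], [float(i)] * 3)
    every = all(store.read(day, p) == ([1000.0 * i, float(i)], [float(i)] * 3) for i, p in enumerate(paths))
    return store.read(day, paths[7]), store.read(day, "/no/such"), len(store.gidx.collided()), every
```

The point to take from the model is the one the guide makes: once the index key is known, a read never searches the day's data; it seeks. Backup and restore (Section 7.5.3.4) work because everything under a day directory is addressed by key and offset, so a day can be moved as a unit as long as the global index learns its keys.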

7.5.3.3.1. Statistics Reader Peering

For deployments where one statistics system (PIC) does not hold all the data for a value path (for example due to load), the data can be shared among multiple PICs. To present a unified view of the data, the statistics reader can use peering, allowing a client to connect to a single system and still see all the data.

With peering configured, a statistics reader on a PIC will, in addition to reading its own data for a query, forward the query to all its configured peers. The statistics reader aggregates the data received from all peers with its own data in the response.

Statistics reader peering is configured with the system configuration value PLDB_STATREADER_PEERS. The value is a semicolon-separated list of peers on the form user:password@host. If this value is non-empty on a PIC system, statistics queries towards that PIC will attempt to retrieve data from the peers. Because the peer password is part of this configuration value, use a user on each peer that has only the permission needed to read statistics, and restrict who can view the system configuration.

The intended use is large deployments where a single PIC cannot hold all data for the configured statistics objects and rules. A single PIC is designated as the one to use for reading statistics, and that PIC has all other PICs with relevant data as peers.

Note: Statistics reader peering has only limited handling of query loops. If two systems peer with each other, this is handled. If three or more systems peer with each other, queries will loop and cause statistics reading to fail.

If network or system issues or misconfiguration cause a PIC using peering not to receive replies from all its peers, no data is shown for the query. A missing peer therefore produces an empty result rather than a partial one; when a query unexpectedly returns nothing, check connectivity to every configured peer.
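The loop caveat and the empty-result behaviour are easiest to see in a small model. The block below is an added simulation written for this guide, not Procera's statistics reader. The rule that a PIC does not forward a query back to the peer it received it from is an assumption chosen because it reproduces exactly what the note describes (two mutual peers work, three or more do not); the depth limit exists only so the simulation stops instead of recursing forever; and parse_peers splits the documented user:password@host;... form on the first ':' and the last '@', which is also an assumption.

```python
def parse_peers(value):
    """Split a PLDB_STATREADER_PEERS value into (user, password, host) tuples.
    First ':' and last '@' as separators is an assumption; the guide only gives the form."""
    peers = []
    for entry in filter(None, value.split(";")):
        cred, host = entry.rsplit("@", 1)
        user, password = cred.split(":", 1)
        peers.append((user, password, host))
    return peers


class Pic:
    def __init__(self, name, data, peers=()):
        self.name, self.data, self.peers = name, dict(data), list(peers)


def read_statistics(pics, name, path, came_from=None, depth=0, max_depth=32):
    """Answer a query on PIC `name`: its own data plus what every peer returns.
    Assumed loop rule: never forward a query back to the peer it arrived from."""
    if depth > max_depth:
        raise RuntimeError(f"query loop: {path} bounced {depth} times, last at {name}")
    pic = pics.get(name)
    if pic is None:                    # unreachable peer: the whole query yields no data
        return None
    total = pic.data.get(path, 0.0)
    for peer in pic.peers:
        if peer == came_from:
            continue
        part = read_statistics(pics, peer, path, came_from=name, depth=depth + 1)
        if part is None:
            return None
        total += part
    return total


PATH = "/StatisticsObject/NetObjects/Staff"   # constructed sample value path


def two_way():          # A <-> B: the case the guide says is handled
    pics = {"A": Pic("A", {PATH: 10.0}, ["B"]), "B": Pic("B", {PATH: 5.0}, ["A"])}
    return read_statistics(pics, "A", PATH)


def three_way():        # A, B and C all peer with each other: the case the guide warns about
    pics = {n: Pic(n, {PATH: 1.0}, [m for m in "ABC" if m != n]) for n in "ABC"}
    try:
        return read_statistics(pics, "A", PATH)
    except RuntimeError as err:
        return str(err)


def hub_and_spoke():    # the intended layout: one reader PIC, every other PIC listed as its peer
    pics = {"A": Pic("A", {PATH: 10.0}, ["B", "C"]), "B": Pic("B", {PATH: 5.0}), "C": Pic("C", {PATH: 2.5})}
    return read_statistics(pics, "A", PATH)


def missing_peer():     # C is configured but down: no data at all, not a partial answer
    pics = {"A": Pic("A", {PATH: 10.0}, ["B", "C"]), "B": Pic("B", {PATH: 5.0})}
    return read_statistics(pics, "A", PATH)
```

Only the hub-and-spoke layout, where the spokes have no peers of their own, always terminates; that is the layout the preceding paragraph recommends.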

7.5.3.4. Backup, Restore, and Archiving

All actual statistical data is self-contained in a day directory, which can hence be archived and transferred for backup purposes. Restoring a backup consists of unpacking the day(s) into the live statistics file system, and updating the global index with the information available in the restored day(s), if the global index does not already have that information. To this end, each day directory contains metadata to quickly determine if it exists in the present global index, and to update the global index if the information is not there.

7.6. TECH: Comparison to Alternative Storage Architectures

A commonly used approach to organizing and storing data is a database (for example an SQL database). Using a standard database has the advantage that creating an application interface towards it is relatively easy. The drawback, which becomes a major impairment when considering the size and complexity of the data discussed, is that it is not possible to control how the database manager writes data to disk. The database manager can potentially write closely related data at locations far apart on disk. This can dramatically increase read times. Since read operations are involved both when viewing and updating data, this can seriously affect performance.

The PacketLogic approach stores logical blocks of data in memory until it is time to write. At that point, it collects all this data into a data set and sends it off for writing. Also, the file system layout is predetermined by the offsets in the global index, so the only search required is in the global index.

This results in highly efficient use of resources on all involved platforms. Data is organized before writing it, rather than when reading it. Writing data consists of finding the existing values for the data to write, adding the data currently collected, and writing it back. This procedure is approximately as expensive when updating an hour's worth of data as five minutes' worth. Therefore, scheduled writing can be done once per hour without problems. Furthermore, reading data consists of opening files, jumping to predefined positions (offsets), and reading. This operation gives consistent performance regardless of whether the files are large or small, and regardless of whether the file system is almost full or almost empty.

The drawback is that the architecture must be designed from the bottom up, and application interface design becomes more complex. Both these tasks, however, are time-consuming only in the design stage and result in extremely efficient storage and retrieval of data, which is essential to accommodate the requirements on management of statistical data in PacketLogic.

7.7. Connection Logging

For each Statistics rule where connection logging is enabled, PacketLogic stores information about every accepted connection matched by the rule in a highly optimized way. The Connection Search function can then be used to find connections with specific properties: connections made to and from an IP address, at a specific point in time, using a specific application or port, and so on, can easily be identified. This makes network forensics considerably easier and is a powerful tool for abuse management and network control.

The connection logging only stores information about the connections, not the corresponding packet data. To obtain entire packets for debugging purposes, use the "Monitor" option in a filtering rule to duplicate packets to the PacketLogic PCAP Writer or to available packet analysis tools (see Section 6.4, “Monitor”).

To log connections matching a Statistics rule, enable the checkbox Enable connection log for the rule.

Figure 7.12. Statistics Rule Editor

7.8. Connection Search

Figure 7.13. Connection Search

7.8.1. Description

The Connection Search is a tool that takes search criteria and a date interval and searches for connections. All accepted connections that passed through the PacketLogic(s) are appended to the database in a search-friendly way. Only accepted connections are logged, so a connection that was not accepted will not appear in the search results.

The complete list is retrieved in just a few seconds. The more criteria added to the search, the more specific the results. Storing all connections in a database like this is of course rather resource expensive, but when it is needed, this kind of information is invaluable.

The connection search can be performed in the client (see Section 8.10.8, “Connection Search”).

7.8.2. Usage overview

The connection search accepts a set of criteria and returns a result set. Searching queries the connection database for connections that match the criteria. The criteria only support exact positive matches, so searching for something which is NOT EQUAL to something is not possible. Criteria that are not defined are set to "Any".

The database is structured so that the more criteria are added to the search, the longer it takes to produce the results.

At least one criterion must be given to perform a search.

7.8.3. Available criteria

• Client - The client's IP address or port, provided as exact match or range.

• Server - The server's IP address or port, provided as exact match or range, or the host name of the server.

• Host - IP address of client or server, provided as exact match or range.

• Start time interval - A time interval during which the connection was initiated.

• End time interval - A time interval during which the connection ended.

• Service - The service in question.

• Protocol - The protocol in question.

• Visible NetObject - The name of a visible NetObject to which the connection belongs.

It is recommended to specify only the necessary fields, to keep the search efficient. For example, select just the Service "http", instead of the Service "http", the Protocol "TCP" AND the Server Port "80". Both "TCP" and "80" are already implied by the service in this case.

As an example: a set of hosts connects to the Internet through a NAT appliance. An abuse report states that someone from the host 1.2.3.4 has attacked a web server. The host 1.2.3.4 is the external interface of the NAT appliance, and the PacketLogic is placed behind the NAT, so it logs the connections made by the private hosts. In this case, specify "www.webserver.com" as the Server hostname criterion and perform a search. The results show which private address performed the attack. Adding the Start time interval given in the abuse report keeps the result set small.
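The search semantics above (positive matches only, omitted criteria meaning Any, ranges for addresses and ports, the Host criterion matching either end of the connection) and the NAT abuse case can be modelled directly. The block below is an added example written for this guide; it is neither the PythonAPI nor the client's Connection Search. The record layout follows the stored details in Section 7.8.4, but the "first-last" range syntax, the sample addresses (private 10.0.0.0/8 hosts behind the NAT, 203.0.113.10 standing in for www.webserver.com) and the connection log itself are constructed for the example.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

# The stored details listed in Section 7.8.4, one record per logged (accepted) connection.
Connection = namedtuple("Connection", "start end client server client_port server_port "
                        "protocol service serverhost incoming outgoing flags netobjects")


def _ip_match(address, crit):
    """crit: None (Any), an exact address, or a range written 'first-last' (assumed syntax)."""
    if crit is None:
        return True
    ip = ipaddress.ip_address(address)
    if "-" in crit:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in crit.split("-", 1))
        return lo <= ip <= hi
    return ip == ipaddress.ip_address(crit)


def _range_match(value, crit):
    """Ports and times: None (Any), an exact value, or an inclusive (low, high) tuple."""
    if crit is None:
        return True
    return crit[0] <= value <= crit[1] if isinstance(crit, tuple) else value == crit


def search(log, client=None, client_port=None, server=None, server_port=None, serverhost=None,
           host=None, start=None, end=None, service=None, protocol=None, netobject=None):
    """Every criterion is a positive exact (or range) match; omitted criteria mean Any.
    There is deliberately no way to express NOT EQUAL, and at least one criterion is required."""
    if all(c is None for c in (client, client_port, server, server_port, serverhost, host,
                               start, end, service, protocol, netobject)):
        raise ValueError("at least one criterion is required")
    return [c for c in log
            if _ip_match(c.client, client) and _range_match(c.client_port, client_port)
            and _ip_match(c.server, server) and _range_match(c.server_port, server_port)
            and (serverhost is None or c.serverhost == serverhost)
            and (host is None or _ip_match(c.client, host) or _ip_match(c.server, host))
            and _range_match(c.start, start) and _range_match(c.end, end)
            and (service is None or c.service == service)
            and (protocol is None or c.protocol == protocol)
            and (netobject is None or netobject in c.netobjects)]


T0 = datetime(2013, 6, 1, 12, 0, 0)
S = timedelta(seconds=1)
# Constructed sample log: private hosts behind a NAT whose external address is 1.2.3.4.
SAMPLE_LOG = [
    Connection(T0, T0 + 3 * S, "10.0.0.17", "203.0.113.10", 51234, 80, "TCP", "http",
               "www.webserver.com", 1200, 340, "", ("Staff",)),
    Connection(T0 + 60 * S, T0 + 300 * S, "10.0.0.42", "203.0.113.10", 40001, 80, "TCP", "http",
               "www.webserver.com", 8000, 5_000_000, "", ("Guests",)),
    Connection(T0 + 90 * S, T0 + 95 * S, "10.0.0.17", "198.51.100.5", 51300, 443, "TCP", "https",
               "mail.example.net", 50_000, 9_000, "", ("Staff",)),
    Connection(T0 - 86400 * S, T0 - 86390 * S, "10.0.0.99", "203.0.113.10", 33000, 80, "TCP", "http",
               "www.webserver.com", 900, 200, "", ("Guests",)),            # a day earlier
]


def abuse_case():
    """The guide's NAT example: the report names 1.2.3.4 (the NAT) and www.webserver.com, so a
    search by server hostname within the reported window reveals the private clients."""
    hits = search(SAMPLE_LOG, serverhost="www.webserver.com", start=(T0, T0 + 600 * S))
    return sorted({c.client for c in hits})
```

Narrowing further with a Visible NetObject or a client range is just another positive criterion; excluding a host is not expressible and has to be done on the returned result set.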

7.8.4. Stored details

The connection log stores, and can display, the following parameters for each connection:

• Start Time

• End Time

• Client

• Server

• Client Port

• Server Port

• Protocol

• Service

• Serverhost

• Incoming

• Outgoing

• Flags

• NetObjects

7.8.5. Storage considerations

Each connection stored consumes approximately 100 bytes of storage space (varying slightly with compression). As a sizing illustration, a sustained rate of 10,000 new connections per second therefore produces roughly 1 MB per second, or about 86 GB per day.

7.9. IPFIX Export

A PacketLogic system capable of storing statistics can also build and export IPFIX records as defined in RFC 5101. The system where the IPFIX daemon is configured connects to the configured PacketLogic systems to receive connection data. From this the IPFIX daemon builds IPFIX records which are exported (sent) to the configured collector(s).

Note: A gatherer (the IPFIX daemon component that connects to PacketLogic systems) can only be configured with a range of engines available at the target system. If not all engines are available or running, the gatherer keeps trying to connect and logs the connection failure.

Configuration is done in the CLI, in System Administration -> Statistics (Chapter 9, CLI Menu).

The IPFIX daemon in PacketLogic has two templates: one for IPv4 and one for IPv6. They contain the following fields (named according to RFC 5102). The number is the field length in bytes. The templates are sent to the collectors every minute by default. A collector can only decode data records whose template it has already received, so a collector started or restarted between two template transmissions cannot interpret data records until the next template arrives.

IPFIX IPv4 template (template ID 5995)

• sourceIPv4Address (4)

• destinationIPv4Address (4)

• sourceTransportPort (2)

• destinationTransportPort (2)

• flowStartSeconds (4)

• flowEndSeconds (4)

• octetTotalCount (8)

• packetTotalCount (8)

• ingressInterface (4)

• egressInterface (4)

• bgpSourceAsNumber (4)

• bgpDestinationAsNumber (4)

IPFIX IPv6 template (template ID 5996)

• sourceIPv6Address (16)

• destinationIPv6Address (16)

• sourceTransportPort (2)

• destinationTransportPort (2)

• flowStartSeconds (4)

• flowEndSeconds (4)

• octetTotalCount (8)

• packetTotalCount (8)

• ingressInterface (4)

• egressInterface (4)

• bgpSourceAsNumber (4)

• bgpDestinationAsNumber (4)

The IPFIX exporter, when running, registers a system diagnostics zone with counters to monitor operational status.
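To show what a collector actually receives, the following added example (written for this guide, not Procera's IPFIX daemon) encodes the two templates above into an IPFIX template set, encodes a constructed flow as a data record, and parses both on the collector side. The template IDs and the field order and lengths are taken from the lists above; the numeric element IDs are the IANA assignments from RFC 5102, which the guide does not list; the flow values, export times, sequence numbers and observation domain are constructed. The collector also shows the template-refresh caveat: a data set fed before its template is counted as skipped rather than decoded.

```python
import ipaddress
import struct

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2
MSG_HDR = struct.Struct("!HHIII")   # version, length, exportTime, sequenceNumber, observationDomainId
SET_HDR = struct.Struct("!HH")      # setId, length

# Field order and byte lengths exactly as the guide lists them. The numeric element IDs are the
# IANA assignments from RFC 5102 (the guide gives only the names).
COMMON = [("sourceTransportPort", 7, 2), ("destinationTransportPort", 11, 2),
          ("flowStartSeconds", 150, 4), ("flowEndSeconds", 151, 4),
          ("octetTotalCount", 85, 8), ("packetTotalCount", 86, 8),
          ("ingressInterface", 10, 4), ("egressInterface", 14, 4),
          ("bgpSourceAsNumber", 16, 4), ("bgpDestinationAsNumber", 17, 4)]
TEMPLATES = {
    5995: [("sourceIPv4Address", 8, 4), ("destinationIPv4Address", 12, 4)] + COMMON,
    5996: [("sourceIPv6Address", 27, 16), ("destinationIPv6Address", 28, 16)] + COMMON,
}
NAME_BY_ID = {eid: name for fields in TEMPLATES.values() for name, eid, _ in fields}


def _message(sets, export_time, seq, domain=1):
    body = b"".join(sets)
    return MSG_HDR.pack(IPFIX_VERSION, MSG_HDR.size + len(body), export_time, seq, domain) + body


def template_message(export_time, seq):
    """One template set carrying both templates: what the exporter resends every minute."""
    recs = b"".join(struct.pack("!HH", tid, len(f)) + b"".join(struct.pack("!HH", e, ln) for _, e, ln in f)
                    for tid, f in TEMPLATES.items())
    return _message([SET_HDR.pack(TEMPLATE_SET_ID, SET_HDR.size + len(recs)) + recs], export_time, seq)


def data_message(template_id, records, export_time, seq):
    """A data set (set ID = template ID) of fixed-size records laid out in template field order."""
    fields = TEMPLATES[template_id]
    body = b"".join(
        b"".join(ipaddress.ip_address(r[n]).packed if n.endswith("Address") else int(r[n]).to_bytes(ln, "big")
                 for n, _, ln in fields)
        for r in records)
    return _message([SET_HDR.pack(template_id, SET_HDR.size + len(body)) + body], export_time, seq)


class Collector:
    """Minimal collector: learns templates from template sets and decodes only data sets it knows."""

    def __init__(self):
        self.templates = {}      # template ID -> [(element ID, length)]
        self.skipped_sets = 0    # data sets that arrived before their template (undecodable)

    def feed(self, msg):
        version, length, _time, _seq, _domain = MSG_HDR.unpack_from(msg)
        if version != IPFIX_VERSION or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        pos, out = MSG_HDR.size, []
        while pos + SET_HDR.size <= length:
            set_id, set_len = SET_HDR.unpack_from(msg, pos)
            payload = msg[pos + SET_HDR.size:pos + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn(payload)
            elif set_id >= 256 and set_id in self.templates:
                out.extend(self._decode(self.templates[set_id], payload))
            else:
                self.skipped_sets += 1
            pos += set_len
        return out

    def _learn(self, payload):
        p = 0
        while p + 4 <= len(payload):
            tid, count = struct.unpack_from("!HH", payload, p)
            p += 4
            # IANA elements only; an enterprise bit (0x8000) in the element ID is not handled here
            self.templates[tid] = [struct.unpack_from("!HH", payload, p + 4 * i) for i in range(count)]
            p += 4 * count

    @staticmethod
    def _decode(fields, payload):
        rec_len, records, p = sum(ln for _, ln in fields), [], 0
        while p + rec_len <= len(payload):       # a trailing remainder shorter than a record is padding
            rec = {}
            for eid, ln in fields:
                raw, p = payload[p:p + ln], p + ln
                name = NAME_BY_ID.get(eid, f"element{eid}")
                rec[name] = str(ipaddress.ip_address(raw)) if name.endswith("Address") else int.from_bytes(raw, "big")
            records.append(rec)
        return records


def demo():
    """Constructed flow; the sequence number counts data records exported so far (RFC 5101)."""
    flow = {"sourceIPv4Address": "10.0.0.17", "destinationIPv4Address": "203.0.113.10",
            "sourceTransportPort": 51234, "destinationTransportPort": 80,
            "flowStartSeconds": 1370088000, "flowEndSeconds": 1370088003,
            "octetTotalCount": 5000000, "packetTotalCount": 3400, "ingressInterface": 1,
            "egressInterface": 2, "bgpSourceAsNumber": 64512, "bgpDestinationAsNumber": 64513}
    collector = Collector()
    early = collector.feed(data_message(5995, [flow], 1370088060, seq=0))   # no template known yet
    collector.feed(template_message(1370088060, seq=1))
    late = collector.feed(data_message(5995, [flow], 1370088120, seq=1))
    return early, collector.skipped_sets, late
```

An IPv4 record is 52 bytes and an IPv6 record 76 bytes, so a collector can sanity-check a data set's length against the template before decoding; a mismatch usually means the collector holds a stale template for that ID.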

7.10. PythonAPI

There are endless combinations and views that can be made from the statistics generated by PacketLogic. The views available in the Statistics viewer in the client provide easy access to those frequently used. However, to produce output for customized purposes, the PacketLogic PythonAPI is available. The PacketLogic PythonAPI has functions to access statistics data and connection logging, and adapting the output is a matter of writing a Python script. The API is available, along with reference documentation and examples, at http://python.proceranetworks.com.

Chapter 8. The PacketLogic Client Interface

The PacketLogic client is the graphical user interface for configuring and operating PacketLogic. It implements all commonly used features of the PacketLogic (monitoring in the LiveView views, displaying statistics in the Statistics views, configuring the ruleset in the Objects and Rules editor, and so on).

The client uses menus, buttons, and tabs for quick navigation, and context-sensitive menus are available in most views by right-clicking. For all views where values are displayed in columns, the column header row can be right-clicked to view a list of the values that can be displayed. Values with a check mark in front of them are currently displayed. Columns can be resized and moved by clicking and dragging in the column header row.

Starting the client opens the System Manager (see Section 8.2, “System Manager”), unless it has been configured to connect directly to a system, in which case it goes directly to the System Overview (see Section 8.5, “System Overview”) for that system.

There are keyboard shortcuts for many of the functions in the PacketLogic client. In the drop-down menus, the keyboard shortcut for each choice is shown next to the item. All available keyboard shortcuts are listed in Appendix B, Keyboard Shortcuts.

8.1. Command Line Mode

The client can be run in so-called command line mode. This allows scripted use of the client, specifically intended for generating statistics reports from scripts. When the client is started in command line mode, the following arguments are available:

• --server=<IP-address> IP address to a PacketLogic system.

• --user=<User> User to use at login.

• --password=<Password> Password to use at login.

• --bookmark-file=<Path to bookmark file> Bookmark file to be used for export to PDF or CSV.

• --bookmark=<Bookmark> Bookmark to be used for export to PDF or CSV.

• --create-pdf Create PDF from specified bookmark. Requires that a bookmark is specified with --bookmark.

• --create-csv Create CSV from specified bookmark. Requires that a bookmark is specified with --bookmark.

• --template=<Path to report template> Create a report specified in the report template XML file given as argument (see the Report Studio Product Guide).

• --input-<Name of template input>=<Value> Enter the input values for the report template (see the Report Studio Product Guide).

• --only-reports Only enable the report generation interface of the client.

Use plclient --help for a list of the available arguments on the command line.

Either --create-pdf or --create-csv can be used to generate statistics without opening the client (if both are given, only the one entered last on the command line is used). The file created is named after the bookmark from which the statistics are generated, with a .pdf or .csv suffix. If there are multiple bookmarks with the same name, the first one found is used.

Note that --server, --user, and --password can also be used to start the graphical client interface as usual, connecting directly with the authentication details specified and bypassing the System Manager. A password given as a command-line argument is visible to other local users in the process list and may be recorded in shell history, so give a user that is only used for scripted report generation no more permissions than that task requires.

8.2. System Manager

To connect to the PacketLogic, start the PacketLogic client. This opens the System Manager, where multiple PacketLogic systems can be defined, with a name, address, username, and password, and organized in a folder structure. Defined folders and systems can be moved around in the folder structure using drag-and-drop. Right-clicking folders and systems also gives access to context-sensitive functions (adding, removing, and renaming folders and systems, and importing or exporting the list of systems to a file).

Figure 8.1. The System Manager

The Default view selected is the client view opened on initial connection. By default, System Overview is selected. Once connected, the other views can be opened regardless of which was opened first.

To connect to a system, select it and click Connect, or simply double-click the system.

It is possible to skip the System Manager by selecting the checkbox Automatically connect to this system on startup for a selected system. Starting the client will then connect to this system immediately. The System Manager can then be accessed by clicking the System Manager button in the toolbar.

8.2.1. Advanced Options

Clicking the arrow by Advanced options unfolds additional configuration items.

8.2.1.1. Use Compression

Selecting Use compression means that the PacketLogic uses compression for the communication with the client. This reduces the bandwidth used, but may increase the CPU load on the PacketLogic in order to perform the compression.

8.2.1.2. Connecting to multiple PacketLogic systems

It is possible to open separate windows for each PacketLogic system to connect to. Simply open the System Manager and connect to a new system. This opens a new window.

To combine and aggregate information from multiple PacketLogic systems, use the Synced systems option under Advanced options in the System Manager. Synced systems is a list of addresses of PacketLogic systems, defined for each entry in the System Manager. If this list is empty, the client connects to the single system as usual. If there are systems in the Synced systems list, the client connects to the entry and all the systems in the list simultaneously, combining relevant information into a single view. Information that cannot be combined in a natural way is split into separate views per system.

The Local Hosts, ServiceObjects, Services, and any custom views are combined, so the information sent from all systems is transparently aggregated into a single view. This applies only to LiveView. Resources and configuration shown apply only to the system defined by the entry in the System Manager used when connecting.

Synced systems must share the login account used, and must have the same objects and rules defined. This is intended for systems being proxied to the same proxy host.

8.2.1.3. Use different password for LiveView login

This allows the client to send one password to log in to the database, and another to log in to PLD (LiveView). This can be useful for deployments with external authentication mechanisms.

8.2.1.4. Use proxy if available

This allows the client to connect through a SOCKS5 proxy. For the checkbox to be selectable, a proxy must previously have been configured in the Preferences in the Edit menu (Section 8.4.2.1, “Preferences”).

8.3. Status Bar

At the bottom of the client in all views when logged in is a status bar, displaying the following information:

• Version shows the currently running PacketLogic firmware version. Holding the mouse pointer over this field displays a tool tip with the firmware version and the version of the currently loaded ARM (application recognition module for service definitions in DRDL). Double-clicking this field opens a window with details on the currently loaded ARM.

• System ID shows the unique system identifier for the system.

• System shows the IP address on the Admin interface of the system.

• Username shows which user is currently logged on.

• Time shows the current time and date on the PacketLogic system. This shows N/A until the LiveView has been opened.

8.4. Drop-Down Menus

The following menus are available in all client parts as drop-down menus. They appear when connected to a PacketLogic system.

8.4.1. File Menu

The File drop-down menu offers the following options:

• System Manager opens the System Manager (see Section 8.2, “System Manager”).

• Quick Connect opens a Quick Connect dialog to connect to a PacketLogic system.

• Reconnect opens a new client connection to the current PacketLogic system.

• Check for updates checks the Procera Networks server for a more current version of the client.

• Close Window closes the current client. If multiple clients are open, the remaining clients are unaffected. If no other clients are open, the client quits.

• Quit closes all clients.

8.4.2. Edit Menu

The Edit drop-down menu offers the following options:

• Objects & Rules contains a submenu with the following options to open the Objects & Rules editor (see Section 8.10.1, “Objects & Rules Editor”):

• Open Without Stealing Resource opens the editor in the normal way, without locking the resource for exclusive use. This is the default way to open the editor.

• Steal Resource And Open obtains an exclusive lock on the Objects & Rules resource before opening it, to prevent any other sessions from saving changes to it. This can be useful when there are snoopers or custom integration scripts performing operations on the ruleset, causing it to reload at a high rate. This option requires read and write permissions on the Resource and Objects & Rules resources.

• Open Read Only opens the Objects & Rules resource read-only, which has the following implications:

• No actions can be performed on the objects or rules.

• The view is not affected by subsequent updates to the objects or rules made by another client or by API calls (such as snoopers or custom integrations).

• Channels (see Section 8.10.10, “Channel Editor”).

• Users opens the User Editor (see Section 8.10.2, “User Editor”).

• Log Levels opens the Log Levels Editor (see Section 8.10.11, “Log Levels Editor”).

• Host Triggers opens the Host Trigger Editor (see Section 8.10.3, “Host Trigger Editor”).

• Connection Protection Triggers opens the Connection Protection Trigger Editor (see Section 8.10.4,“Connection Protection Trigger Editor”).

• System Configuration opens the System Configuration Editor (see Section 8.10.12, “System Configuration Editor”).

• Preferences... opens the Preferences dialog (see Section 8.4.2.1, “Preferences”).

8.4.2.1. Preferences

The Preferences dialog consists of five tabs with different configurable settings.

In the System Overview tab, the following setting is available:

• Chart time interval (hours) configures the interval displayed in graphs shown in the System Overview. This can be set to a number of hours ranging from one to 24.

In the LiveView tab, the following settings are available:

• Update interval (seconds) determines the interval, in seconds, at which the information in LiveView is updated.

• Show transfer rates as determines the scaling of the transfer rates shown (kbps, Mbps, Gbps, or automatic). Automatic makes LiveView adapt the scale to the current levels.

• Number of decimals determines how many decimals are shown in the numbers displayed in LiveView.

• Use reverse hostname lookup in the local hosts view, if checked, makes the client perform a DNS lookup for each host in the Local Hosts view in LiveView.

• Use reverse hostname lookup in the connection view, if checked, makes the client perform a DNS lookup for the hosts in a connection when viewing details for a connection in LiveView.

Caution: Use the reverse hostname lookup options with care. The DNS server must be able to handle the load of lookup requests, which can be considerable; overloading it may cause it to stop responding. Every lookup also tells that resolver which addresses are being monitored, so use an internal resolver rather than a public one.

In the Statistics tab, the following settings are available:

• Home page determines the starting point for browsing statistics when the Statistics viewer is opened.

• Custom fonts, if checked, allows configuring the fonts used when viewing statistics. Fonts can be selected for title, label, and footer separately.

• Congestion line in line charts configures if line charts shall show a horizontal line for a certain percentage of linkspeed. The percentage is configurable. The linkspeed is explicitly set as an attribute on a NetObject, and the congestion line is shown for line charts of NetObjects where the linkspeed is set (for information on setting the linkspeed attribute, see Section 8.10.1.2, “NetObject Editor”).

In the Advanced tab, the following settings are available:

• Language determines the language used by the client. Selecting System Language will make the client retrieve the language setting from the system.

• Check for updates on startup selects whether the client shall contact the Procera Networks server when started to check for a newer version of the client.

In the Proxy tab, the following settings are available:

• Host is the name or IP address of the host acting as a SOCKS proxy.

• Port is the port used by the proxy.

8.4.3. View Menu

The View drop-down menu has different options depending on whether the System Overview (see Section 8.5.5, “View Menu in System Overview”), LiveView (see Section 8.6.11, “View Menu in LiveView”), or Statistics view (see Section 8.8.10, “View Menu in Statistics”) is open.

8.4.4. Tools menu

The Tools drop-down menu offers the following options:

• Backup Manager opens the Backup Manager (see Section 8.10.5, “Backup Manager”).

• Resource Manager opens the Resource Manager (see Section 8.10.9, “Resource Manager”).

• File Manager opens the File Manager (see Section 8.10.6, “File Manager”).

• Log Viewer opens the Log Viewer (see Section 8.10.7, “Log Viewer”).

8.4.5. Help Menu

The Help drop-down menu offers the following options:

• About shows an information window about the client software itself, containing build date and protocol version (in the Mac OS X client, this is instead located in the PacketLogic Client drop-down menu).

• System Information shows information about the PacketLogic system to which the client is connected, with host address, logged in user, running version, and System ID.

• Request Support opens the support form in a web browser, where a support request can be entered and submitted to Procera Networks technical support.

• Interactive Support opens an Internet Relay Chat (IRC) conversation with the support at Procera Networks. This is an informal support forum where there are people to ask most of the time, and questions are usually answered quickly. To use the Interactive Support function, just enter a nick name of your choice and press Connect. In the IRC window, enter text in the field at the bottom and press Enter to send the question in real time to the support channel at Procera Networks.

8.5. System Overview

The System Overview contains an overview of one or more systems. Which systems are visible in the System Overview is governed by the proxy setup in the Resource Manager (see Section 8.10.9, “Resource Manager”). For details on proxying resources, see Chapter 11, Centralized Management. If the system to which the client connects is not connected by proxying the System Overview to more PacketLogic systems, the System Overview only shows the system itself.

The left-hand pane has a navigation tree, with three nodes: Systems, Totals Graphs, and Values.

8.5.1. Systems

Selecting the Systems node shows a list of all systems proxied to the same System Overview proxy host, with SystemID, address, last update from the system, and firmware version. For systems other than the one currently connected, there is also a button in the Connect column to connect to that system.

In the Systems node, each system is shown with an individual entry denoted by the SystemID. Selecting a system entry shows an information pane about the system, with a system name (defined by the System Configuration value SYSTEM_NAME), System ID, address, last update, firmware version, DRDL revision (signatures), an MD5 sum of the configuration data, and model name. Additionally, fields from the Channel Statistics in LiveView can be added here by opening Channel Statistics in LiveView, right-clicking the desired channel interface, and selecting to add it to the System Overview.

Figure 8.2. The System Overview

Below the information pane, graphs of all values selected for System Overview in System Diagnostics are displayed. To add a value to the System Overview, right-click it in the System Diagnostics view and select Add to System Overview. To remove a value already in the System Overview, right-click the title bar of that value in System Overview and select Remove from System Overview.

The graphs shown in the System Overview display the last 24 hours of values (configurable in the View drop-down menu), and are refreshed once every minute. By moving the cursor over the graphs, a cursor displaying the exact value in each graph for a specific point in time is shown, along with the time for the value. When showing a minimum value, the box frame is colored green, and when showing a maximum value, the box frame is colored red.

8.5.2. Values

The Values node contains an entry for each value selected for System Overview in System Diagnostics. Selecting a value shows graphs for the value for each system available in the System Overview.

8.5.3. Totals Graphs

The Totals Graphs node shows graphs for the values selected for System Overview in System Diagnostics summed for all systems available in the System Overview.

8.5.4. System Information

The System Information node shows system data for the PacketLogic system to which the client is connected. This includes inventory information, available sensor values for voltage, temperature, fan status, and other data depending on the system.

8.5.5. View Menu in System Overview

The View drop-down menu in System Overview offers the following option:

• Main Toolbar selects whether the Main Toolbar shall be displayed (see Section 8.9, “Main Toolbar”).

8.6. LiveView

The LiveView part of the client shows real-time information for the traffic flowing through the channel or channels in the PacketLogic system, as well as some information regarding the PacketLogic system itself. The information is divided into various views, available in a tree structure to the left.

By default, LiveView shows the Local Hosts view (see Section 8.6.2, “Local Hosts”).

Almost all information displayed in the various views can be graphed in real-time, by right-clicking the item in the view and selecting "Monitor Item". This brings up a view of real-time graphs for all values displayed for that item.

The real-time graphs displayed show the last 5 minutes of data and are refreshed every 5 seconds. The refresh rate is configurable (see Section 8.4.2.1, “Preferences”). By moving the cursor over the graphs, a cursor displaying the exact value for a specific point in time is shown, along with the time for the value.

Figure 8.3. Real-time graph of traffic for a NetObject

For the three topmost list views in the left-hand tree (Local Hosts, Service Objects, and Services) and any custom views, the items can be opened and expanded to go all the way into an individual connection. When an item is opened in this way, the tree structure in the left-hand pane displays the opened item as well. This item can then be kept in the tree for quick access. To close the opened item (and remove it from the tree), click the red X in the top right corner shown with the item, or right-click the item in the tree view to the left.

Figure 8.4. Detailed view of a connection

The detailed connection view shows the following information about the selected connection:

• Client address is the address of the host acting as client in the connection. By default, both resolved host name and IP address are shown. This can be changed in the LiveView preferences (see Section 8.4.2.1, “Preferences”).

• Client port is the port used for the connection on the host acting as client in the connection.

• Server address is the address of the host acting as server in the connection. By default, both resolved host name and IP address are shown. This can be changed in the LiveView preferences (see Section 8.4.2.1, “Preferences”).

• Server hostname is the host name seen in the connection by DRDL. This field is only shown for services where this property is set.

• Server port is the port used for the connection on the host acting as server in the connection.

• Protocol is the protocol used for the connection.

• Service is the name of the service generating the connection. A service can be an application or a protocol. See the document DRDL Signatures and Properties available in the File Manager in the Documentation folder for a list of the available services.

• Base Service is the name of the service as identified by DRDL. If Base Service differs from Service, a virtual service definition is providing the Service (see Section 4.4.2.4, “Virtual Services”).

• Shaping rules is a list of the shaping rules that apply to this connection.

• Priority is the priority number this connection is set to. For information on priority in PacketLogic, see Section 5.2.2, “Priority”.

• VLAN In is the VLAN ID of the inbound packets of the connection. In case of multiple (nested) VLAN tags, which one to display can be configured with the system configuration value QINQ_ILEVEL (see Appendix A, System Configuration Values).

• VLAN Out is the VLAN ID of the outbound packets of the connection. In case of multiple (nested) VLAN tags, which one to display can be configured with the system configuration value QINQ_ILEVEL (see Appendix A, System Configuration Values).

• Server AS-Path is the AS path to the server of the connection (only visible if BGP is enabled, see Section 10.5, “Configuring BGP Support”).

• Client AS-Path is the AS path to the client of the connection (only visible if BGP is enabled, see Section 10.5, “Configuring BGP Support”).

• Start Time is the time the connection was initiated.

• Flags is a list of connection flags that apply to the current state of the connection. See Section 4.7.1.12, “FlagObjects” for details.

• Statistics rules is a list of the statistics rules that apply to this connection.

• Incoming Average Latency is the average latency for inbound packets in the connection.

• Outgoing Average Latency is the average latency for outbound packets in the connection.

• Incoming Drops is the number of dropped inbound packets in the connection.

• Outgoing Drops is the number of dropped outbound packets in the connection.

• MPLS Label In is the MPLS label seen on inbound packets in the connection.

• MPLS Label Out is the MPLS label seen on outbound packets in the connection.

• DSCP In is the value of the DSCP field found in inbound packets in the connection.

• DSCP Out is the value of the DSCP field found in outbound packets in the connection.

• Channel In is the ID of the channel on which the inbound packets in the connection arrive. Channel ID can be mapped to channel interface locations in the Channel Editor (see Section 8.10.10, “Channel Editor”).

• Channel Out is the ID of the channel on which the outbound packets in the connection are sent. Channel ID can be mapped to channel interface locations in the Channel Editor (see Section 8.10.10, “Channel Editor”).

• Incoming Internal Quality is a percentage showing the quality of the packet transmission for inbound packets on the internal channel interface in the connection, based on packet drops and fragmentation (see Section 4.2.9, “Quality Measurement Algorithm” for details).

• Incoming External Quality is a percentage showing the quality of the packet transmission for inbound packets on the external channel interface in the connection, based on packet drops and fragmentation (see Section 4.2.9, “Quality Measurement Algorithm” for details).

• Outgoing Internal Quality is a percentage showing the quality of the packet transmission for outbound packets on the internal channel interface in the connection, based on packet drops and fragmentation (see Section 4.2.9, “Quality Measurement Algorithm” for details).

• Outgoing External Quality is a percentage showing the quality of the packet transmission for outbound packets on the external channel interface in the connection, based on packet drops and fragmentation (see Section 4.2.9, “Quality Measurement Algorithm” for details).

• Inside RTT is the roundtrip time for the TCP three-way handshake seen between the PacketLogic and the host on the internal side in this connection.

• Outside RTT is the roundtrip time for the TCP three-way handshake seen between the PacketLogic and the host on the external side in this connection.

• Tunnel level is the number of tunnel headers before the IP header of the connection shown (see Section 4.2.1.1, “Tunnel Levels and Types”).

• Outgoing TTL/Hop Limit is the last seen TTL/Hop Limit in the IP header of an outgoing packet in this connection.

• Seen per host outgoing TTLs/Hop Limits is the number of different values for TTL/Hop Limit seen for the local host in this connection.

• Transfer statistics shows the traffic statistics for this particular connection. The Current row shows the current rate of inbound, outbound, and total (sum of inbound and outbound) traffic, and the Total row shows the accumulated value for the lifetime of the connection.

• Service properties shows a listing of the service properties determined for the connection. The listing contains the name of the property and the value. Service properties vary with connections and services.

8.6.1. Custom Views

Custom views allow defining what to see in LiveView, and in what way. A custom view consists of a set of filters to define what connections to include in the view, and a distribution defining how to organize the aggregation of data.

Creating a custom view is done in the Custom View Editor (Section 8.10.13, “Custom View Editor”).

8.6.2. Local Hosts

The Local Hosts view displays real-time information about traffic, sorted based on the hosts generating the traffic. The Local Hosts view displays information for the NetObjects selected to be Visible NetObjects, plus an object named <Ungrouped> (which contains all local hosts that are not included in any NetObject).

Figure 8.5. Local Hosts

Name The name of the list item

Incoming The inbound bandwidth of the item, after PacketLogic has applied the ruleset (packets are counted as they enter their queues).

Outgoing The outbound bandwidth of the item, after PacketLogic has applied the ruleset (packets are counted as they enter their queues).

Total The sum of Incoming and Outgoing.

Incoming CPS The number of inbound connections initiated per second.

Outgoing CPS The number of outbound connections initiated per second.

Total CPS The sum of In CPS and Out CPS.

Est. Connections The number of currently seen established connections (established means that there have been packets sent from both client and server in the connection).

Unest. Connections The number of currently seen connections where there has been no response from one side.

Total Connections The total number of currently seen connections (established or unestablished).

In Int Quality The quality metric for the inbound packets on the internal channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

Out Ext Quality The quality metric for the outbound packets on the external channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

In Ext Quality The quality metric for the inbound packets on the external channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

Out Int Quality The quality metric for the outbound packets on the internal channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

To select which columns to display, right-click the title bar of the list view and leave the items to see checked, and uncheck the rest.

By default, hosts are shown with their IP addresses. To resolve host IP addresses into host names in the local hosts view, DNS resolution is configurable in Preferences available in the Edit drop-down menu. With this option enabled, host names are displayed within parentheses next to the IP address.

Caution: Use the Enable Reverse Hostname Lookup option with care. The DNS server must be able to handle the load of requests from PacketLogic, and this load can be considerable. Overloading the DNS server may cause it to stop responding.

Selecting an object in the Local Hosts view unfolds the object hierarchy, as defined in the NetObject (the built-in Ungrouped object does not contain a structure). The structure can be unfolded down to host level. Double-clicking a host opens a view of the existing connections for that host, separated by whether the host acts as client or server in the connections and what protocol is used. This view unfolds further, down to individual connections. For asymmetric connections (connections where PacketLogic sees only one direction of the flow), the connection is colored blue (or the color set for links on the host running the client). Unestablished connections are greyed out and parenthesized. Hosts affected by connection protection (see Section 4.8.2, “Connection Protection”) are colored red.

Double-clicking a connection opens a detailed view of that connection, with all the information that PacketLogic has been able to extract from it.

8.6.3. Service Objects

The Service Objects view works just like the Local Hosts view described above, except that the traffic is sorted based on Service Objects and services. The object structure can be unfolded down to individual services (such as FTP or BitTorrent). Double-clicking a service will open a view where all connections matching that service are shown, separated by the client, server, or neither being local to the PacketLogic, and organized by protocol. For services, it is also possible to choose between ordering the connections based on the client or the server of the connection, by selecting it in the Group by: drop-down list in the top right corner. Just as in the Local Hosts view, details for individual connections can be shown and all levels of the hierarchy can be graphed in real-time by right-clicking the item and selecting "Monitor Item".

Figure 8.6. ServiceObjects

For each displayed item, the following columns of information are available:

Name The name of the list item

Incoming The inbound bandwidth of the item.

Incoming % The inbound bandwidth of the item, as a percentage of the inbound bandwidth of the enclosing ServiceObject.

Outgoing The outbound bandwidth of the item.

Outgoing % The outbound bandwidth of the item, as a percentage of the outbound bandwidth of the enclosing ServiceObject.

Total The sum of Incoming and Outgoing.

Total % The total bandwidth of the item (incoming plus outgoing), as a percentage of the total bandwidth of the enclosing ServiceObject.

In CPS The number of inbound connections initiated per second.

Out CPS The number of outbound connections initiated per second.

Total CPS The sum of In CPS and Out CPS.

Connections The number of currently seen established connections (established means that there have been packets sent from both client and server in the connection).

In Int Quality The quality metric for the inbound packets on the internal channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

Out Ext Quality The quality metric for the outbound packets on the external channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

In Ext Quality The quality metric for the inbound packets on the external channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

Out Int Quality The quality metric for the outbound packets on the internal channel interface (see Section 4.2.9, “Quality Measurement Algorithm” for details).

To select which columns to display, right-click the title bar of the list view and leave the items to see checked, and uncheck the rest.

There is a preinstalled ServiceObject tree Procera Networks Categories, which shows all services listed by the type of traffic or application. Services that have not yet received a full categorization are gathered in the Uncategorized object.

To see the list of connections in a ServiceObject, right-click the ServiceObject and select Show Connections.

8.6.4. Services

The Services view displays real-time information about traffic, sorted based on the service generating the traffic, regardless of their Service Object grouping. Just as in all other list views, items can be right-clicked to access the real-time graphing through "Monitor Item", and individual connections can be shown by double-clicking a service name, expanding the displayed connection tree down to the individual connection, and double-clicking the connection to show its details. For services, it is also possible to choose between ordering the connections based on the client or the server of the connection, by selecting it in the Group by: drop-down list in the top right corner.

Figure 8.7. Services

Selecting a service in the Services view also displays a brief informative text about the traffic belonging to thisservice at the bottom of the view. Clicking More will open a dialog showing more information.

The Services view has the same columns available as the Service Objects view (see Section 8.6.3, “Service Objects”). The percentage columns in the Services view, however, show the percentage of the entire bandwidth for Incoming, Outgoing, and Total, respectively, since there are no enclosing ServiceObjects in the Services view.

8.6.5. Categories

The Categories view displays real-time information about traffic, sorted based on the categorization of URLs (see Section 4.2.7, “URL Categorization”).

Figure 8.8. Categories

8.6.6. Shaping Objects

The Shaping Objects view displays information for the Shaping Objects that exist in the system. The view is split into three panes. The top pane shows incoming information for ShapingObjects, the middle shows outgoing information, and the bottom pane shows bidirectional information.

Note: Information is displayed for both incoming and outgoing even if there are limits applied in only one direction. This is because traffic is accounted in both directions. Shaping, however, is only performed on the direction with limits imposed.

Note: Immediately after a ruleset reload (pressing Save in the Objects & Rules Editor), ShapingObjects are shown in the Incoming/Outgoing panes even though they have bidirectional limits. This is because it may take a moment for the client to receive the information that the object has bidirectional limits. After this moment, the object is shown correctly in the Bidirectional pane.

The view displays the following information:

Copies The number of copies existing. Copies are created by using Split By in a ShapingObject (see Section 5.2.4, “Split By”).

Conn The number of connections using the shaping object

RX bps Bits per second received

TX bps Bits per second transmitted

RX pps Packets per second received

TX pps Packets per second transmitted

Drops The number of packets dropped

Marks The number of packets marked (by BROWN)

Max Lat. The longest latency added to a packet

Avg Q The average queue length

Max Q The maximum queue length

For information about ShapingObjects, see Chapter 5, PacketLogic Traffic Shaping.

8.6.7. Filtering Rules

The Filtering Rules view displays information for the filtering rules that exist in the system. The view displays the following information:

Hits/s The rate at which packets match the filtering rule

Hits total The number of packets that have matched the filtering rule

8.6.8. Filtering Log

The Filtering Log view displays the filtering log, with one line for each connection that has matched the filtering rule. Each line displays information on the rule in question, along with information on the connection that matched. The information shown depends on the log level set for the filtering rule.

At the bottom of the Filtering Log view, there are navigation buttons to go back and forward among the pages of the filtering log, and buttons to refresh and clear the log.

8.6.9. Rewrite Log

The Rewrite Log allows searching the rewrite log to see what connections have had their source IP rewritten as part of CGN (see Section 4.3, “Carrier Grade Network Address Translation (NAT)”).

To create the rewrite log, ensure that the system configuration value REWRITE_LOG is set to True.

The rewrite log can be searched by entering a time frame, an internal IP address, an external IP address, ports, and IP protocol.

8.6.10. Channel Statistics

The Channel Statistics view displays information on the channels in the system. The channels unfold to show the external and internal interfaces on the channel. The Channel Statistics view provides the following information:

Link The link state (for example 100 FD, which means 100Mbps full duplex)

RX packets The number of packets received on the interface

TX packets The number of packets transmitted on the interface

RX speed The rate at which packets are received on the interface

TX speed The rate at which packets are transmitted on the interface

RX errors The number of reception errors on the interface

TX errors The number of transmission errors on the interface

RX drops The number of packets dropped in reception

TX drops The number of packets dropped in transmission

In addition, several fields with counters for different error types are available (to view them, right-click the title bar and select the values to add to the view).

8.6.11. View Menu in LiveView

The View drop-down menu in LiveView offers the following options:

• Main Toolbar selects whether the Main Toolbar shall be displayed (see Section 8.9, “Main Toolbar”).

• Pause stops updating the values in LiveView. Selecting it again starts updating the values again. When paused, the icon is framed.

• Create Custom View opens the Custom View Editor (see Section 8.10.13, “Custom View Editor”).

• Go To Host... opens a dialog where an IP address or subscriber name can be entered. The input field becomes green and the Go To Host button is enabled when a correct IP or a subscriber search string is entered. Pressing Enter or clicking the Go To Host button will go to the entered host or subscriber in the Local Hosts view. If the host is not found, the client informs about this.

• Force Statistics Write signals the statistics and connection log to be written to disk immediately. By default, the PacketLogic sends any statistics and connection logging data generated to the statistics system once per hour. Should an additional write be required before the next scheduled write, this option can be used. For more information on statistics, see Chapter 7, PacketLogic Statistics.

8.7. System Diagnostics

Figure 8.9. System Diagnostics

The System Diagnostics view contains a number of subitems with diagnostics information for various parts and components in the system. These items are called zones. For detailed information on the values displayed in System Diagnostics, please turn to Appendix C, System Diagnostics Values in the appendixes.

In addition to the zones, there are graphs of selected values (in Graphs) and a Message log with the messages from generated alerts.

When the Graphs view is selected, any values that have had the option to be displayed in the summary selected are shown with real-time graphs. To remove a value from the summary, right-click in the graph and select Remove Graph. Right-clicking the System Diagnostics node in the left-hand navigation tree gives an option to show all alert limits configured, and edit them.

Figure 8.10. Graphs in System Diagnostics

The values in the System Diagnostics view can be right-clicked, which gives access to the following functions:

Add to graphs Displays a real-time graph of the value in the Graphs view (see above).

Copy Text Copies the text in the field where the cursor is placed.

Copy Row To Clipboard Copies the entire row into the clipboard, to be pasted into any text input.

Export Zone Values... Opens a dialog, where the values in the displayed zone can be exported to file as comma-separated values (CSV).

Add to System Overview Adds the value to the System Overview for this system (see Section 8.5, “System Overview” for details). This is only available at the top level for each value.

Reset Value Resets all accumulated counters for the value. This is only available at the top level for each value.

Alert Levels... Opens the Alert Limits editor, where limits for when the value shall trigger a System Diagnostics alert are configured. This is only available at the top level for each value.

8.7.1. Alert Levels Editor

Figure 8.11. System Diagnostics Alert Level Editor

The Alert Limits editor configures limits for when a value is to trigger an alert. For information on how to monitor alerts, see Chapter 12, Monitoring PacketLogic. This is only available at the top level for each value.

Four values can be configured:

Minimum value The lowest value the Current/Total value can have before triggering an alert.

Maximum value The highest value the Current/Total value can have before triggering an alert.

Minimum rate The lowest rate the value can have before triggering an alert.

Maximum rate The highest rate the value can have before triggering an alert.

In addition to generating an alert, a script to run (so-called system diagnostics trigger) can be selected. A trigger is a python script which is executed when the configured limit is crossed. The drop-down list shows the trigger scripts available to use. Trigger scripts can be uploaded using the File Manager (see Section 8.10.6, “File Manager”).

Furthermore, a comment can be entered which will be included in the alert.
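The four limits, the trigger script and the comment described above, as an added example that is not part of the PacketLogic product or its documentation: a small Python evaluator walks a sampled System Diagnostics value, raises one alert per limit crossing, and calls a trigger callback where the appliance would run the uploaded script. It assumes that "rate" means the change of the value per second between consecutive samples, that an alert fires once when a limit is crossed rather than on every sample while it stays crossed, and the sample series and limit values are constructed for the demonstration.

```python
"""Evaluate a sampled System Diagnostics value against Alert Limits (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Set, Tuple

Sample = Tuple[float, float]  # (timestamp in seconds, value)


@dataclass
class AlertLimits:
    """The four limits of the Alert Limits editor plus the comment; None means not set."""
    minimum_value: Optional[float] = None
    maximum_value: Optional[float] = None
    minimum_rate: Optional[float] = None   # per second (assumed unit)
    maximum_rate: Optional[float] = None   # per second (assumed unit)
    comment: str = ""                      # included in every alert, as the editor does


@dataclass
class Alert:
    value_name: str
    limit: str          # which limit was crossed, e.g. "maximum_value"
    timestamp: float
    observed: float     # the value or rate that crossed the limit
    threshold: float
    comment: str


def rate_between(prev: Sample, cur: Sample) -> float:
    """Change of the value per second between two consecutive samples (assumed definition)."""
    (t0, v0), (t1, v1) = prev, cur
    if t1 <= t0:
        raise ValueError("samples must be strictly increasing in time")
    return (v1 - v0) / (t1 - t0)


def _breaches(limits: AlertLimits, value: float,
              rate: Optional[float]) -> List[Tuple[str, float, float]]:
    """Return (limit name, observed, threshold) for every limit the sample violates."""
    out: List[Tuple[str, float, float]] = []
    if limits.minimum_value is not None and value < limits.minimum_value:
        out.append(("minimum_value", value, limits.minimum_value))
    if limits.maximum_value is not None and value > limits.maximum_value:
        out.append(("maximum_value", value, limits.maximum_value))
    if rate is not None:   # no rate exists for the very first sample
        if limits.minimum_rate is not None and rate < limits.minimum_rate:
            out.append(("minimum_rate", rate, limits.minimum_rate))
        if limits.maximum_rate is not None and rate > limits.maximum_rate:
            out.append(("maximum_rate", rate, limits.maximum_rate))
    return out


def evaluate(value_name: str, samples: Sequence[Sample], limits: AlertLimits,
             trigger: Optional[Callable[[Alert], None]] = None) -> List[Alert]:
    """Walk the samples in order and raise one Alert per limit crossing.

    A limit that stays violated over several samples produces a single alert when
    it is first crossed (edge-triggered, an assumption chosen to avoid alert storms);
    it can fire again once the value has returned inside the limit.
    """
    alerts: List[Alert] = []
    active: Set[str] = set()        # limits currently in the violated state
    prev: Optional[Sample] = None
    for sample in samples:
        ts, value = sample
        rate = rate_between(prev, sample) if prev is not None else None
        now = _breaches(limits, value, rate)
        for limit, observed, threshold in now:
            if limit not in active:
                alert = Alert(value_name, limit, ts, observed, threshold, limits.comment)
                alerts.append(alert)
                if trigger is not None:
                    trigger(alert)  # stands in for the uploaded trigger script
        active = {limit for limit, _, _ in now}
        prev = sample
    return alerts


# Constructed series: a "Connections" counter sampled once a minute (not real data).
SAMPLE_SERIES: List[Sample] = [(0, 100.0), (60, 150.0), (120, 400.0),
                               (180, 420.0), (240, 50.0)]
SAMPLE_LIMITS = AlertLimits(minimum_value=80, maximum_value=300, maximum_rate=3.0,
                            comment="connection count outside its normal band")


def demo() -> List[str]:
    """Return the limits crossed by SAMPLE_SERIES, in the order they fire."""
    fired = evaluate("Connections", SAMPLE_SERIES, SAMPLE_LIMITS)
    return [f"{a.limit}@{int(a.timestamp)}" for a in fired]


if __name__ == "__main__":
    for line in demo():
        print(line)
```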

8.7.2. Proxying System Diagnostics

System Diagnostics can also be proxied, which will show system diagnostics values for multiple systems in one view. Expanding a value shows values for the individual systems, and their values are combined to an aggregate value in the top (non-expanded) level. For details, see Section 11.2, “System Diagnostics”.

8.8. StatisticsThe Statistics viewer provides easy access to the statistical data collected by PacketLogic. The Statistics view hasan intuitive interface, designed to mimic the behavior of a web browser. To this end, the Statistics view uses tabs(for keeping multiple views open, and in the sidebar for navigation), bookmarks, an address field, and a navigationthat is similar to that of a web browser. Text that is a hyperlink to another view is marked blue, and can be clickedto access that view or right-clicked to open in a new tab. There are also back and forward buttons to navigate backand forth among the statistics views that have been shown.

Figure 8.12. The root view of the Statistics Viewer

The initial view opened in the Statistics viewer of the client shows a bar chart of the StatisticsObjects configured in the system.

Apart from the Statistics view where the start page is shown, there are tabs for navigation, bookmarks, and graphs in the sidebar. There are also tool buttons next to the address field above the bar chart.

For detailed information about the statistics, see Chapter 7, PacketLogic Statistics.

8.8.1. The Navigation Tab

The Statistics viewer shows a specific statistics view in the main window, based on the following information:

• A time interval for which to display statistics. This can be selected in the calendar tool on the left. There are also buttons in the Statistics viewer to go back or forward one time interval.

• A Distribution (selectable in a drop-down list in the Statistics viewer). This is the criterion on which the statistics are based (such as Service or NetObject), as defined in a StatisticsObject (see Section 4.7.4.3, “StatisticsObjects”) used by a Statistics rule.

• A Data type (selectable in a drop-down list in the Statistics viewer), which defines what type of data (such as throughput traffic, number of connections, or quality) shall be shown in the graph. The types available in the drop-down list depend on the types selected in the Fields configuration of the StatisticsObject (see Section 8.10.1.15, “StatisticsObject Editor”).

• Ascending or descending sort order (Sort by), which determines in which order the items shall be displayed.

• A maximum number of results (Max results), which determines how many of the items that shall be displayed.

• Values, which determine what data to show for the value. Which options are available depends on which fields are selected in the StatisticsObject gathering the statistical data.

• A chart type (bar, pie, percent bar, line, or stacked area chart), which determines how the statistics are shown. Bar charts display total metrics. Pie charts display total traffic volumes in proportions. Percent bar charts display segmented bar charts with the percentage of each segment. Line charts and Stacked Area Charts display the value over time. This can be selected by clicking the chart type button in the Statistics viewer or by entering a prefix in the Location field.

• Calculate average per subscriber, when selected, will show the graph with values averaged per subscriber. What constitutes a subscriber in this context is defined by which NetObjects have the attribute "Object should be considered a 'Subscriber' in Statistics" set (see Section 8.10.1.2, “NetObject Editor” for setting attributes on NetObjects).

Additionally, there are options that depend on the chart type. Bar charts have the following options:

• Include <Others> will show an item with the accumulated value of all items not shown because the Max results option excluded them.

• Show duration for matches will show a bar chart listing the duration for which the values have been within set limits during the interval. For more information see Section 7.1.10, “Listing Durations for Thresholds”.

Line charts have the following option:

• Show 95th percentile adds a horizontal line to the graph, indicating the value of the 95th percentile for the graph. These values are based on the Incoming bps and Outgoing values. In case both values are graphed, the highest of the two percentile values is shown.

8.8.2. Tool Buttons

The following buttons are available in the statistics viewer:

Go Back to the previous view in the statistics viewer

Go Forward to the next view in the statistics viewer

Go Up one level in the statistics viewer

Refresh the data displayed in the statistics viewer

Go Home in the statistics viewer

Select which Chart type to show of the current statistics view (choose from bar, pie, percent bar, line, and stacked area charts)

8.8.3. Full Screen Mode

Any chart can be shown in full screen mode (displaying the chart only) by using the keyboard combination Ctrl+Shift+F when the chart area is in focus. Press Esc to leave full screen mode.

8.8.4. Bar Charts and Percent Bar Charts

Bar charts show the accumulated total for the value in a list of items included. Clicking an item shows a bar chart for the item clicked. Percent bar charts show accumulated total values (like bar charts), but show the ratio for each item as a percentage in the bar.

8.8.4.1. Tool Tips

Bar chart items have tool tips (displayed when holding the cursor over the item) providing additional information. A regular item shows a tool tip with the number of items below that item, for different distributions.

8.8.4.2. Include <Others>

If the checkbox on the bottom of the sidebar of the statistics viewer is checked, an item named <Others> is included in the list. This item holds the sum of all items not displayed, if the setting for max results does not show all existing items.

8.8.5. Pie Charts

Pie charts show the ratio between items, showing the value as well as the percentage of each item. There is a page for each value shown. Clicking an item (pie chart segment or legend) opens a pie chart for that item.

8.8.5.1. Tool Tips

Holding the cursor over a pie chart segment shows the percentage, name, and value of the item.

Holding the cursor over a value in the legend shows the number of subitems available in the item.

8.8.6. Line and Stacked Area Charts

Line and stacked area charts show the selected value over time.

For all stacked area charts or line charts, moving the cursor over the graphs displays a cursor showing the exact value for a specific point in time. When showing a minimum value, the box frame is colored green, and when showing a maximum value, the box frame is colored red.

Note: The Max results field limits the number of selectable values in the right-hand pane. If this is set to a number lower than the current number of displayed items, the selected items are still shown in the graph. The values must be deselected before setting Max results lower.

8.8.6.1. 95th Percentile

In line charts (not stacked area charts), a horizontal line showing the 95th percentile can be shown, by checking the check box on the bottom right of the statistics viewer.

8.8.6.2. Zooming

Line charts and stacked area charts can be zoomed, by holding down Shift and dragging the cursor over the interval to zoom.

8.8.6.3. Peak Data

If peak data is stored for a value (see Section 7.1.9, “Peak Analysis”), the data can be displayed by holding down Ctrl and clicking the graph point for which to show peak data.

8.8.7. Location Field

The Location field shows the chart type and statistics criterion for the current statistics view. A statistics view can be displayed by entering a statistics path directly in the Location field. A statistics path starts with the chart type, followed by a colon (:) (pie: for a pie chart, percentbar: for a percent bar chart, bar: for a bar chart, line: for a line chart, or stacked: for a stacked area chart). After the chart type, a path to the statistics criterion is entered.

The path consists of path elements, distribution types, and a data type. Each path element is followed by a question mark (?) and a distribution type for that path element (an exception is the top-level path element, which has no distribution type), and path elements are separated by slash (/). At the end of the path there is a question mark (?) followed by the data type, which is what type of data shall be displayed (traffic or connections).

Examples:

line:/Traffic by net?/192-Net?NetObject/?datatype=Traffic shows the throughput traffic for the NetObject 192-Net in the statistics in a line graph, for the time interval specified in the calendar tool.

bar:/Host and service?/10.1.2.3?Local Host/?datatype=Connections shows a bar chart of the number of connections for the services for the local host 10.1.2.3, for the time interval selected in the calendar tool.
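The path grammar above is strict enough to validate mechanically. As an added example (not code from the guide or from Procera), the following Python parser and builder handle that grammar, assuming path element names and distribution types contain no "?" or "/" characters; it accepts only the five chart-type prefixes listed above and the trailing datatype, so a malformed Location typed by hand or carried in an imported bookmark is rejected with a specific error instead of being passed on.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The five chart-type prefixes the guide lists for the Location field.
CHART_TYPES = ("pie", "percentbar", "bar", "line", "stacked")


@dataclass
class StatisticsPath:
    """A parsed Location-field path: chart type, path elements, data type."""
    chart_type: str
    # (element name, distribution type); the top-level element has None.
    elements: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    datatype: str = ""


def parse_statistics_path(location: str) -> StatisticsPath:
    """Parse <chart>:/<top>?/<elem>?<distribution>/.../?datatype=<type>.

    Raises ValueError with a specific message for anything outside that
    grammar, so callers can reject a bad path before using or storing it.
    """
    chart_type, sep, rest = location.partition(":")
    if not sep:
        raise ValueError("missing chart-type prefix before ':'")
    if chart_type not in CHART_TYPES:
        raise ValueError(f"unknown chart type {chart_type!r}; expected one of {CHART_TYPES}")
    if not rest.startswith("/"):
        raise ValueError("path must start with '/' after the chart type")

    segments = rest[1:].split("/")
    # The final segment carries only the data type: "?datatype=<type>".
    last = segments.pop()
    if not last.startswith("?"):
        raise ValueError("path must end with '?datatype=<type>'")
    key, _, datatype = last[1:].partition("=")
    if key != "datatype" or not datatype:
        raise ValueError(f"expected 'datatype=<type>' at end of path, got {last!r}")
    if not segments:
        raise ValueError("path has no path elements")

    elements: List[Tuple[str, Optional[str]]] = []
    for index, segment in enumerate(segments):
        name, _, distribution = segment.partition("?")
        if not name:
            raise ValueError(f"empty path element at position {index}")
        if index == 0:
            # Top-level element: per the guide it carries no distribution type.
            if distribution:
                raise ValueError("top-level element must not carry a distribution type")
            elements.append((name, None))
        else:
            if not distribution:
                raise ValueError(f"path element {name!r} is missing its distribution type")
            elements.append((name, distribution))
    return StatisticsPath(chart_type, elements, datatype)


def build_statistics_path(path: StatisticsPath) -> str:
    """Inverse of parse_statistics_path: render a StatisticsPath as a Location string."""
    if path.chart_type not in CHART_TYPES:
        raise ValueError(f"unknown chart type {path.chart_type!r}")
    # Every element is written "name?distribution"; the top level has an empty distribution.
    parts = [f"{name}?{distribution or ''}" for name, distribution in path.elements]
    return f"{path.chart_type}:/" + "/".join(parts) + f"/?datatype={path.datatype}"


def is_valid_statistics_path(location: str) -> bool:
    """True if the Location string parses; handy when screening imported bookmarks."""
    try:
        parse_statistics_path(location)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The two example paths from the guide, parsed and rendered back unchanged.
    for example in (
        "line:/Traffic by net?/192-Net?NetObject/?datatype=Traffic",
        "bar:/Host and service?/10.1.2.3?Local Host/?datatype=Connections",
    ):
        parsed = parse_statistics_path(example)
        print(parsed)
        assert build_statistics_path(parsed) == example
```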

8.8.8. Calendar Tool

The calendar tool, displayed to the left in the Statistics viewer, changes the time interval for which the current statistics are shown. The interval can be selected from a drop-down list, and the date can be selected by clicking the calendar. Right-clicking gives a shortcut to go to the current date.

8.8.9. Bookmark Manager

The bookmark manager, displayed below the calendar tool on the left in the Statistics viewer, shows a folder structure of bookmarks. All bookmarks and functions available in the bookmark manager are also available from the bookmark menu.

Right-clicking a folder in the bookmark manager gives the following options:

Add Bookmark Opens the Add Bookmark dialog.

New Folder Creates a new folder in the current folder.

Open Folder in Tabs Opens all the bookmarks defined in the folder in one tab each in the Statistics viewer.

Export Exports all the statistics views defined as bookmarks in the folder to PDF or CSV, either as one single file or a folder containing one file for each bookmark.

Import Bookmarks Opens a dialog to select a file of exported bookmarks in PacketLogic Bookmarks (.plb) format to import.

Export Bookmarks Opens a dialog to export the bookmarks to a file in PacketLogic Bookmarks (.plb) format.

Cut Cuts the current folder for pasting into another folder.

Copy Copies the current folder for pasting into another folder.

Paste Pastes the most recently cut or copied item (bookmark or folder) into the current folder.

Rename Renames the current folder.

Delete Deletes the current folder.

Right-clicking a bookmark gives the following options:

Open in Current Tab Opens the bookmark in the active tab in the Statistics viewer.

Open in New Tab Opens the bookmark in a new tab.

Export Exports a PDF or CSV file containing the statistics view defined in the bookmark. It is also possible to enter a range of pages to export. When several bookmarks are exported, this is applied to each bookmark.

Cut Cuts the bookmark for pasting into another folder.

Copy Copies the bookmark for pasting into another folder.

Rename Renames the bookmark.

Delete Deletes the bookmark.

Properties Opens the Edit Bookmark dialog.

8.8.9.1. Add/Edit Bookmark

The Add Bookmark and Edit Bookmark dialogs have the following fields:

Name is the displayed name of the bookmark.

Location is the path to the statistics view that the bookmark defines.

Date contains drop-down lists for the time interval. The time interval can be fixed (meaning it always displays the same time interval, regardless of when it is viewed), current (meaning it shows the current time interval for the time it is viewed), or last (meaning it shows the previous time interval relative to the time it is viewed).

8.8.10. View Menu in Statistics

The View drop-down menu in Statistics offers the following options:

Main Toolbar Selects whether the Main Toolbar shall be displayed (see Section 8.9, “Main Toolbar”).

New Tab Opens a new tab in the Statistics Viewer.

Close Tab Closes the current tab. Not available if there is only one tab open.

Back Goes Back to the previous view in the statistics viewer.

Forward Goes Forward to the next view in the statistics viewer.

Up Goes Up one level in the statistics viewer.

Reload Refreshes the data displayed in the statistics viewer.

Home Returns to the starting view in the statistics viewer.

Previous Date Interval Goes back one time interval in the statistics viewer.

Next Date Interval Goes forward one time interval in the statistics viewer.

Bar Chart Selects to display the current statistics view as a bar chart (the icon is framed if a bar chart is currently displayed). The option is disabled if there is no bar chart to display for the current statistics.

Pie Chart Selects to display the current statistics view as a pie chart (the icon is framed if a pie chart is currently displayed). The option is disabled if there is no pie chart to display for the current statistics.

Percent Bar Chart Selects to display the current statistics view as a percent bar chart (the icon is framed if a bar chart is currently displayed). The option is disabled if there is no bar chart to display for the current statistics.

Line Chart Selects to display the current statistics view as a line chart (the icon is framed if a line chart is currently displayed). The option is disabled if there is no line chart to display for the current statistics.

Stacked Area Chart Selects to display the current statistics view as a stacked area chart (the icon is framed if a stacked area chart is currently displayed). The option is disabled if there is no stacked area chart to display for the current statistics.

Add Guide Line... Adds a horizontal line to the graph at a configurable Y-axis value.

Remove Guide Lines... Remove a horizontal guide line.

Manage Compare URLs

Show Trend Lines in Line Chart Selects to show calculated trend lines for the lines in a line graph.

Find Opens a search field at the bottom of the Statistics viewer. Entering a string in the search field searches the current statistics view for the string. If a search string is found, buttons to find the next and previous matches are shown.

Full Screen Mode Shows the current graph in full screen.

Show Location Bar Toggles whether the location bar (with the graph URL and the navigation buttons) shall be visible.

Show Page Navigation Bar Toggles whether the page navigation bar (at the bottom of the graph view) shall be visible.

8.8.11. Bookmarks Menu

In the Statistics viewer, there is also a Bookmarks drop-down menu, with the following options:

Add Bookmark Opens the Add Bookmark dialog, with an additional Folder field to determine where to store the bookmark.

Edit Bookmarks Opens an editor where bookmarks can be edited and moved between folders.

Add all Tabs as Bookmark Folder Opens a dialog to save all tabs currently open to a folder of bookmarks.

The menu also contains the actual bookmarks defined.

8.9. Main Toolbar

The main toolbar is available at the top of the client window, and provides quick access to frequently used options.

Open the System Manager (see Section 8.2, “System Manager”)

Open the Objects & Rules editor (see Section 8.10.1, “Objects & Rules Editor”). Clicking and holding the button shows several available modes.

Open the User editor (see Section 8.10.2, “User Editor”)

Open the Host Trigger editor (see Section 8.10.3, “Host Trigger Editor”)

Open the Backup Manager (see Section 8.10.5, “Backup Manager”)

Open the File Manager (see Section 8.10.6, “File Manager”)

Open the Log Viewer (see Section 8.10.7, “Log Viewer”)

Open the Connection Search dialog (see Section 8.10.8, “Connection Search”)

Pause (stop updating) the real-time information in LiveView (only available in LiveView)

8.10. Editors and Managers

This section describes the various editors and managers that are available from the toolbars and menus.

8.10.1. Objects & Rules Editor

The Objects & Rules Editor is where the ruleset for traffic management in PacketLogic is viewed, created, and maintained. For an in-depth description of the available objects and rules, see Section 4.7, “Objects and Rules”.

Figure 8.13. The Objects & Rules Editor

The Objects & Rules Editor can be opened in default mode by clicking the Objects & Rules button in the toolbar. Also available from the Edit menu are three options on how to open the Objects & Rules Editor (these options can also be reached by clicking and holding the Objects & Rules button in the toolbar):

Open Without Stealing Resource Opens the editor without locking the resource for exclusive use. This is the default way to open the editor.

Steal Resource And Open Obtains an exclusive lock on the Objects & Rules resource before opening it, to prevent any other sessions from saving changes to it. This can be useful when there are snoopers or custom integration scripts performing operations on the ruleset, causing it to reload at a high rate. This option requires read and write permissions on the Resource and Objects & Rules resource.

Open Read Only Will open the Objects & Rules resource in read only mode, which has the following implications:

• No actions can be performed on the objects or rules.

• The view will not be affected by subsequent updates to the objects or rules made by another client or by API calls (such as snoopers or custom integrations).

The Objects & Rules Editor contains a toolbar (not visible in read only mode), a tree structure containing the objects and rules in the ruleset, and a display pane to show the object, item, or rule currently selected.

Right-clicking objects and items gives direct access to relevant functions for the selected object or item. Objects can be moved in their respective object trees using drag and drop.

For NetObjects, the icon representing the NetObject in the tree view has an eye if the NetObject is configured to be a visible NetObject (shown in the Local Hosts view). NetObjects can be made visible in each NetObject (the Object visible checkbox).

For Filtering Rules, Shaping Rules, and Statistics Rules, there is a checkbox for each item. A checked box means that rule is enabled. This is also available directly in each Filtering and Shaping Rule (the Rule enabled checkbox).

8.10.1.1. Toolbar Buttons

The following buttons are available in the toolbar in the Objects & Rules Editor (not visible in read only mode):

Create a new object or item

Save the edited ruleset

Cut the selected object or item

Copy the selected object or item

Paste the object or item last cut or copied

Move the selected filtering rule up in the ruleset (only available when viewing filtering rules)

Move the selected filtering rule down in the ruleset (only available when viewing filtering rules)

In read and write mode, there is a File menu and an Edit menu in the Objects & Rules Editor.

The File menu offers the following options:

New Create a new object or item (depending on where in the object hierarchy the current selection is).

Save Save the current ruleset.

Roll Back Changes Reverts all changes made in the Objects & Rules Editor since the last time it was saved.

Steal Resource Get an exclusive lock on the Objects & Rules resource, to prevent any other sessions from saving changes to it. This can be useful when there are snoopers or custom integration scripts performing operations on the ruleset, causing it to reload at a high rate. This option requires read and write permissions on the Resource and Objects & Rules resource.

Import Template... Prompts for an XML file with object and rule definitions to import to the ruleset (see Section 8.10.1.1.1, “XML Import/Export”).

Export Template... Exports selected objects and rules to an XML file, which can then be used to import rules and objects (see Section 8.10.1.1.1, “XML Import/Export”).

Save & Close Saves the current ruleset and closes the Objects & Rules Editor.

Close Closes the Objects & Rules Editor without saving changes.

The Edit menu offers options to cut, copy, and paste selected items or objects.

In read only mode, only the File menu is available, and only contains an option to close the editor.

8.10.1.1.1. XML Import/Export

Parts of the objects and rules can be exported to an XML file. When exporting, a dialog allows selecting what objects and rules shall be included in the export. Importing takes all the definitions in the selected XML file and adds them to the current ruleset. Note that the changes are not active until the ruleset is saved after import.

8.10.1.2. NetObject Editor

The NetObject editor shows the items in the NetObject, a text field containing the name of the NetObject, a free-text comment field where additional information about the object can be added, and a checkbox to determine if the NetObject is visible in the Local Hosts view. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, setting the object as visible, setting link speed and attributes, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.2.1. Link Speed Editor

The link speed editor is opened by right-clicking a NetObject and selecting the Link Speed... option. This opens a dialog where incoming and outgoing link speed can be defined. These values are used to display horizontal lines indicating the link speed in line and stacked area charts for the NetObject.

8.10.1.2.2. Attribute Editor

The attribute editor is opened by right-clicking a NetObject and selecting the Attribute Editor option.

8.10.1.3. PortObject Editor

The PortObject editor shows the items in the PortObject, a text field containing the name of the PortObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.4. ProtocolObject Editor

The ProtocolObject editor shows the items in the ProtocolObject, a text field containing the name of the ProtocolObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.5. ServiceObject Editor

The ServiceObject editor shows the items in the ServiceObject, a text field containing the name of the ServiceObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows a column view, where all selected services are in the right-hand column, and all services available to select are in the left-hand column.

8.10.1.6. TimeObject Editor

The TimeObject editor shows the items in the TimeObject, a text field containing the name of the TimeObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.7. VlanObject Editor

The VlanObject editor shows the items in the VlanObject, a text field containing the name of the VlanObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.8. PropertyObject Editor

The PropertyObject editor shows the items in the PropertyObject, a text field containing the name of the PropertyObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.9. FlagObject Editor

The FlagObject editor shows the items in the FlagObject, a text field containing the name of the FlagObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.10. TunnelLevelObject Editor

The TunnelLevelObject editor shows the items in the TunnelLevelObject, a text field containing the name of the TunnelLevelObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.11. TunnelTypeObject Editor

The TunnelTypeObject editor shows the items in the TunnelTypeObject, a text field containing the name of the TunnelTypeObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.12. MPLSObject Editor

The MPLSObject editor shows the items in the MPLSObject, a text field containing the name of the MPLSObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.1, “Object Types for Traffic Identification”.

8.10.1.13. RewriteObject Editor

The RewriteObject editor shows the items in the RewriteObject, a text field containing the name of the RewriteObject, and a free-text comment field where additional information about the object can be added. Context-sensitive right-click menus allow adding or deleting items and subobjects, renaming objects and subobjects, and cut/copy/paste.

Selecting an item in the left-hand tree shows the definition of the item. For details see Section 4.7.4.1, “RewriteObjects”.

8.10.1.14. ShapingObject Editor

Figure 8.14. ShapingObject in the Objects & Rules Editor

The ShapingObject editor contains the following elements:

Object name: A text field with the name of the ShapingObject.

Split by: A drop-down list where it is selected how the ShapingObject shall be split (see Section 5.2.4, “Split By”).

Subscriber NetObject: A NetObject containing all subscribers as dynamic items, used to determine the list of subscribers for purposes of splits and fairness.

BROWN connection fairness (Advanced Options): A checkbox that determines if per-connection fairness is applied in the ShapingObject.

Virtual queueing (Advanced Options): A checkbox that determines if the ShapingObject shall use virtual queueing (meaning packets are never actually queued, only selectively dropped by the AQM).

Byte counter (Advanced Options): A checkbox that determines if the ShapingObject holds a byte counter, used for quota management in the PSM.

Weighted Fair Queueing: A list of percentages assigning how much capacity (as a ratio of the ShapingObject limits) priority levels 4 through 9 are allowed to consume (see Section 5.6.5.3, “Weighted Fair Queueing”).

Host Fairness (Advanced Options): A drop-down list to select if and what type of host fairness is applied in the ShapingObject (see Section 5.6.5.2, “Host Fairness”).

Max Connections (Advanced Options): An incrementable field setting the maximum number of connections allowed to exist simultaneously in the ShapingObject.

Show bandwidth rates in: A drop-down list where it is selected what scale the configured limits are displayed in.

Limits: Specifies the limits imposed on the traffic in the ShapingObject, along with settings for latency goal and queue size. Limits can be specified for inbound and/or outbound traffic, or for the bidirectional sum of traffic. When a limit is selected, Volume Based Shaping (VBS) limits can be added.

Edit VBS: A button that opens the VBS editor, which defines VBS limits for the internal VBS controller (see Section 5.5, “Shaping Counters”).

Comment: A free-text field where additional information about the object can be added.

For more information on the meaning of these settings, see Chapter 5, PacketLogic Traffic Shaping.

8.10.1.15. StatisticsObject Editor

The StatisticsObject editor is divided into four tabs, each containing specific settings. In addition, the StatisticsObject editor contains the following items:

Object name: A text field with the name of the StatisticsObject.

Comment: A free-text field where additional information about the object can be added.

8.10.1.15.1. Fields

The Fields tab defines what aspects of the connection shall generate statistics. For each aspect, Daily Sum and Graph Point can be selected.

Note: Graph Point values consume considerable resources compared to Daily Sum. Ensure that Graph Point is used only where necessary.

Figure 8.15. Fields in a StatisticsObject in the Objects & Rules Editor

8.10.1.15.2. Distribution

The Distribution tab defines by which criteria the statistics data shall be organized, determining how it can be browsed.

Figure 8.16. Distribution in a StatisticsObject in the Objects & Rules Editor

8.10.1.15.3. Limits

The limits tab defines how much data a value must accumulate to be included in statistics.

Figure 8.17. Limits in a StatisticsObject in the Objects & Rules Editor

8.10.1.15.4. Aggregation

The aggregation tab contains one setting: a checkbox which, if checked, will store the data of this StatisticsObject on the aggregation system (defined as the Aggregation resource in the Resource Manager).

Figure 8.18. Aggregation in a StatisticsObject in the Objects & Rules Editor

For more information on these settings, see Chapter 7, PacketLogic Statistics.

8.10.1.16. Filtering Rule Editor

Figure 8.19. Filtering rule in the Objects & Rules Editor

The Filtering Rule editor contains the following elements:

Rule name A text field with the name of the Filtering rule.

Rule enabled A checkbox determining if the rule is active.

Action A drop-down list where it is selected what action the rule shall apply.

Do not process additional rules A checkbox determining if rule evaluation shall terminate when this rule matches.

Rewrite Object (only shown when action is Rewrite) A drop-down list that determines what RewriteObject shall be applied to the traffic matching the rule.

Divert Label (only shown when action is Divert) A text area where one or more divert labels to use areentered, comma-separated (see Section 6.9, “TECH:Divert”). Leading and trailing whitespace in eachlabel is stripped. More than one divert label means thedivert is chained.

Inject Data (only shown when action is Inject or Divert) A text area defining the content that is injected intoconnections matching the rule (see Section 6.3.6,“Inject”).

Logging (Advanced Options) A drop-down list that determines what level oflogging the rule generates.

Monitor Interface (Advanced Options) A drop-down list that determines what monitoringshall be applied to the traffic matching the rule (seeSection 6.4, “Monitor”).

Trigger (Advanced Options) A drop-down list that determines what Filteringtrigger shall be set off when the rule matches (seeChapter 13, Triggers).

Conditions A list of traffic identification objects that traffic mustmatch to match the rule.


Comment: A free-text field where additional information about the rule can be added.

For more information on the meaning of these settings, see Chapter 6, Filtering.

8.10.1.17. Shaping Rule Editor

Figure 8.20. Shaping Rule in the Objects & Rules Editor

The Shaping Rule editor contains the following elements:

Rule name: A text field with the name of the Shaping rule.

Rule enabled: A check box determining if the rule is active.

Priority: An incrementable field where it is selected what priority the rule shall apply to matching traffic.

Exclusive (Advanced Options): A check box that determines if the Shaping rule shall match exclusively.

Conditions: A list of traffic identification objects that traffic must match to match the rule.

Comment: A free-text field where additional information about the rule can be added.

For more information on the meaning of these settings, see Chapter 5, PacketLogic Traffic Shaping.


8.10.1.18. Statistics Rule Editor

Figure 8.21. Statistics Rule in the Objects & Rules Editor

The Statistics Rule editor contains the following elements:

Rule name: A text field with the name of the Statistics rule.

Rule enabled: A check box determining if the rule is active.

Enable connection log: A check box determining if connection logging is performed as part of this rule.

Conditions view: A list of traffic identification objects that traffic must match to match the rule.

Comment: A free-text field where additional information about the rule can be added.

Selecting the StatisticsObjects item under the rule in the sidebar of the editor makes it possible to link StatisticsObjects to the rule. The editor displays a list of available StatisticsObjects, and arrow buttons are used to select or deselect StatisticsObjects.


Figure 8.22. Linking StatisticsObjects to a Rule

For more information on these settings, see Chapter 7, PacketLogic Statistics.

8.10.2. User Editor

The User Editor is where users are added and their access permissions configured.

The User Editor contains a toolbar, a list of users, and a view of the selected user's permissions. There are two categories of permissions: Database permissions and LiveView permissions. There is also a Host Access list, where the IP addresses of the hosts from which the user is allowed to connect can be entered.

Figure 8.23. The User Editor

Right-clicking a user gives direct access to relevant functions for the selected user (cut, copy, change password,rename, and delete).

8.10.2.1. Database Permissions

Database permissions control what configuration settings are available to the selected user, and can be None, Read Only, or Read & Write.

Aggregation: Regulates if the user is able to aggregate statistics.


Backups: Regulates if the user is able to create (Read) and restore (Write) backups.

Channel Management: Regulates if the user is able to view (Read) and edit (Write) channel names and link modes.

CommitLog: Regulates if the user is allowed to view (Read) and add to/clear (Write) the commit log.

Connection Log: Regulates if the user is able to store connection logs.

Connection Protection Triggers: Regulates if the user can view (Read) and manipulate (Write) connection protection triggers.

Dynamic Ruleset: Regulates if the user is allowed to view (Read) and manipulate (Write) the dynamic parts of the ruleset.

File Server: Regulates if the user is able to list (Read) the files in the file manager, and if the user is able to upload and change (Write) the files.

Host Triggers: Regulates if the user can view (Read) and manipulate (Write) the host triggers.

Logs: Regulates if the user is able to read (Read) logs and clear (Write) logs.

Resource: Regulates if the user is able to modify properties in the Resource Editor.

Rules & Object Configuration: Regulates if the user is able to view (Read) and edit (Write) the objects and rules.

StatReader: Regulates if the user is able to view (Read) the statistics.

StatWriter: Regulates if the user is able to store (Write) the statistics.

StatWriter Backup: Regulates if the user is able to store (Write) the statistics on the backup.

System Configuration: Regulates if the user is able to view (Read) and edit (Write) system configuration values.

System Diagnostics: Regulates if the user can view (Read) the System Diagnostics data and if the user can change (Write) the alert limits.

System Overview: Regulates if the user can view (Read) and manipulate (Write) the System Overview.

User Management: Regulates if the user is able to view (Read) and edit (Write) other users and their permissions.

LiveView permissions control which views the user has access to in the client and are either enabled or disabled.

8.10.2.2. LiveView Permissions

The following features can be toggled on or off:

Category details


Category view

Channel stats view: Regulates whether the user can see the Channel Statistics view.

Connection detail properties: Regulates whether the user will be able to see properties for connections.

Connection details: Regulates whether the user will be able to see information about an individual connection.

Dynamic Objects: Governs API connectivity to add, list or remove dynamic objects.

Expanded NetObjects: Regulates if the user will be able to see IP addresses in the Local hosts view.

Firewall log view: Regulates if the user can see the Filtering Log view.

Firewall view: Regulates if the user can see the filtering rules view.

Generic Surveillance: Regulates whether the user can use LiveView at all.

Host details: Regulates whether the user can view details about hosts.

Service details: Regulates whether the user will be able to see detailed information about different services, such as FTP.

Services view: Regulates if the user can see the Service Objects view.

Shaping view: Regulates if the user can see the Shaping Objects view.

Statistics view: Not currently in use.

System administration: Regulates if the user will be able to perform administrative tasks in LiveView (reload, reboot, force statistics write, and others).

System diagnostics: Regulates if the user can use the System Configuration Editor.

VBS Query: Regulates if the user will be able to see the VBS view.

8.10.2.3. Host Access List

The host access list regulates from which host or hosts the user is allowed to connect to the PacketLogic. An empty list means no access restriction is enforced. There are buttons to add and remove hosts from the host access list.

8.10.2.4. Inactivity

The inactivity timeout regulates if and after what time (in minutes) a user is logged out when no action is taken in the client.

8.10.2.5. Toolbar Buttons

The following buttons are available in the toolbar in the User Editor:

Add a new user.


Save the edited user configuration.

Cut the selected user

Copy the selected user

Paste the user last cut or copied

8.10.3. Host Trigger Editor

The Host Trigger Editor is where host triggers are added and their parameters configured. For further information on triggers, see Chapter 13, Triggers.

The Host Trigger Editor contains a toolbar, a list of host triggers, and a view of the selected host trigger.

Figure 8.24. The Host Trigger Editor

The parameters that can be set for each trigger are:

Trigger type: This defines the type of host trigger to configure (see Section 13.2.1, “Host Trigger Types”).

Script to run: The Python code to execute when the conditions in the host trigger match. The scripts can be uploaded in the File Manager (see Section 8.10.6, “File Manager”).

Incoming: The limit on inbound bandwidth.

Outgoing: The limit on outbound bandwidth.

Incoming CPS: The limit on inbound connections per second.

Outgoing CPS: The limit on outbound connections per second.

Connections: The limit on concurrent connections.

Unestablished Connections: The limit on unestablished connections.


Seen TTLs/Hop Limits: The limit on the number of seen TTL/Hop Limit values (see Section 4.2.5, “TTL/Hop Limit Tracking”).

In internal QoE: The limit on the In internal Quality of Experience (QoE) value (see Section 4.2.9, “Quality Measurement Algorithm”).

Out internal QoE: The limit on the Out internal Quality of Experience (QoE) value (see Section 4.2.9, “Quality Measurement Algorithm”).

In external QoE: The limit on the In external Quality of Experience (QoE) value (see Section 4.2.9, “Quality Measurement Algorithm”).

Out external QoE: The limit on the Out external Quality of Experience (QoE) value (see Section 4.2.9, “Quality Measurement Algorithm”).

Note: While all other limits set the trigger off when the value is above the set limit, QoE limits set the trigger off when the value is below the set limit.

Right-clicking a host trigger in the list gives direct access to relevant functions for the selected host trigger (rename, cut, copy, and delete).

8.10.3.1. Toolbar Buttons

The following buttons are available in the toolbar in the Host Trigger Editor:

Add a new trigger

Save the edited host trigger configuration

Cut the selected trigger

Copy the selected trigger

Paste the trigger last cut or copied

8.10.4. Connection Protection Trigger Editor

Figure 8.25. Connection Protection Trigger Editor

The connection protection trigger editor allows defining connection protection triggers. For details on triggers, see Chapter 13, Triggers. Each trigger consists of a Script to run. This is the Python code to execute when the connection protection triggers. The scripts can be uploaded in the File Manager (see Section 8.10.6, “File Manager”).

8.10.5. Backup Manager

The backup manager is a tool to create, restore, download, and otherwise manage backups in the PacketLogic client. The backups made in the client's backup manager consist of the ruleset, stored in an XML format with the file extension .plb. Backups are automatically given names of the form date-time.plb (for example, 20110419-12.18.plb).

Note: Backups only include resources stored locally. Resources that are set to Proxy are not included.

Figure 8.26. The Backup Manager

For information on how to take backups, see Section 10.1.2, “Taking a Backup in the Client”.

8.10.5.1. Toolbar Buttons

The following buttons are available in the toolbar in the Backup Manager.

Create a new backup

Restore the selected backup

Download the selected backup (transfers the backup file from the PacketLogic to the host running the client).

Upload a backup (transfers a file from the host running the client to the PacketLogic)

Delete the selected backup

8.10.6. File Manager

The file manager is the tool where files stored on the PacketLogic are managed. Files in the File Manager are typically Python scripts used for triggers and snoopers, license files, and the PacketLogic SNMP MIB.


Figure 8.27. The File Manager

8.10.6.1. Toolbar Buttons

The following buttons are available in the toolbar in the File Manager.

Upload a file to the File Manager (transfers a file from the host running the client to the PacketLogic)

Download a file from the File Manager (transfers a file from the PacketLogic to the host running the client).

Delete the selected file from the File Manager

Refresh the contents of the File Manager

8.10.7. Log Viewer

The log viewer is where the logs kept by PacketLogic can be viewed and downloaded.

Figure 8.28. The Log Viewer


8.10.7.1. Toolbar Buttons

The following buttons are available in the toolbar in the Log Viewer.

Save the selected log file on the local file system

Refresh the Log Viewer

Copy the selected text to the clipboard

Search the logs for a text string

8.10.8. Connection Search

Connection search is where a search for all connections matching given criteria can be made. The search requires at least one search criterion. For details on connection search, see Section 7.8, “Connection Search”.

Criteria available are:

Client: The client's IP address or port, provided as exact match or range.

Server: The server's IP address or port, provided as exact match or range, or the host name of the server.

Host: IP address of client or server, provided as exact match or range.

Start time interval: A time interval during which the connection was initiated.

End time interval: A time interval during which the connection ended.

Service: The service in question.

Protocol: The protocol in question.

A search can contain at most one value for each criterion.

Figure 8.29. The Connection Search

There is a setting to define the maximum number of connections to display in the search result, a "Reset" button to reset the search (clearing any search criteria and setting the time interval to the default), an "Export" button to export the search result to a file (in text format with values separated by semicolon), and a "Search" button to perform the specified search.


For details regarding connections search, see Section 7.8, “Connection Search”.

8.10.9. Resource Manager

The Resource Manager controls where configuration for different resources is stored.

Figure 8.30. The Resource Manager

Each entry in the Resource manager is a resource in the database (see Section 4.4.5.2, “Resources”).

The settings to choose from are:

Local: This means that the resource is stored and managed on the local PacketLogic only.

Proxy: This means that the resource is stored on another PacketLogic. It is still viewed and managed on the local PacketLogic, but the operations are transparently sent to the other (proxy) PacketLogic.

For details on Proxy, see Chapter 11, Centralized Management.

8.10.10. Channel Editor

The Channel Editor contains a list of the channels in the system, and allows configuring the channels. The Channel Editor has three tabs for different purposes:

The Physical Channels tab (Figure 8.31, “The Channel Editor, Physical Channels”) shows a list of the channels, their internal/external media, and their intended use (traffic, divert, monitor, or monitor/flowsync).

Channel use modes

None: Channel is not used.

Traffic: Channel is used for traffic inspection, management, and forwarding.

Divert: Channel is enabled for Divert. To use it in a filtering rule, include it in a divert label on the Divert Labels tab. For details on Divert, see Section 6.9, “TECH: Divert”.

Monitor: Channel is enabled for Monitor. To use it in a filtering rule, include it in a monitor label on the Monitor Labels tab. This uses both channel interfaces, one for each direction of the traffic. For details on Monitor, see Section 6.4, “Monitor”.

FlowSync/Monitor: The internal interface of the channel is used for FlowSync (see Section 4.2.6, “Flow Synchronization”). The external interface of the channel is enabled for Monitor. To use it in a filtering rule, include it in a monitor label on the Monitor Labels tab. This uses only one channel interface for monitor, sending both directions of the monitored traffic on that interface. For details on Monitor, see Section 6.4, “Monitor”.

Figure 8.31. The Channel Editor, Physical Channels

The Divert Labels tab (Figure 8.32, “The Channel Editor, Divert Labels”) allows configuring divert labels. Divert labels are used as targets for filtering rules with action Divert. For details, see Section 6.9.3, “Divert Labels”.

Figure 8.32. The Channel Editor, Divert Labels

The Monitor Labels tab (Figure 8.33, “The Channel Editor, Monitor Labels”) allows configuring monitor labels. Monitor labels are used as targets for filtering rules with action Monitor. For details, see Section 6.4.3, “Label”.

Figure 8.33. The Channel Editor, Monitor Labels


8.10.11. Log Levels Editor

The Log Levels Editor contains settings for how much various parts of the system shall write to the logs.

Figure 8.34. The Log Levels Editor

8.10.12. System Configuration Editor

The System Configuration Editor contains the system settings. For each configurable value, there is a brief description, the default value, the current value (editable) and a button to restore the value to default. The changes are saved onto the PacketLogic system when the Save button is clicked. For configuration changes to take effect, a Reload Configuration must also be performed. Saving the changes only writes them from the client to the PacketLogic system. Reload Configuration is available from the File menu in the System Configuration Editor.

For descriptions of the values, see Appendix A, System Configuration Values.

Figure 8.35. The System Configuration Editor

8.10.13. Custom View Editor

The Custom View Editor allows creating custom views in LiveView. A custom view allows filtering the set of connections included in the view and organizing the navigation tree in which they are viewed. The filters are defined in the Filters tab, and the distribution is defined in the Distribution tab.

The Custom View Editor can be opened from the View drop-down menu in LiveView. The Custom View Editor can also be reached by right-clicking in the navigation tree in one of the other views and selecting Show Custom View. This opens the Custom View Editor with a preconfigured filter matching the node selected.


Figure 8.36. Custom View Editor, Filters

Figure 8.37. Custom View Editor, Distribution


Chapter 9. CLI Menu

9.1. Introduction

This section covers all the different configuration options available in the PacketLogic Command Line Interface (CLI). The CLI is available on port 42002 via SSH to the Admin interface, or by using a console cable connected to the console interface on the PacketLogic (for serial port specifications, refer to the hardware guide for the system).

9.1.1. Using the CLI

Login using pladmin as username with the configured password.

Choose Enable in the menu and use the same password again. Be sure to change this as soon as possible under the System Administration -> Change Passwords -> Change Console Password option in the menu.

There is help available in the CLI, by entering "help" followed by the number of the option. There is also an index available, showing all available options, by entering "index". In each submenu, there are also options to return to the main menu, the parent menu, or to exit the CLI.

9.2. Configuration

9.2.1. Signatures

Signatures: Manage the signatures with updates, rebuild the virtual services definitions and clear the string table cache.

9.2.1.1. Update signatures

9.2.1.2. Virtual Services

Virtual Services: The list displays the available virtual services definitions. The file names are the same as they were when uploaded in the PacketLogic client. Select the files to use when building virtual services one by one. When ready, use the option C to compile the virtual service signature. This will build all selected definitions and install and activate the resulting virtual services ARM. Definition files uploaded after the last virtual services compile have an "N" before the file name. Please note that the build process requires a lot of system memory and the execution time can skyrocket towards several minutes, especially if the system is low on memory. A warning message will be raised if the system is really low on memory to let you determine whether to go ahead and do the build anyway or not.

9.2.1.3. Clear string table

Clear string table: This option clears the string table, which lists service names. The string table is specific to a compiled signature set. When a signature is removed from the compiled signature set (by updating to a signature bundle where a signature is removed, or by removing a virtual service definition), the string table should be cleared so that it is recreated with correct information.

9.2.2. Network Configuration

Network Configuration: This menu contains options for configuring the different aspects of the network interfaces. This includes IP configuration for the admin/aux interfaces, interfaces for flow sync and monitor, ARP and route information, link status, and chassis configuration.


9.2.2.1. Show routing and arp table

This option displays the current routing table and ARP tables for Admin/AUX.

9.2.2.2. Admin interface

9.2.2.2.1. IP configuration

Admin IP Configuration: This option sets the IP configuration on the Admin interface.

9.2.2.2.2. Admin Bonding

This option configures interface bonding. For an interface to be available to include in a bond, it must be unused. 's' selects the interfaces to include in the bond. 'p' selects the primary interface in the bond. 't' selects the method to determine the operational status of the interfaces in the bond (mii, which uses internal hardware monitoring, and arp, which signals an arp target, entered as an IPv4 address). Both types have a configurable interval for the interface monitoring. The interval is entered as a millisecond value.

9.2.2.2.3. Admin Bonding status

This option shows information about the current bonding configuration for this interface.

9.2.2.2.4. Duplex settings

Admin Duplex Settings: This option sets the duplex settings of the Admin interface. Available settings are: Auto (default value), 100full (100 Full duplex), 100half (100 Half duplex), 10full (10 Full duplex), 10half (10 Half duplex).

9.2.2.2.5. Disable Admin

Disable the Admin port link: By disabling the Admin port, the network link will not be brought up and no traffic will be forwarded to the machine at this port. If the AUX port is still enabled you can access that as usual; if both are disabled you have to connect via serial console to the PacketLogic system to do maintenance. Please be careful when using this feature.

9.2.2.3. Static routes

Static routes: This option defines static routes. A static route consists of a network address in CIDR notation and a gateway for that network address.

9.2.2.4. Ping IP address

This option allows entering an IP address to send an ICMP echo request (ping) to, to verify IP connectivity. The number of requests to send before terminating can also be entered.

9.2.2.5. Traceroute IP address

Traceroute IP address: This option allows entering an IP address or hostname and will try to verify the intermediate steps between the PacketLogic and the external address.

9.2.2.6. Chassis configuration

This option configures the chassis according to what modules are installed and how interfaces shall be used.Settings include:

• Chassis topology: This defines how the chassis is switched. Selecting the option shows the currently available options.

  • paddleboard: The hub slots (logical slots 1 and 2) hold passive fabric modules (paddle boards). This topology is intended for the default configuration of the PL10005. This means passive fabric modules (paddle boards) in logical slots 1 and 2, FP modules in logical slots 3 and 4, and an SM module in logical slot 5. The Flow Sync port is located on the RTM installed in logical slot 3.


  • paddleboard-front-flowsync: Same topology as the Paddleboard topology, but a front panel 10GE interface is used for Flow Sync (the Int interface on the FP module in logical slot 4), rather than a 1GE interface on an (optional) RTM. Note that this disables the 10GE channel otherwise available on the FP module in logical slot 4.

  • 2FM40: Intended for a system with IO modules in both node slots (logical slots 1 and 2), LB modules in logical slots 3 and 4, and FPv2 modules. This is used for the 14-slot chassis.

  • 2FM40-1.5: Intended for a system with IO modules in both node slots (logical slots 1 and 2), and LB modules in logical slots 3-6, two SMv4 modules in logical slots 13 and 14, and FPv3 modules in the remaining slots. This is used for the PL10014.

  • two-slot: Intended for the two slot chassis.

  • 20k: Intended for the PL20000.

• SM index: This is a non-configurable item, stating the index of the SM.

• SM installed number: This determines how many SM modules are installed in the chassis. In a system with multiple SM modules, ensure all have this option set identically.

• FP 10GE port configuration: Each FP module has two 10GE interfaces in the front. Optionally, the FP module can be equipped with an RTM, providing two 10GE interfaces and ten 1GE interfaces. The two 10GE interfaces are only available in one of these locations. If the 10GE interfaces in the front are active, the ones in the RTM are disabled and vice versa. In a system with multiple SM modules, ensure all have this option set identically. The FP 10GE port configuration determines where the active 10GE interfaces are located. This can be one of three options:

  • auto: Automatic selection. If an RTM is available, the 10GE interfaces on it are enabled, and the 10GE interfaces in the front are disabled.

  • faceplate: The 10GE interfaces in the front are enabled and the 10GE interfaces on the RTM are disabled, regardless of whether an RTM is available or not.

  • rtm: The 10GE interfaces on the RTM are enabled and the 10GE interfaces in the front are disabled, regardless of whether an RTM is available or not.

9.2.2.7. SFP status

Show linkstatus and presence of SFP modules for the SFP slots in the chassis.

9.2.2.8. Connection Sync

This option enables/disables connection synchronization (flow sync). Changing this setting restarts core services on PacketLogic.

9.2.2.9. Hostname

This option sets the host name used by this system.

9.2.2.10. Link status

This option lists speed, duplex settings, and link state for each interface that is not a channel interface.

9.2.3. NTP Configuration

This option allows configuring a Network Time Protocol (NTP) server. The NTP server will be used to synchronize the time on the system.


9.2.4. System Administration

System Administration: This menu contains options and submenus for various administration tasks (such as passwords, restarts, system information, mail, log, and backup configuration).

9.2.4.1. Mail

This menu configures PacketLogic to be able to send email. With a mailhub configured, PacketLogic will send emails for:

• Alerts triggered by limits in system diagnostics

• Incidents relating to booting problems, hard drive problems, and RAID problems.

9.2.4.1.1. Scheduled mail

This option configures status emails to be sent hourly or daily, reporting the current state of the PacketLogic.

9.2.4.1.2. Configure mailhub

This option configures an SMTP server for PacketLogic to use to send email, along with authentication if the server requires it. Also, email addresses where emails shall be sent are entered. To use a non-standard SMTP port, append :port to the server host name. Example: To send using port 123, enter: smtp.example.com:123

9.2.4.1.3. Single mail

This will create a single email reporting status for the PacketLogic and send it to the configured email addresses.

9.2.4.2. Change Passwords

This menu contains options to change passwords for the system-defined users, and to configure external authentication servers.

9.2.4.2.1. Change pladmin password

This option changes the password of the pladmin user. This is used to access the PacketLogic remotely using SSH.

9.2.4.2.2. Change admin password

This option changes the password of the admin user. This is the user used for the PacketLogic client and Python API.

9.2.4.2.3. Change PSM administration

Change PSM administration password: This option changes the password of the PSM administration user. This is the user used for the PSM interfaces.

9.2.4.2.4. Change gsmafetch password

This option changes the password for SFTP access for the gsmafetch user. For details, see the documentation on GSMA Logging.

9.2.4.2.5. Change ftpaccess password

This option changes the password on a PSM for FTP access intended for CDR retrieval. For details, see the documentation on CDR.

9.2.4.2.6. Change enable password

This option changes the "enable" password. This password is used to gain remote privileged access to the CLI to configure PacketLogic.


9.2.4.2.7. Change console password

This option changes the password for console access. This is used for accessing the CLI with a serial connection to the PacketLogic.

9.2.4.2.8. RADIUS authentication

This option configures RADIUS servers to query for authentication when login is attempted. Server configuration consists of host (or IP), port, and shared secret. Multiple servers can be defined. If multiple servers are configured, they are tried in sequence. For client or API login, servers are asked until one responds. That response (access granted or denied) is used and no further servers are asked. For SSH login, each server is asked for access. By default, PacketLogic falls back to try local authentication for client/API logins if no server responds or if access is denied. This local fallback can be disabled as well. Local fallback always applies to SSH login and cannot be disabled.

9.2.4.2.9. TACACS+ authentication

This option configures TACACS+ servers to query for authentication when login is attempted. Server configuration consists of host (or IP), port, and shared secret. Multiple servers can be defined. If multiple servers are configured, they are tried in sequence. For client or API login, servers are asked until one responds. That response (access granted or denied) is used and no further servers are asked. For SSH login, each server is asked for access. By default, PacketLogic falls back to try local authentication for client/API logins if no server responds or if access is denied. This local fallback can be disabled as well. Local fallback always applies to SSH login and cannot be disabled.
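The login decision described for RADIUS and TACACS+ above, modelled as an added Python example (not Procera's code) so the effect of the local-fallback setting on the client/API and SSH paths can be traced; the server objects, the local credential store, and the reading of "each server is asked" for SSH as "access if any server grants" are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# One external server's verdict: True = access granted, False = access denied,
# None = no response (for example a timeout). Constructed stand-in for RADIUS/TACACS+.
Verdict = Optional[bool]
Answer = Callable[[str, str], Verdict]


@dataclass
class ExternalServer:
    host: str          # host name or IP, as entered in the CLI menu
    port: int
    answer: Answer     # constructed query function; a real server also needs the shared secret


@dataclass
class ExternalAuthConfig:
    servers: List[ExternalServer]                 # tried in the order configured
    local_fallback_for_client_api: bool = True    # enabled by default, may be disabled


# Constructed local credential store (hypothetical stand-in for the system-defined users).
LOCAL_USERS: Dict[str, str] = {"admin": "local-secret"}


def local_auth(user: str, password: str, local_users: Dict[str, str] = LOCAL_USERS) -> bool:
    return local_users.get(user) == password


def client_api_login(cfg, user, password, local_users=LOCAL_USERS) -> Tuple[bool, str]:
    """Client/API login: servers are asked in sequence until one responds; that response
    is final unless local fallback is enabled. The reason string is what a defender wants
    in the login log, because a fallback grant is otherwise indistinguishable from a
    server grant."""
    for s in cfg.servers:
        verdict = s.answer(user, password)
        if verdict is None:
            continue                      # no response: ask the next server
        if verdict:
            return True, f"granted by {s.host}:{s.port}"
        if cfg.local_fallback_for_client_api and local_auth(user, password, local_users):
            return True, f"denied by {s.host}:{s.port}, granted by local fallback"
        return False, f"denied by {s.host}:{s.port}"
    if cfg.local_fallback_for_client_api and local_auth(user, password, local_users):
        return True, "no server responded, granted by local fallback"
    return False, "no server responded, local fallback disabled"


def ssh_login(cfg, user, password, local_users=LOCAL_USERS) -> Tuple[bool, str]:
    """SSH login: every server is asked (assumption: access if any server grants), and
    local fallback always applies and cannot be disabled."""
    for s in cfg.servers:
        if s.answer(user, password):
            return True, f"granted by {s.host}:{s.port}"
    if local_auth(user, password, local_users):
        return True, "granted by local fallback (always on for SSH)"
    return False, "denied by every server and by local authentication"


def fixed_verdict(verdict: Verdict) -> Answer:
    """A server that always gives the same verdict (None models a server that is down)."""
    return lambda user, password: verdict


def credential_check(expected_user: str, expected_password: str) -> Answer:
    """A server that grants exactly one constructed credential and denies everything else."""
    return lambda user, password: user == expected_user and password == expected_password


# Constructed topology: the primary server is unreachable, the secondary answers.
PRIMARY = ExternalServer("radius1.example.net", 1812, fixed_verdict(None))
SECONDARY = ExternalServer("radius2.example.net", 1812, credential_check("admin", "radius-secret"))
DEFAULT_CFG = ExternalAuthConfig([PRIMARY, SECONDARY])
STRICT_CFG = ExternalAuthConfig([PRIMARY, SECONDARY], local_fallback_for_client_api=False)
DOWN_CFG = ExternalAuthConfig([PRIMARY])


if __name__ == "__main__":
    # A server denial on the client/API path is overridden by the local password unless
    # fallback is disabled; the SSH path accepts the local password in every configuration.
    for name, cfg in (("default", DEFAULT_CFG), ("strict", STRICT_CFG), ("down", DOWN_CFG)):
        print(name, "client/API:", client_api_login(cfg, "admin", "local-secret"))
        print(name, "ssh:       ", ssh_login(cfg, "admin", "local-secret"))
```

With the default setting, a denial from the external server is not final for client/API logins, so the local admin password remains usable whenever it is known; disabling the fallback closes that path for the client and API but, per the guide, never for SSH.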

9.2.4.3. Reload/Reboot

This menu contains options for restarting components, services, or the entire system.

9.2.4.3.1. Restart system

This will restart all userland processes, but not the engine/PLOS, and thus does not affect traffic. Do note that if system configuration that affects the engine has been changed, these changes do not take effect with a restart.

9.2.4.3.2. Reload core services

This will reload all PacketLogic software modules. For standalone appliance systems, traffic will stop for about 2-5 seconds. For chassis systems, traffic is not affected. However, when the processes are running again the rulesets on the flow processors will be reloaded.

9.2.4.3.3. Reboot/Halt

This will reboot the entire system (for chassis systems this reboots the SM module). Depending on the configuration of the system it might take between 30-90 seconds before the system is fully operational again.

9.2.4.3.4. Reboot at

This option sets a time at which the system will reboot (or, in case of a chassis system, the SM module). The syntax is that of the UNIX "at" command. Examples: 03:00 is the next time the clock reads 3 am. 03:00 2004-04-07 is 03:00 on 2004-04-07 (year 2004, month 04, day 07).

9.2.4.3.5. Reboot chassis components

This option allows rebooting individual components in a chassis PacketLogic. Either a single processor on a multiprocessor module can be rebooted, or an entire module can be rebooted.

9.2.4.3.6. Restart individual services

This option allows selecting a service to restart. Available services are listed.


9.2.4.4. Disable/Enable snoopers

This option disables or enables snoopers in PacketLogic. The snoopers are listed along with their current status.

9.2.4.5. Information

Some useful information about the system such as uptime and machineID.

9.2.4.5.1. Chassis inventory

This retrieves information from all installed modules in a chassis-based PacketLogic system. Note that the command can take time to complete while all modules are polled.

9.2.4.5.2. System information

This option displays information about the system such as version, CPU, memory, uptime, and configuration.

9.2.4.5.3. Top

Displays useful information about the processes running on the system using UNIX top.

9.2.4.5.4. Channel statistics

This option displays channel statistics for the channels available in the system. Individual channels can be selected from a list of available channels, or a summary of all channels can be shown.

9.2.4.5.5. PSM

For a PSM system, this option shows information about the state of the PSM, including running state and the size of the tables.

9.2.4.5.6. Support bundle

This option collects configuration data for the system into a compressed and encrypted file, suitable as input data for technical support.

9.2.4.6. RAID health information

This option shows the current status of the RAID volumes on the system.

9.2.4.7. Backup

This submenu contains options and submenus for configuring and creating backups and restoring them. Backups can be made for configuration, logs, statistics, and connection log.

9.2.4.7.1. Backup PSM

Make backups of the PSM, either a single backup or scheduled daily. This uses the FTP or SSH protocol to upload the backups to a remote server.

9.2.4.7.1.1. Scheduled backup

This will create backups every day at 3:20 and then upload them to the configured backup server. The filename will contain distversion and a timestamp. Example: psm-hostname-110429204500.tar.gz

9.2.4.7.1.2. Select remote host

Selects which remote host log backups will be uploaded to.


9.2.4.7.1.3. Single backup

This will create one single backup of the current PSM settings and data and upload it to the configured backup server. The filename is a timestamp. Example: 20:45 on the 29th of April 2011 is psm-hostname-110429204500.tar.gz

9.2.4.7.1.4. Restore PSM backup

Here you can restore a backup using the FTP or HTTP protocol to retrieve the backup. The filename is usually something like psm-hostname-110429204500.tar.gz. The dist running has to be equal to or newer than the backup file.

9.2.4.7.2. Backup statistics

This menu contains options for creating and restoring backups of statistics data.

9.2.4.7.2.1. Restore statistics

This option restores a backup of statistics data. The backup to restore can be retrieved using FTP or HTTP. The backup format in the backup must match the version on which it is restored. The restore operation will warn if this is not the case. Statistics backups consist of at least two files: a pl2stats file and a values01 file. The pl2stats file contains information for the date in the backup. The values01 file contains the value data. The pl2stats file is named as follows: pl2stats-date-index-timestamp.tar.gz. The values01 file is named as follows: values01-timestamp-index.tar.gz. Ensure that the timestamp field matches for the two files when restoring, and that both files are available in the same directory. Restoring statistics data requires a restart of certain processes. Clients will be disconnected. Traffic on the channels is not affected.

9.2.4.7.2.2. Select remote host

This option selects which remote host to upload backups to. If no remote host is configured, add one in the Remote hosts option in the System Administration menu.

9.2.4.7.2.3. Single backup

This will create one single backup of yesterday's statistics and upload it to the configured backup server. Statistics backups consist of at least two files: a pl2stats file and a values01 file. The pl2stats file contains information for the date in the backup. The values01 file contains the value data. The pl2stats file is named as follows: pl2stats-date-index-timestamp.tar.gz. The values01 file is named as follows: values01-timestamp-index.tar.gz.

9.2.4.7.2.4. Restore statistics (legacy)

This option restores a backup of statistics data. The backup to restore can be retrieved using FTP or HTTP. The backup format in the backup must match the version on which it is restored. The restore operation will warn if this is not the case. Statistics backups consist of at least two files: a pl2stats file and a values01 file. The pl2stats file contains information for the date in the backup. The values01 file contains the value data. The pl2stats file is named as follows: pl2stats-date-index-timestamp.tar.gz. The values01 file is named as follows: values01-timestamp-index.tar.gz. Ensure that the timestamp field matches for the two files when restoring, and that both files are available in the same directory. Restoring statistics data requires a restart of certain processes. Clients will be disconnected. Traffic on the channels is not affected.
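The pairing rule the statistics backup and restore sections state (matching timestamp fields, both files in one directory) as a check an operator can run over a backup directory before starting a restore; this is an added example, not Procera code. The guide does not give the exact field formats, so the date is assumed to be 8 digits and index and timestamp digit runs, and the sample listing is constructed.

```python
"""Pairing check for PacketLogic statistics backup files.

Added example, not Procera code. The guide names the two files of a
statistics backup pl2stats-date-index-timestamp.tar.gz and
values01-timestamp-index.tar.gz and requires the timestamp fields to match
and both files to be in the same directory. The field formats are not given,
so this assumes date is 8 digits (YYYYMMDD) and index and timestamp are
digit runs (constructed assumption); adjust the patterns to your files.
"""
import re
from typing import Dict, Iterable, List, Tuple

PL2STATS_RE = re.compile(
    r"^pl2stats-(?P<date>\d{8})-(?P<index>\d+)-(?P<timestamp>\d+)\.tar\.gz$")
VALUES01_RE = re.compile(
    r"^values01-(?P<timestamp>\d+)-(?P<index>\d+)\.tar\.gz$")

# A complete pair: (date, pl2stats filename, values01 filename).
Pair = Tuple[str, str, str]


def match_stats_backups(filenames: Iterable[str]) -> Tuple[List[Pair], List[str]]:
    """Group one directory listing into restorable pairs and problems."""
    stats: Dict[str, Tuple[str, str]] = {}   # timestamp -> (name, date)
    values: Dict[str, str] = {}              # timestamp -> name
    for name in filenames:
        m = PL2STATS_RE.match(name)
        if m:
            stats[m["timestamp"]] = (name, m["date"])
            continue
        m = VALUES01_RE.match(name)
        if m:
            values[m["timestamp"]] = name
        # anything else (PSM, connlog, log backups) is not part of a stats set
    pairs: List[Pair] = []
    problems: List[str] = []
    for ts in sorted(stats):
        name, date = stats[ts]
        if ts in values:
            pairs.append((date, name, values[ts]))
        else:
            problems.append(f"{name}: no values01 file with timestamp {ts}")
    for ts in sorted(values):
        if ts not in stats:
            problems.append(f"{values[ts]}: no pl2stats file with timestamp {ts}")
    return pairs, problems


# Constructed listing of a backup directory (file names are made up).
SAMPLE_LISTING = [
    "pl2stats-20110428-1-1304107200.tar.gz",
    "values01-1304107200-1.tar.gz",
    "pl2stats-20110429-1-1304193600.tar.gz",   # its values01 file is missing
    "values01-1304280000-1.tar.gz",            # its pl2stats file is missing
    "psm-hostname-110429204500.tar.gz",        # PSM backup, ignored here
]

if __name__ == "__main__":
    pairs, problems = match_stats_backups(SAMPLE_LISTING)
    for date, s, v in pairs:
        print("restorable:", date, s, v)
    for p in problems:
        print("problem:", p)
```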

9.2.4.7.3. Backup connlog

This menu contains options for creating and restoring backups of connection logging (connlog) data.

9.2.4.7.3.1. Scheduled backup

This option will enable scheduled backups of the connection log to be made automatically (daily or hourly) and uploaded to the configured backup server. The filename will contain a timestamp and sequence number. Example: pl2connlog-2011-04-29-3.tar.gz


9.2.4.7.3.2. Select remote host

Selects which remote host connlog backups will be uploaded to. To configure a host see the Remote Hosts option in the System Administration menu.

9.2.4.7.3.3. Single backup

This will create one single backup of yesterday's connlog and upload it to the configured backup server. The filename will contain the date for which the backup has data. Example: 23 April 2004 is pl2connlog-040423.tar.gz

9.2.4.7.3.4. Restore connlog

This option restores a connlog backup. The backup can be retrieved using FTP or HTTP. The filename contains pl2connlog, a time stamp, and a sequence number. Example: pl2connlog-2011-04-29-3.tar.gz. The backup has to be the same backup format as the PacketLogic it is restored on. The restore procedure will warn if this is not the case. Restoring connection log data requires restarting processes, which means client connections are dropped. Traffic on channels is not affected.

9.2.4.7.4. Backup logs

This menu contains options to create backups of system log files. Backup files are uploaded to a configured server using FTP or SSH.

9.2.4.7.4.1. Select remote host

This option selects which remote host to upload backups to. If no remote host is configured, add one in the Remote hosts option in the System Administration menu.

9.2.4.7.4.2. Single backup

This will create one single backup of the logs and upload it to the configured backup server. The filename will contain the date for which the backup has data. Example: 23 April 2004 is pl2logs-040423.tar.gz

9.2.4.7.4.3. Scheduled backup

This option will enable scheduled backups of the system log files to be made automatically (daily or hourly) and uploaded to the configured backup server. The filename will contain a timestamp and sequence number. Example: pl2logs-2011-04-29.tar.gz

9.2.4.8. Activate/Deactivate Channel

Note: This is not supported on PL10000/PL20000 systems.

This option makes it possible to activate or deactivate one or more channels without using the graphical client. It displays the current status per channel and toggles between the active and inactive state.

9.2.4.9. Logs

This menu contains options to view logs in the system, configure a remote syslog server, and configure the PCAP writers.

9.2.4.9.1. Syslog

This option configures a syslog server to which this system can report logs. The facilities exported remotely are:

• kern.=notice (log for kernel messages, engine)

• auth.* (logins for ssh and client)


• local1.* (Database Daemon)

• local2.* (Python scripts including snmp)

• local3.* (PacketLogic Daemon)

• local4.* (PacketLogic Statistics Daemon, statistics)

9.2.4.9.2. Log viewer

View local system logs.

9.2.4.9.3. PLPCAP

This menu contains options for the PCAP writer that handles the traffic from a filtering rule with "PCAP Writer" as monitor interface.

9.2.4.9.3.1. Remote upload

This option selects a remote host where PCAP files from the PCAP writer will be uploaded. If there are no hosts configured, configure them in the Remote hosts option in the System Administration menu.

9.2.4.9.3.2. Size and files

This option configures the size of the files the PCAP writer creates, and how many it keeps stored before rotating them.

9.2.4.9.4. PLPCAP-2

This menu contains options for the PCAP-2 writer that handles the traffic from a filtering rule with "PCAP-2 Writer" as monitor interface.

9.2.4.9.4.1. Remote upload

This option selects a remote host where PCAP files from the PCAP-2 writer will be uploaded. If there are no hosts configured, configure them in the Remote hosts option in the System Administration menu.

9.2.4.9.4.2. Size and files

This option configures the size of the files the PCAP-2 writer creates, and how many it keeps stored before rotating them.

9.2.4.10. Timezone

This option sets the timezone of the system.

9.2.4.11. Statistics

This will allow you to enable/disable statistics and proxy functions.

9.2.4.11.1. Max allowed statistics buffers

This setting imposes a limit on how much disk space temporary statistics data sets are allowed to consume. The default is 25GB. The statistics daemon can store temporary data sets on disk. These are used in case connectivity to the statistics writer is lost, to ensure consistent data. Temporary buffers need to accommodate at least the amount of data generated by the statistics daemon during an hour, but to provide any fault tolerance they should be able to accommodate more.

9.2.4.11.2. Statistics system without Storage Node

This option configures a statistics system to run without a separate storage node.


9.2.4.11.3. IPFIX daemon

This option configures the IPFIX daemon. For details see Section 7.9, “IPFIX Export”.

9.2.4.11.4. Max allowed connlog

Connlog data can consume a lot of disk space in a short amount of time. To prevent accidental loss of valuable statistics data, a maximum allowed disk space consumption can be set. The maximum allowed disk space is adhered to as a first resort: if the connlog data rises above the maximum allowed disk space, the data is removed day by day until a more sane amount of data is stored on the devices. Eventually statistics data will also be removed, but at a much slower pace than the connlog data. Enter the maximum disk space connlog data is allowed to consume, in gigabytes.
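The two disk limits described in 9.2.4.11.1 (statistics buffers must hold at least an hour of daemon output) and here (connlog days are removed oldest first once the cap is exceeded), modelled as an added example that is not Procera code; the per-day sizes and hourly rate are constructed values, since the daemons measure these themselves.

```python
"""Disk-budget helpers for the two limits described above.

Added example, not Procera code. stats_buffer_hours() expresses the
"Max allowed statistics buffers" limit as hours of statistics-daemon output
it can hold (the guide requires at least one hour, more for fault tolerance).
prune_connlog() models the "Max allowed connlog" behaviour: when the per-day
connlog data exceeds the cap, whole days are removed oldest first until the
total fits. Sizes are constructed; the real daemons measure them themselves.
"""
from typing import Dict, List, Tuple


def stats_buffer_hours(max_buffer_gb: float, hourly_output_gb: float) -> float:
    """How many hours of statistics the temporary buffers can absorb."""
    if hourly_output_gb <= 0:
        raise ValueError("hourly output must be positive")
    return max_buffer_gb / hourly_output_gb


def stats_buffer_adequate(max_buffer_gb: float, hourly_output_gb: float) -> bool:
    """True when the buffer meets the documented one-hour minimum."""
    return stats_buffer_hours(max_buffer_gb, hourly_output_gb) >= 1.0


def prune_connlog(day_sizes_gb: Dict[str, float],
                  max_gb: float) -> Tuple[Dict[str, float], List[str]]:
    """Return (kept_days, removed_days); keys are ISO dates, oldest removed first."""
    kept = dict(day_sizes_gb)
    removed: List[str] = []
    for day in sorted(kept):            # ISO dates sort chronologically
        if sum(kept.values()) <= max_gb:
            break
        removed.append(day)
        del kept[day]
    return kept, removed


# Constructed per-day connlog sizes in GB for five days on a busy link.
SAMPLE_CONNLOG_DAYS = {
    "2011-04-25": 3.0, "2011-04-26": 4.0, "2011-04-27": 5.0,
    "2011-04-28": 6.0, "2011-04-29": 7.0,
}

if __name__ == "__main__":
    # The 25GB default buffer holds ten hours of a 2.5GB/h statistics stream.
    print(stats_buffer_hours(25.0, 2.5))
    kept, removed = prune_connlog(SAMPLE_CONNLOG_DAYS, max_gb=15.0)
    print("removed:", removed, "kept:", kept)
```

Because connlog days are the first data evicted, a connlog backup schedule (9.2.4.7.3) is what keeps those days available for later investigation.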

9.2.4.12. Manage software raid

See the status of the RAID array and the state of the individual disks. Disks can also be added to or removed from the array.

9.2.4.13. SSH Banner

This option allows entering a text to be displayed upon SSH login.

9.2.4.14. SSHD Port

Configure SSHD to run on a different port than the Procera Networks default port 42002.

9.2.4.15. SSHD ACL

This option configures the Access Control List (ACL) of the SSH daemon on PacketLogic. The ACL determines what hosts are allowed to connect to PacketLogic with SSH. Hosts are subject to pattern expansion. Examples: *.co.uk allows access from all ".co.uk" domains, 10.0.95.? allows access from 10.0.95.[0-9], !*.com disallows access from all ".com" domains.
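An evaluator for ACL entries of the form shown above, added here as an example and not Procera's implementation: the guide does not state how overlapping entries are resolved, so the example assumes deny ("!") entries win over allow entries, and the hosts tested are constructed.

```python
"""Evaluator for SSHD ACL entries of the kind shown above.

Added example, not Procera code. The guide shows the entries *.co.uk,
10.0.95.? and !*.com but does not say how overlapping entries are resolved,
so this assumes the common TCP-wrappers style: a host is allowed when it
matches at least one plain entry and no "!" entry (constructed assumption).
Hosts are compared as strings (hostname or dotted IP), case-insensitively.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple


def parse_acl(entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (allow_patterns, deny_patterns)."""
    allow: List[str] = []
    deny: List[str] = []
    for raw in entries:
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry.startswith("!"):
            deny.append(entry[1:].strip())
        else:
            allow.append(entry)
    return allow, deny


def decide(host: str, entries: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, deciding_entry) for one connecting host.

    Deny entries are checked first so that a host matching both
    "*.co.uk" and "!*.com" (e.g. a.co.uk.example.com) is refused.
    """
    allow, deny = parse_acl(entries)
    name = host.strip().lower()
    for pattern in deny:
        if fnmatchcase(name, pattern):
            return False, "!" + pattern
    for pattern in allow:
        if fnmatchcase(name, pattern):
            return True, pattern
    return False, "<no matching entry>"


def host_allowed(host: str, entries: Iterable[str]) -> bool:
    return decide(host, entries)[0]


# Constructed ACL using the three example entries from the guide.
SAMPLE_ACL = ["*.co.uk", "10.0.95.?", "!*.com"]

if __name__ == "__main__":
    for h in ("ops.example.co.uk", "10.0.95.7", "10.0.95.10",
              "jump.example.com", "a.co.uk.example.com"):
        print(h, decide(h, SAMPLE_ACL))
```

Name-based entries such as *.co.uk can only be as reliable as the reverse DNS of the connecting address, so address patterns like 10.0.95.? are the firmer control.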

9.2.4.16. Resource copy

Enables automatic copying of configuration from a remote system. Resource copy enables copying the resource for Users, Objects & Rules, or both from a remote PacketLogic system, by creating a backup of the remote resource and restoring it on the local system. Resource copying also attaches to the remote resource and monitors it for changes. When the remote resource is changed, a new backup of the resource is made and restored on the local system. Configuration consists of the IP address or host name of the remote system and a user account with read permissions for the resource to copy, and read/write permissions for the Backup resource. Note that the pre-existing local resource will be overwritten.

9.2.4.17. SSH key

This option displays the public SSH key of the PacketLogic system, or creates one if it does not exist. A new key can also be generated.

9.2.4.18. PSM

This option enables or disables the PSM.

9.2.4.18.1. Enable/Disable PSM

This option enables or disables the PSM.

9.2.4.18.2. PSM web interface ACL

Add or remove IP addresses from the PSM web interface white list ACL.


9.2.4.18.3. Wipe PSM data

This will wipe the PSM data to restart populating the system.

9.2.4.18.4. PSM state change

A way to manually set the state of the PSM, useful when doing setup or testing.

9.2.4.18.5. PSM Extensions

9.2.4.18.5.1. PSM Trigger

9.2.4.18.5.1.1. Enable/Disable PSM Trigger

9.2.4.18.5.1.2. Configure Sources

9.2.4.18.5.2. CMTS Poller

9.2.4.18.5.2.1. Enable/Disable CMTS Poller

9.2.4.18.5.2.2. Configure CMTSes

9.2.4.19. Remote Hosts

This option lists the remote hosts configured and allows adding remote hosts. Remote hosts are used when PacketLogic shall upload data to a remote destination. A remote host consists of a protocol (SSH or FTP), IP address, a path on the remote host, a user name on the remote host, and a port.

9.2.4.20. Internal VBS

This option enables/disables the internal VBS.

9.2.5. License

This is where the PacketLogic license can be viewed and downloaded. The license governs what modules are enabled and controls other functionality that can be enabled/disabled in the system. The PacketLogic cannot be used without a valid license.

9.2.5.1. View license

This option displays the license information for this system.

9.2.5.2. Download license

This option downloads the license file. The license can be downloaded directly from a Procera Networks download server via HTTP on port 80. If this is not possible, the license file can be manually downloaded from http://194.153.91.40/pldownload/licenses/$MACHINEID.lic and then uploaded to the "License upload" folder in the File Manager in the PacketLogic client.

9.2.6. Updates

Here you can update the system and read the changelog of our releases.


9.2.6.1. Update firmware from own server

Performs a firmware update from a private FTP or web server. After a successful update the system will ask for a reboot. The system can be rebooted immediately, not rebooted at all, or have a time set to reboot at a later stage. When rebooting at a later stage the system will use the UNIX command "at". Example syntax for "at": 03:00 is the next time the clock reads 3 am. 03:00 2004-04-07 is 03:00 on 2004-04-07 (year 2004, month 04, day 07).

9.2.6.2. Update firmware

This option performs a firmware update from the Procera Networks master server (requires the PacketLogic system to have access to the internet to connect to the Procera Networks server), or using a firmware uploaded to the client file manager. After a successful update the system will ask for a reboot. The reboot can be performed immediately, not at all, or at a later stage by setting a time. When rebooting at a later stage the system will use the UNIX command "at". Example syntax for "at": 03:00 is the next time the clock reads 3 am. 03:00 2004-04-07 is 03:00 on 2004-04-07 (year 2004, month 04, day 07).

9.2.6.3. Update notifications

Please note this will only work if the PacketLogic admin interface has access to the Internet. It will connect to a Procera Networks server. Once this is configured it will check for a new version of the server software every night and, if a new one is available, send an email.

9.2.6.4. Proxy

This option configures an HTTP proxy to be used when doing upgrades and for downloading the license file.

9.2.7. Customisations

This menu contains any custom modules installed by Procera Networks' Professional Services team. Any menus and commands found in this section are not covered by the standard Procera documentation or support.

9.2.7.1. Uninstall Modules

Remove an installed module from the system.

9.2.7.2. Install or Update Modules

Install new modules, or upgrade existing modules to a new version.

9.2.7.3. List installed Modules



Chapter 10. Common Procedures in PacketLogic

This section describes procedures commonly used in PacketLogic.

10.1. Backup and Restore

There are two different ways to take a backup in PacketLogic: using the client or using the CLI.

10.1.1. Client Backup Versus CLI Backup

The client backup and the CLI backup are not the same.

The CLI backup: takes the entire running configuration and writes it to a backup file. Restoring a CLI backup will restore everything to the state in which the backup was made.

The client backup: takes a backup of the PLDB Resources (see Section 4.4.5.2, "Resources") and writes them to an XML file with the suffix .plb. This file contains the configuration settings from the resources selected to be included in the backup.

Backups made using the client can only be restored using the client, and backups made using the CLI can only be restored using the CLI. A backup made with the client can be identified by its file suffix, which is .plb. CLI backups, on the other hand, are either .tar.gz or .tar.gz.gpg.

Note: In a proxied setup (that is, resources are proxied to a remote PacketLogic), the Backups resource must be set to the same proxy configuration as the other resources for the client backup to contain the resource contents actually used. If it is not, the backup will contain the contents of the local database, which are not likely to be correct. This does not affect CLI backups.

10.1.2. Taking a Backup in the Client

The client backup is made using the Backup Manager (see Section 8.10.5, "Backup Manager"), and consists of the ruleset and system configuration (resources).

Note: Client backups cannot be restored to a different release than the one they were made on. Substantial changes in version numbers may also cause problems.

To take a backup, perform the following steps:

1a: Open the Backup Manager, by clicking the Backup Manager button.

1b: Open the Backup Manager, by selecting it from the Tools drop-down menu.


2: Click the New Backup button to create a new backup.

3: A new item appears in the Backup Manager. This is the newly created backup. It is automatically named with date and time.

4: To store the backup off the PacketLogic unit for safe keeping, select the new backup and click the Download button. This will transfer the backup file from the file system on the PacketLogic unit to the host where the client is running.

Note: Backups only take resources stored locally. Resources that are set to Proxy are not included.

10.1.3. Taking a Backup in the CLI

The backup in the CLI can either be a backup of configuration, logs, or statistics.

To take a backup, perform the following steps.

1. Log on to the PacketLogic using SSH on port 42002

Enter the pladmin password.

2. Select Enable (1).

Enter the enable password.

3. Select System Administration.

4. Select Backup

a. To take a backup of the configuration, select Backup config.

b. To take a backup of statistics, select Backup statistics.

c. To take a backup of the log files, select Backup logs.

5. If a backup host is not already configured, do so by selecting Configure backup host.

6. To take a single backup and send it to the configured backup host, select Single backup.

7. To set up scheduled backups to be taken automatically at regular intervals and sent to the configured backup host, select Scheduled backup.

10.1.4. Restoring a Backup in the Client

Note: Client backups cannot be restored to a different release than the one they were made on. Substantial changes in version numbers may also cause problems.

To restore a backup in the client, perform the following steps:

1a: Open the Backup Manager, by clicking the Backup Manager button.


1b: Open the Backup Manager, by selecting it from the Tools drop-down menu.

2: Click the Upload button to upload the backup to restore to the PacketLogic. This will transfer a file from the host running the client to the PacketLogic unit. Select the backup file to upload (which shall be a .plb file).

3: A new item appears in the Backup Manager. This is the uploaded backup. Select it by clicking on it.

4: To restore the backup, click the Restore button.

5: Select the resource or resources to restore, or All to restore the entire configuration.

10.1.5. Restoring a Backup in the CLI

The CLI allows restoring backups of either configuration or statistics. Make the backup to restore available so that it can be accessed from the PacketLogic using FTP or HTTP.

To restore a backup in the CLI, perform the following steps:

1. Log on to the PacketLogic using SSH on port 42002. Enter the pladmin password.

2. Select Enable (1). Enter the enable password.

3. Select System Administration.

4. Select Backup

5. a. To restore a backup of the configuration, select Backup config

b. To restore a backup of statistics, select Backup statistics

6. a. To restore a backup of the configuration, select Restore backup

b. To restore a backup of the configuration, select Restore statistics

7. When restoring a backup, userland processes will need to be restarted, and any client connections will be lost. Traffic flow is not affected.

8. Enter the URL to the backup file to restore, using FTP or HTTP.

10.2. Updating PacketLogic

This section describes how to update the PacketLogic software.


1. Log on to the PacketLogic using SSH on port 42002. Enter the pladmin password.

2. Select Enable (1). Enter the enable password.

3. Select Updates (6).

4. Select Update

Version information will be retrieved for the current protocol version and displayed. Depending on what releases newer than the one installed are available, there are options to choose which version to download and install.

5. Enter the letter corresponding to the version to install (E for Early Deployment or G for General Deployment), or Q to leave the Update menu without updating, and press Enter.

If there are multiple choices available, they are displayed. Enter the number corresponding to the version to install and press Enter. The download will start. The software is installed, and a backup of the current configuration is made.

6. Next, a prompt asking for when to reboot is displayed. Type R to reboot immediately or D to enter a future point in time, and press Enter. To not reboot (meaning it will have to be done manually later for the update to take effect), type M and Enter.

If a reboot is performed, the connection to the PacketLogic will be closed.

10.2.1. PL10000/PL20000 Update Measures

The PL10000/PL20000 requires more steps for the entire platform to be updated. The above procedure will update the firmware installed on a single SM module. For a PL10000/PL20000 platform, perform the following additional steps:

1. Repeat the procedure in Section 10.2, "Updating PacketLogic" for each SM module installed in the chassis, and reboot them.

2. Reboot all FP and LB modules in the system, using the "Reboot chassis components" CLI option described in Chapter 9, CLI Menu. Choose to reboot the entire boards holding FPs and LBs. This will cause the FPs and LBs to retrieve new firmware from the SMs.

10.2.2. Updating signatures

10.2.2.1. About Signature updates

Signature updates are needed to allow the PacketLogic to recognise new Internet applications and protocols and keep recognising applications already known, when protocols change. If shaping or filtering policies are being applied to various applications and application categories, it is important that these are correctly recognised. Signature updates are issued weekly and are made available on the Procera Networks download website. Signature updates can be performed at any time, as there is no traffic interruption during the updates. Please note, though, that Virtual Services are recompiled after each signature update. If there are many Virtual Services defined and used, the compilation could take a minute or more, with increased memory consumption. It is recommended to perform signature updates during off-peak hours if there are many Virtual Services and the PacketLogic is running with high load.

10.2.2.2. Ways to update the signatures

Signature bundles are normally published on the PacketLogic downloads site and can be downloaded automatically or downloaded manually followed by manual upload to PREs or PICs. In some cases signature bundles are provided by support (temporary bundles), to fix an urgent issue or add a new service without waiting for the weekly update. Such bundles are not available for download from the Procera Networks downloads website and are provided by Procera Networks representatives.


The PacketLogic system needs to have a new signature bundle on disk before it can be unpacked and loaded into the engine. Normally, signature updates are performed using the CLI. Access to the GUI interface may be required in some cases, see below.

There are four alternative methods to load a new signature bundle to the PacketLogic system:

• Have the PRE or PIC automatically download a signature bundle from the Procera Networks downloads site (see Signature update method 1).

This is the easiest way, used when the system has access to the Internet from the Admin port. The IP address configured on the Admin port needs to be either directly routable or able to access the Internet through NAT.

• Upload a new signature bundle to the PacketLogic system manually using the PacketLogic client. Signature bundles may be downloaded from the Procera Networks downloads site using a web browser (see Signature update method 2).

This procedure is used when the PRE has no access to the Internet, due to the Admin port IP not being routed on the Internet or being firewalled from it completely. This method is also used when installing a bundle not available via the Procera Networks download site (temporary bundles).

• Download the signature bundle from a user supplied URL (see Signature update method 3).

This procedure is used in the same cases as the second option above, but when the use of the PacketLogic client is not possible or not desired for signature bundle upload. An example would be situations where there is a group of users having access to the CLI, but no access to the PacketLogic client. This procedure requires a server (either HTTP or FTP) where the signature bundle can be uploaded.

• Download the signature bundle from the configured folder on a user provided server (see Signature update method 4).

This option is the combination of the first and third options above, where a new signature bundle is downloaded from a predefined server, but an internal one. This procedure is typically used when the PacketLogic system has no access to the Internet, due to the Admin port IP not being routed on the Internet or being firewalled from it completely. It is also possible to use this method to install a bundle not available from the Procera Networks download site (temporary bundles).

10.2.2.3. Signature Update Procedures

Download a signature bundle from the Procera Networks downloads site.

1. Connect to the CLI of the PacketLogic system (ssh -p 42002 pladmin@ip_address)

2. Select Enable

3. Select Signatures

4. Select Update signatures

5. Select Procera Networks download site

6. Select the signature bundle with the most recent date (files are named in the following format: signatures-NUMBER-DATE.tar.lzma.gpg) by typing the associated number.

7. Enter y to agree to download the selected signature bundle

8. Press space or any other key when the download is finished to apply the new signatures.

Here is an example showing messages indicating a successful signature update:


* Decrypting signatures
gpg: Signature made Tue Oct 29 08:01:23 2012 MSK using DSA key ID 60924A62
gpg: Good signature from "Netintact PL2 (Netintact PL2 key) <[email protected]>"
* Extracting signatures
* Enabling new signatures
Signatures successfully installed
* Updating Procera Networks Categories
Reloading ruleset
Press any key to continue.

Upload a new signature bundle to the PRE manually via the GUI interface. Signature bundles may be downloaded from the Procera Networks downloads site using a web browser.

1. Open the signatures section of the Procera Networks downloads website (http://download.proceranetworks.com/signatures/)

2. Find the section matching the major.minor version of the firmware installed on the unit being updated (13.1, 14.0, 14.1).

3. Click Download in the section corresponding to the firmware version and save the file. When the download is complete, verify that the file matches the signature*.tar.lzma.gpg pattern. Some browsers are known to remove the ".gpg" or ".lzma" parts. If this is the case, rename the file so its name ends with ".tar.lzma.gpg".

4. Open the PacketLogic client and connect to the unit being updated.

5. Open the File Manager and upload the downloaded signature bundle to Upgrade files folder in the File Manager.

6. Connect to the CLI of the PacketLogic system (ssh -p 42002 pladmin@ip_address)

7. Select Enable

8. Select Signatures

9. Select Update signatures

10. Select L) Locally uploaded file

11. Select the number of the file uploaded in the PacketLogic client. If multiple signature bundles were uploaded to the Upgrade files folder in the File Manager, all of them are listed in this step.

Here is an example showing messages indicating a successful signature update:

* Decrypting signaturesgpg: Signature made Tue Oct 29 08:01:23 2012 MSK using DSA key ID 60924A62gpg: Good signature from "Netintact PL2 (Netintact PL2 key) <[email protected]>"

* Extracting signatures

* Enabling new signatures
Signatures successfully installed

* Updating Procera Networks Categories
Reloading ruleset

Press any key to continue.

Download bundle from a user supplied URL

1. Open the signatures section of the Procera Networks downloads website (http://download.proceranetworks.com/signatures/)

2. Find the section matching the major.minor version of the firmware installed on the unit being updated (13.1, 14.0, 14.1).

3. Click Download in the section corresponding to the firmware version and save the file. When the download is complete, verify that the file name matches the signature*.tar.lzma.gpg pattern. Some browsers are known to remove the ".gpg" or ".lzma" parts. If this is the case, rename the file so that its name ends with ".tar.lzma.gpg".

4. Upload the signature bundle file (previously downloaded from the Procera Networks downloads website or received from a Procera Networks representative) to an HTTP or FTP server reachable from the Admin IP of the PacketLogic system being updated.

5. Connect to the CLI of the Procera unit (ssh -p 42002 pladmin@address-of-pre)

6. Select Enable

7. Select Signatures

8. Select Update signatures

9. Select I) Install from temporary URL and enter the URL of the signature file (like the following examples):

http://www.my-internal-hostname.net/procera/signature-NUMBER-DATE.tar.lzma.gpg

ftp://user:[email protected]/procera/signature-NUMBER-DATE.tar.lzma.gpg

Here is an example showing messages indicating a successful signature update:

Connecting to ftp.my-internal-hostname.net (10.0.0.100:21)
[Download progress is displayed]

* Decrypting signatures
gpg: Signature made Tue Oct 29 08:01:23 2012 MSK using DSA key ID 60924A62
gpg: Good signature from "Netintact PL2 (Netintact PL2 key) <[email protected]>"

* Extracting signatures

* Enabling new signatures
Signatures successfully installed

* Updating Procera Networks Categories
Reloading ruleset

Press any key to continue.

Download the signature bundle from the configured folder on a user provided server

1. Connect to the CLI of the PacketLogic system (ssh -p 42002 pladmin@ip_address)

2. Select Enable

3. Select Signatures

4. Select Update signatures

If a server from which the signatures can be downloaded is already configured and option O) is available in the menu, proceed to step 7.

5. Select C) Change default download URL and enter a URL pointing to a folder in the following format:

http://www.my-internal-hostname.net/procera-updates/

ftp://user:[email protected]/procera-updates/

Please note that only folders may be specified. The system always looks for a signatures.tar.lzma.gpg file in the specified folder.

6. Put a signature bundle in the location specified in the previous step.

7. Choose O) Own download site

Here is an example showing messages indicating a successful signature update:

Connecting to www.my-internal-hostname.net (10.0.0.100:80)

[Download progress is displayed]

* Decrypting signatures
gpg: Signature made Tue Oct 29 08:01:23 2012 MSK using DSA key ID 60924A62
gpg: Good signature from "Netintact PL2 (Netintact PL2 key) <[email protected]>"

* Extracting signatures

* Enabling new signatures
Signatures successfully installed

* Updating Procera Networks Categories
Reloading ruleset

Press any key to continue.

10.3. Enabling Snooping

This section describes how to configure PacketLogic to perform snooping. For details on DHCP and RADIUS snooping, see Section 6.4, “Monitor”.

1. DHCP or Radius Snooping

In the Objects & Rules editor, add the following:

1. A PortObject. For DHCP snooping, include ports 67 and 68. For Radius snooping, include ports 1645, 1646, 1812, and 1813.

2. A ProtocolObject with UDP included.

3. A Filtering rule with the above objects as criteria, and with the appropriate Monitor Interface (for DHCP select the DHCP Snooper, for Radius select the Radius Snooper). Set the action to Accept. If there are several Filtering rules, consider the placement of the rule in the list and the Quick attribute (for details, see Section 6.1, “Maintaining Filtering Rules”).

2. SIP Snooping

1. Create a ServiceObject containing the Services SIP, SIP pickup, SIP RTCP, and SIP RTP.

Figure 10.1. ServiceObject

2. Create a filtering rule with the ServiceObject above as condition. Set the action to Accept, and the Monitor Interface to SIP snooper. If there are additional criteria for the SIP traffic to snoop, add conditions for them as well (such as NetObjects or TimeObjects).

Figure 10.2. Filtering rule

3. When the rule starts to extract information about the SIP traffic detected, the information is available in three places:

a. Entries in the Python log, available in the Log Viewer.

Figure 10.3. Python log

The SIP snooper extracts basic information about SIP traffic from the monitored traffic and sends it to the syslog daemon. The information is represented in a comma-separated format containing the following fields:

• Time (as a unix timestamp including milliseconds)

• Source IP address

• Source port

• Destination IP address

• Destination port

• From (Caller)

• To (Callee)

• Method

• Request URI

• Code

• Call ID

• Call sequence number

• Reason

Example: The following is an example entry from the SIP snooper, as found in the Python Programs log in the Log Viewer:

Mar 28 01:15:54 pl2 python: sipdata:1175037354.29,10.1.1.1,5060,192.168.1.2,5060, """foo"" <sip:[email protected]>;tag=b56e6e",<sip:[email protected]>,,,100, [email protected],2 INVITE,Trying

The example above contains the following information:

• Time: 1175037354.29

• Source IP: 10.1.1.1

• Source port: 5060

• Destination IP: 192.168.1.2

• Destination port: 5060

• From: """foo"" <sip:[email protected]>;tag=b56e6e"

• To: <sip:[email protected]>

• Method:

• Request URI:

• Code: 100

• Call ID: [email protected]

• Call sequence number: 2 INVITE

• Reason: Trying
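The following is an added example (not PacketLogic's own code) that parses entries in this format so they can be correlated per call rather than read by eye in the Log Viewer. It assumes only the syslog prefix and the thirteen-field layout shown above; the log lines in SAMPLE_LOG, and every host, user and domain in them, are constructed for illustration.

```python
"""Parse PacketLogic SIP snooper entries as they appear in the Python log.

Added example, not PacketLogic's own code. It assumes only what the guide
states: a syslog line of the form "<stamp> <host> python: sipdata:<fields>"
whose fields are the thirteen comma-separated values listed above. The log
lines in SAMPLE_LOG are constructed; every host, user and domain is made up.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone

# Syslog prefix written by the snooper, e.g. "Mar 28 01:15:54 pl2 python: sipdata:..."
_PREFIX = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"python: sipdata:(?P<body>.*)$"
)

# Field order from the guide's list: time, addresses, SIP headers, status.
FIELDS = (
    "time", "src_ip", "src_port", "dst_ip", "dst_port", "from", "to",
    "method", "request_uri", "code", "call_id", "cseq", "reason",
)

SAMPLE_LOG = [  # constructed sample, same layout as the guide's example entry
    # INVITE request: Method and Request URI set, Code and Reason empty
    'Mar 28 01:15:54 pl2 python: sipdata:1175037354.12,10.1.1.1,5060,192.168.1.2,5060,'
    ' """foo"" <sip:foo@example.com>;tag=b56e6e",<sip:bar@example.net>,INVITE,'
    'sip:bar@example.net,, abc123@10.1.1.1,2 INVITE,',
    # 100 Trying response: Method and Request URI empty, Code and Reason set
    'Mar 28 01:15:54 pl2 python: sipdata:1175037354.29,192.168.1.2,5060,10.1.1.1,5060,'
    ' """foo"" <sip:foo@example.com>;tag=b56e6e",<sip:bar@example.net>,,,100,'
    ' abc123@10.1.1.1,2 INVITE,Trying',
    # 200 OK for the same Call ID
    'Mar 28 01:15:55 pl2 python: sipdata:1175037355.01,192.168.1.2,5060,10.1.1.1,5060,'
    ' """foo"" <sip:foo@example.com>;tag=b56e6e",<sip:bar@example.net>,,,200,'
    ' abc123@10.1.1.1,2 INVITE,OK',
    # Unrelated line from the same log, must be ignored
    'Mar 28 01:16:10 pl2 kernel: eth0: link is up',
]


def parse_sipdata(line):
    """Return a dict keyed by FIELDS (plus host and timestamp), or None.

    The snooper quotes a From header that itself contains quotes and doubles
    the inner quotes (""foo""), which is standard CSV quoting, so the csv
    module is used instead of a plain split on commas.
    """
    m = _PREFIX.match(line.strip())
    if m is None:
        return None
    # skipinitialspace drops the blank the snooper emits after some commas,
    # so a quoted field following such a blank is still parsed as quoted.
    rows = list(csv.reader(io.StringIO(m.group("body")), skipinitialspace=True))
    if len(rows) != 1 or len(rows[0]) != len(FIELDS):
        return None  # malformed or truncated entry
    rec = dict(zip(FIELDS, rows[0]))
    rec["host"] = m.group("host")
    rec["timestamp"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec


def is_request(rec):
    """Requests carry a Method; responses carry a Code and Reason instead."""
    return bool(rec["method"])


def calls_by_id(lines):
    """Group parsed entries by Call ID so requests and responses line up."""
    calls = defaultdict(list)
    for line in lines:
        rec = parse_sipdata(line)
        if rec is not None:
            calls[rec["call_id"]].append(rec)
    return dict(calls)


def summarize_calls(lines):
    """One row per Call ID: caller, callee, request methods seen, last response code.

    Enough to spot calls that never progress past a provisional response or
    callers generating unusual numbers of INVITEs.
    """
    summary = {}
    for call_id, recs in calls_by_id(lines).items():
        recs.sort(key=lambda r: r["timestamp"])
        codes = [r["code"] for r in recs if r["code"] is not None]
        summary[call_id] = {
            "caller": recs[0]["from"],
            "callee": recs[0]["to"],
            "methods": [r["method"] for r in recs if is_request(r)],
            "last_code": codes[-1] if codes else None,
        }
    return summary


if __name__ == "__main__":
    for call_id, info in summarize_calls(SAMPLE_LOG).items():
        print(call_id, info)
```

The csv module is used deliberately: a From display name such as "foo" is emitted with doubled inner quotes inside a quoted field, and a naive split on commas would break as soon as a display name or Reason contains a comma.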

b. Dynamic NetObjects, containing the hosts found in the SIP traffic, sorted by SIP register.

Figure 10.4. Dynamic NetObjects

c. System Diagnostics values.

Figure 10.5. System Diagnostics

10.4. Capturing Traffic

There are two methods to capture traffic:

• Capturing traffic from a specific application or protocol on the host running the application. This is recommended when there is a known application used on the network for which there is not yet a signature. This is described in Section 10.4.1, “Capturing Traffic for a Specific Application” below.

• Capturing all traffic that PacketLogic is unable to identify, on PacketLogic itself. This is the only way to capture unknown traffic when it is not known what generates the traffic. Optionally, the capture can be narrowed to a host, subnet, port or similar criteria. This is described in Section 10.4.2, “Capturing Unknown Traffic in PacketLogic” below.

Send the traffic capture files to a Procera Networks representative, and the DRDL signature developers will use the captures to create signatures for identifying the captured traffic.

10.4.1. Capturing Traffic for a Specific Application

The recommended tool to capture traffic on the client/application side is Wireshark (for information and download, see http://www.wireshark.org).

Follow the instructions below to create traffic captures useful for analysis.

1. Close ALL applications that might generate network traffic.

2. Start Wireshark

3. Select Options from the Capture menu (or press Ctrl+K) to open the Capture Options. Select the network interface to capture from and ensure that the option Enable network name resolution is unchecked (to avoid reverse lookup of IP addresses). Optionally set options for the output files.

Figure 10.6. Capture Options

4. Click Start to start capturing traffic.

5. Start the application for which to capture traffic. Packets will appear in the Wireshark window.

Figure 10.7. Traffic being captured

6. Use the application normally, but try to do it slowly. Wait a few seconds between every action: log in, wait a few seconds; search, wait a few seconds; and so on.

7. Document what is done (Send message, file transfer, login, and so on.)

8. Close the application being captured. Stop the capture by selecting Stop from the Capture menu, or pressing Ctrl+E.

9. Save the capture file in PCAP format by selecting Save from the File menu, or pressing Ctrl+S. Create at least two, but preferably four or five, files like this. With the options set up, a new capture can be started by simply choosing Start from the Capture menu.

Notes

• If the protocol has a login procedure (with username and password), create dumps with at least two different usernames with different passwords.

• If the procedure captured includes downloading a file or accessing a particular resource, access different files/resources in each dump.

• If the procedure captured includes sending a message or creating something, be as random as possible in the content that is entered.

• Try to make the capture long enough that the interesting content is not drowned out by other network traffic. It is not necessary, however, to make the capture very large, since it is the very beginning of the connection that is used to identify it. As a rule of thumb, a capture of over 1000 packets should suffice.

• If there is sensitive information in the capture in the form of usernames, passwords, or other items of information that are to be kept confidential, remember to encrypt the capture before sending it, or anonymize the traffic by using non-sensitive information when using the application for which traffic is captured.

10.4.2. Capturing Unknown Traffic in PacketLogic

To create PCAP files for unidentified (Unknown) traffic in PacketLogic, follow the instructions below:

1. Connect to the PacketLogic using the client.

2. Open the Objects & Rules editor.

3. Create a ServiceObject (Figure 10.8, “Create ServiceObject”).

Figure 10.8. Create ServiceObject

4. Add an item to the ServiceObject (Figure 10.9, “Add items”).

Figure 10.9. Add items

5. Select "Being Analyzed" and "Unknown" (Figure 10.10, “Select services”). Also, if there is traffic that should be identified by a signature already available in PacketLogic but is being shown as Unknown, include that signature in the ServiceObject.

Figure 10.10. Select services

6. Create a FlagObject with the items 'Untracked' flag must be excluded and 'Beginning' flag must be included(Figure 10.11, “Create FlagObject”).

Figure 10.11. Create FlagObject

7. Create a Filtering rule. Add the created ServiceObject and FlagObject as conditions with Equals as operator, "Accept" as action, and a PCAP writer as monitor interface (Figure 10.12, “Create a filtering rule”). Optionally, if a specific host and/or port is known to generate the traffic of interest, add a Host NetObject and PortObject with the applicable items as well.

Figure 10.12. Create a filtering rule

8. Place the filtering rule at the top of the list and enable the "Quick" property.

9. Remember to save the ruleset when done.

When the capture is ready, it is available in the File Manager for download. The capture file can also be automatically uploaded to a remote host. The host and upload method (ftp or ssh) is specified using the CLI, with the option System Administration -> Logs -> PLPCAP. This also has an option to specify how many and how large files the PCAP writer shall create. Files are made available once they are closed, which happens either when the configured file size is reached (in which case another new file is opened for the remainder of the capture) or when the filtering rule is disabled.

10.5. Configuring BGP Support

1. Configure the BGP server to allow the PacketLogic as a BGP neighbour for the AS number that the PacketLogic will use (see below).

2. In case the BGP server is more than one hop from the Administration interface on the PacketLogic, the BGP server must have eBGP multihop enabled.

3. Open the System Configuration editor in the PacketLogic Client by selecting it in the Edit menu.

4. Enable BGP support by setting the System Configuration value BGP_ENABLED to True.

5. Configure the AS number that the PacketLogic shall use for itself by setting the System Configuration value BGP_MYAS to the appropriate value. This must be a different number than that of the BGP server, and it is recommended to select a private AS number in the range 64512-65535. PacketLogic using its own private AS number is necessary in order to enable eBGP (as opposed to iBGP, which would be enabled if PacketLogic and the BGP server are in the same AS).

6. Configure the BGP server to use for retrieving BGP information, by entering the IP address of the BGP server as the System Configuration value BGP_SERVER.

7. Optionally, configure the System Configuration value BGP_PATH_CUTOFF if the AS path shall be truncated. The default value of 0 (zero) means that the path is not truncated. A non-zero value means that the AS path is truncated to the configured number of hops.

8. Optionally, set the System Configuration value BGP_COMMUNITY_ENABLED to True if BGP communities are to be shown in LiveView, and review the setting of BGP_MAX_COMMUNITIES.

9. Reload the configuration by selecting Reload Configuration... from the File menu in the System Configuration editor.

BGP should now be available, which can be verified by drilling down into a connection and seeing that the AS path is visible for the connection. Also, BGPObjects are available in the Objects & Rules editor. For information on BGP and AS paths, see Section 4.2.8, “Border Gateway Protocol (BGP)”.

10.6. Password Reset

1. Connect to the serial console of the PacketLogic.

2. When prompted for a password, enter the system ID of the PacketLogic system.

3. This resets the enable password to the factory default.

4. With the reset password, log in to the CLI on the serial console to reset any other passwords needed in the CLI menu.

10.7. Configuring Aux to be bonded with Admin

This procedure serves as an example of bonding configuration. On platforms where there are unused interfaces the process is simpler.

1. Connect to the PacketLogic system with SSH or serial console to access the CLI.

2. Go to the Network Configuration menu.

For systems with available interfaces to add to the bond, steps 3 through 6 can be skipped. Proceed with step 7.

3. Go to the AUX interface(s) menu.

4. Select option Interfaces.

5. Select to remove the Aux interface for the physical interface that is to be bonded with Admin. Typically thereis only one to choose from.

6. Go back to the Network Configuration menu.

7. Go to the Admin interface menu.

8. Select option Admin bonding.

9. Press s to select interfaces for the bond.

10. Press p and enter the interface to use as primary.

11. Press t to select bonding type. Type mii means the physical interfaces are monitored for status and link, and fail over when an error state is detected. Type arp relies on an external system to which ARP signals are sent to determine interface state. The ARP target needs to be entered as an IPv4 address.

12. Press w to store the new configuration and exit the configuration.

Centralized Management

183

Chapter 11. Centralized Management

This section describes the functions to enable centralized management that are available in PacketLogic.

Centralized management involves two different roles that PacketLogic units in the setup can assume. For the purposes of this description, they are called central and local PacketLogic units, with the following definitions:

• A central PacketLogic, in this context, stores resources (statistics, a ruleset, or any other resource) and provides them for one or more local PacketLogic units to read when needed.

• A local PacketLogic, in this context, uses the resources stored on a central PacketLogic.

These settings are configured with the Resource Manager in the PacketLogic client (see Section 8.10.9, “Resource Manager”). The configuration in the Resource Manager is performed on the local PacketLogic; the central PacketLogic needs no configuration except to ensure that the user used to set up the Proxy configuration has the appropriate permissions on the central PacketLogic.

For recommendations on how to use the centralized management features in PacketLogic, see Section 11.4, “Recommended Use”.

11.1. Proxy

Caution: Proxying resources should only be done between systems of the same major version. Trying to proxy a resource to a system with a different major version installed may cause the system to fail.

Proxying resources means that a local PacketLogic completely defers the task of storing a resource (such as the ruleset) to another PacketLogic. Once this is set, a client connecting to the PacketLogic that has a resource proxy will not see that the resource is not stored locally. There is no copy of the resource stored on the local PacketLogic. The deferred transactions are transparent to both sides:

• To the client connecting to the local PacketLogic, it will appear as if the resource is handled locally. The only way to tell that it is not is by looking at the Resource Manager.

• To the central PacketLogic storing the resource, the transactions to store and read the resource will appear as if coming from a client, even though they are coming from another PacketLogic.

Note: Set up scheduled backups of the proxied resource in the central PacketLogic. Should network communications between the local PacketLogic and the central PacketLogic fail, the local PacketLogic will not be able to re-read the proxied resource. In this case, a backup to restore to the local PacketLogic is essential to ensure operation.

Note: For backups on the local PacketLogic to work, the Backup resource must also be set to proxy. Otherwise the backup taken will be of the local database content, which is not the running configuration.

11.1.1. Proxy Configuration

To set a resource to Proxy, perform the following steps:

1: Open the Resource Manager, by selecting it from the Tools menu.

2: Select the applicable resource in the list. Click Edit.

3: Select Proxy from the Mode drop-down list.

4: Enter the IP address of the central PacketLogic in the Proxy address field, and the user name and password of a user with correct permissions in the Proxy user and Proxy password fields.

5: Click OK in the Editing Resource dialog.

6: The proxied resource will now have mode Proxy and status Proxy ready if it has connected successfully to the remote system.

7: Click OK in the Resource Manager.

11.1.2. System Overview

The System Overview is an additional feature when using proxied resources. To see general system information about several systems in the System Overview of a client, set the System Overview resource to Proxy. All PacketLogic systems proxying the System Overview resource to the same central PacketLogic will see each other's System Overview information.

To enable System Overview, set the System Overview resource as Proxy, by following the procedure described in Section 11.1.1, “Proxy Configuration”. If a separate PacketLogic is used for statistics storage, it is recommended to use the statistics system as a central point for System Overview proxying.

For information on configuring the values shown in the System Overview, see Section 8.5, “System Overview”.

11.2. System Diagnostics

System Diagnostics can also be proxied. When System Diagnostics are proxied, the proxying systems and the system to which they proxy are all shown in the System Diagnostics view. The systems can be separated by expanding the values, and the top level presents aggregated values.

Figure 11.1. Proxied System Diagnostics

Configuring System Diagnostics to proxy values is done in the Resource Manager by setting the System Diagnostics resource to proxy, with IP address and user information for the intended proxy master.

Figure 11.2. Proxying System Diagnostics in Resource Manager

Note: Alert levels can only be set on the top level of a system diagnostics value. For values combined with proxying, this means alert levels will apply to the aggregated value.

11.3. Resource Copy

Resource copying is another option for keeping certain configuration synchronized. Resource copying creates a backup of a remote resource (currently the Users and Rules & Objects resources are supported) and restores it locally. Resource copying also attaches to the remote resource to receive notifications of when the remote resource is changed. When it is, a new backup is made of the remote resource and restored locally.

Resource copying means the configuration data is available locally even if the connection to the remote system is lost, making it more resilient. Note, however, that if the connection is lost, changes on the remote system are not applied to the local system.

Using resource copying for the Objects & Rules also means that when the resource is changed on the remote system, the ruleset is recompiled on the local system.

Resource copying is configured in the CLI (Chapter 9, CLI Menu), in System Administration -> Resource copy.

11.4. Recommended Use

Even though any resource can be configured as a Proxy resource, there are a few well-defined recommended scenarios:

• Proxied ruleset. This is useful to define central rules and objects to apply in an entire network with several deployed local PacketLogic units.

• System Overview. This is useful to get a quick overview of selected system diagnostics values from several PacketLogic systems. See Section 11.1.2, “System Overview” for instructions on configuring System Overview.

• System Diagnostics. This is useful to view diagnostics for several PacketLogic systems.

To use centralized management for other resources, it is recommended to consult with the local PacketLogic technical contact before proceeding, to avoid unwanted side-effects. For centralizing user management and authorization, it is recommended to use the external authentication mechanisms (see Section 4.4.5.3, “External Authentication Sources”).

Monitoring PacketLogic

187

Chapter 12. Monitoring PacketLogic

This section describes the various mechanisms available for monitoring the status of PacketLogic. PacketLogic keeps track of a set of values, described in Appendix C, System Diagnostics Values. These values can be monitored in the following ways:

• Viewing them in the System Diagnostics view in the Surveillance part of the PacketLogic client interface (Section 8.7, “System Diagnostics”).

• Retrieving them with an SNMP management station, after setting up SNMP on the PacketLogic (see Chapter 9, CLI Menu).

• Retrieving them with a Python script using the PacketLogic Python API for custom handling.

Additionally, PacketLogic can actively inform an administrator of values exceeding their thresholds. For each value in System Diagnostics, alert limits can be configured by right-clicking the value and selecting the Alert limits option. In the Alert Limits editor, values can be defined for when the value shall generate an alert. Also, a comment can be added that will be included in the messages sent when the alert is generated. Once the alert limits are defined, the alerts can be provided in several different ways:

• When connecting to the LiveView part using the PacketLogic client, any alerts generated are shown as popup messages. This also acknowledges the alert.

• An email can be sent informing the recipient that the alert has been generated. This must be configured in the CLI, in the Mail configuration in the System Administration menu (see Chapter 9, CLI Menu).

• SNMP traps can be sent to a management station configured to receive traps, after setting up SNMP on the PacketLogic (see Chapter 9, CLI Menu).

Once an alert limit is exceeded, an alert is generated and sent out to the configured alert destinations. Once the alert is sent, it is not sent again until a client has logged on to the PacketLogic and has seen and acknowledged the alert.

12.1. Performance Indicators

This section lists a number of System Diagnostics values and how they relate to the performance of the PacketLogic. Recommendations are made for how to monitor them. The values are listed per zone (that is, the section in the System Diagnostics tree view in the PacketLogic client LiveView in which the value exists).

12.1.1. Connection

Table 12.1.

Value                           Recommended range          Monitoring
Attempts refused (resources)    Zero                       Trap
Connections allocated from LRU  Low, non-rising            Monitor
Create attempts inbound         N/A                        Monitor
Create attempts outbound        N/A                        Monitor
Current count                   < MAX_CONNECTIONS          Monitor
Current established count       < 60% of MAX_CONNECTIONS   Monitor

Attempts refused (resources): The number of attempts to create a connection that have been refused because there was no room in the data structure holding connections. This means no further connections can be created, and attempts to do so are simply refused. This is caused by the number of connections exceeding the System Configuration value MAX_CONNECTIONS.

Connections allocated from LRU: The number of connections that have been allocated in the connection data structure by reusing the entry of the least recently used connection, rather than allocating an empty available entry. This means the data structure is actually fully used, and this is a last measure to be able to actually allocate the connection. Allocating from LRU is not in itself a problem, since the connection entry that is reused most likely is due to be removed anyway, but it is a first indication that the connection structure is running out of space. This value can be monitored for observation. An increasing trend of this value can imply that the number of connections is rising to a level where connections can be refused.

Create attempts inbound: The number of attempts to create an inbound connection. This value can be monitored for observation. Extreme values can consume considerable resources in the system.

Create attempts outbound: The number of attempts to create an outbound connection. This value can be monitored for observation. Extreme values can consume considerable resources in the system.

Current count: The number of connections in the system. This is limited by the System Configuration value MAX_CONNECTIONS. This value can be monitored for observation. A trend in this value towards the limit can imply that the number of connections is rising to a level where connections can be refused.

Current established count: The number of established connections in the system (established means both hosts in the connection have transmitted packets in the connection). This is limited by the System Configuration value MAX_CONNECTIONS. This value can be monitored for observation; a level below 60 % of MAX_CONNECTIONS is safe. A trend in this value towards the limit can imply that the number of connections is rising to a level where connections can be refused.

12.1.2. Connsync

Note: This zone is only relevant if flow sync is being used (see Section 4.2.6, “Flow Synchronization”).

Table 12.2.

Value                                          Recommended range   Monitoring
Connections actively syncing                   Non-zero            Trap
Received packets with incompatible version     Zero                Trap
Received packets with incorrect ethernet type  Zero                Trap
Received packets with own engine-id            Zero                Trap
Updates for mismatching ARM                    Zero                Trap

Connections actively syncing: The number of connections for which flow sync messages are being sent. A non-zero value is an indication that flow sync is working.

Received packets with incompatible version: The number of flow sync messages received that are incompatible with the flow sync protocol used. This indicates that there are differences in the versions on the systems flow syncing.

Received packets with incorrect ethernet type: The number of packets received that are of a different ethernet type than the flow sync protocol. This indicates there is other traffic flowing on the flow sync network.

Received packets with own engine-id: The number of flow sync messages received with an engine-ID matching the engine-ID of the receiving engine. This should not occur unless there are errors in the flow sync network.

Updates for mismatching ARM: The number of flow sync update messages received from a flow sync peer with a different Application Recognition Module (ARM) than the receiving engine. This indicates that the peers do not have the same signature bundle installed. In normal operation this should be zero, but there may be non-zero values around the time when multiple flow syncing peers are updating signature bundles.

12.1.3. DRDL

Table 12.3.

Value                               Recommended range   Monitoring
Analyzed bytes                      > 0                 Trap
Child allocation failures           0                   Trap
Properties used (256)               N/A                 Monitor
Properties used (32)                N/A                 Monitor
Property allocation failures (256)  0                   Trap
Property allocation failures (32)   0                   Trap

Analyzed bytes: The number of bytes that have passed through the DRDL analyzer. A rate of zero (0) indicates that DRDL is not processing traffic at all at the moment. This should be non-zero at all times when the PacketLogic is analyzing traffic.

Child allocation failures: The number of times DRDL has failed to allocate a child connection. A non-zero value can cause imprecise service recognition.

Properties used (256): The number of properties allocated larger than 32 bytes. If this reaches the limit configured by the system configuration value SERVICE_PROP_POOLSIZE_256, property allocation fails and properties may not be set correctly. This value can be monitored to observe trends. Note that 256 byte properties are allocated if the pool for 32 byte properties is full.

Properties used (32): The number of properties allocated smaller than or equal to 32 bytes. If this reaches the limit configured by the system configuration value SERVICE_PROP_POOLSIZE_32, property allocation fails and properties may not be set correctly. This value can be monitored to observe trends. Note that if the 32 byte pool space runs full but there is space available in the larger pools, a larger property is allocated instead of failing.

Properties used (64): The number of properties allocated between 33 and 64 bytes in size. If this reaches the limit configured by the system configuration value SERVICE_PROP_POOLSIZE_64, property allocation fails and properties may not be set correctly. This value can be monitored to observe trends. Note that if the 64 byte pool runs full but there is space available in the 256 byte pool, a larger property is allocated instead of failing. Also, smaller properties use space in the 64 byte pool if the 32 byte pool is full but the 64 byte pool is not.

Property allocation failures (256) The number of times a property did not get allocated because there was no space in the 256 byte property pool. This value should be zero. If it is not, the system configuration value SERVICE_PROP_POOLSIZE_256 should be raised.

Property allocation failures (32) The number of times a property did not get allocated because there was no space in the 32 byte property pool (or any of the larger pools). This value should be zero. If it is not, the system configuration value SERVICE_PROP_POOLSIZE_32 should be raised.

12.1.4. Dynamic Ruleset

Table 12.4.

Value Recommended range Monitoring

IPs in table < 60% of MAX_DYNAMIC_IPS Monitor


Failed inserts (too many dynamic items) 0 Trap

Number of unique subscriber names < 60% of MAX_DYNAMIC_IP_NAMES Monitor

Too many unique subscriber names failures 0 Trap

IPs in table The number of dynamic items.

Failed inserts (too many dynamic items) The number of attempts to insert dynamic items that have failed. A non-zero value means the items that did not get inserted will not match the intended rules correctly. This is an indication that there are more dynamic items than the configured limit (system configuration value MAX_DYNAMIC_IPS).

Number of unique subscriber names The number of unique names on named dynamic items (subscribers).

Too many unique subscriber names failures The number of attempts to add a named dynamic item (subscriber) with a new name that have failed because the existing unique subscriber names were already at the limit defined by MAX_DYNAMIC_IP_NAMES.

12.1.5. General

Table 12.5.

Value Recommended range Monitoring

Active visible netobject pool exhausted Zero Trap

Active visible NetObjects < 60% of MAX_FULL_VISIBLE_NETOBJECTS Monitor

Visible netobject pool exhausted Zero Trap

Visible NetObjects < 60% of MAX_VISIBLE_NETOBJECTS Monitor

CPU Usage (0) < 80% on average over an hour Monitor

Hosts < 60% of HOST_NUM_HOSTS Monitor

Memory used < 85% Monitor

Active visible netobject pool exhausted The number of attempts to create an active (full) visible NetObject (a visible NetObject that contains hosts) when this is not possible, because the data structure for holding active visible NetObjects is full. This should always be zero. The number of active visible NetObjects is limited by the System Configuration value MAX_FULL_VISIBLE_NETOBJECTS.

Active visible NetObjects The current number of active (full) visible NetObjects (visible NetObjects that contain hosts). This number is limited by the System Configuration value MAX_FULL_VISIBLE_NETOBJECTS. This value can be monitored for observation. An increasing trend towards the configured maximum may require the limit to be raised.

Visible netobject pool exhausted The number of attempts to create a visible NetObject (whether it contains hosts or not) when this is not possible, because the data structure for holding visible NetObjects is full. This should always be zero. The number of visible NetObjects is limited by the System Configuration value MAX_VISIBLE_NETOBJECTS.

Visible NetObjects The current number of visible NetObjects (whether they contain hosts or not). This number is limited by the System Configuration value MAX_VISIBLE_NETOBJECTS. This value can be monitored for observation. An increasing trend towards the configured maximum may require the limit to be raised.

CPU Usage (0) The CPU usage of the first processor or core in the system. This is useful to monitor to observe trends on general system load. CPU usage can have peaks up to 100%, but an hourly average is recommended to be below 80%.

Hosts The number of hosts stored in the data structure for hosts. This is limited by the System Configuration value HOST_NUM_HOSTS. This value can be monitored. An increasing trend towards the configured maximum may require the limit to be raised.

Memory used The amount of memory used. This is useful to monitor to observe trends on general system load. This should be below 85%.

12.1.6. Load Balancer

Note: This zone is only applicable on PL10000/PL20000 systems.

Table 12.6.

Value Recommended range Monitoring

Active flow processors All FPs Monitor

RX bytes external N/A Monitor

RX bytes internal N/A Monitor

Active flow processors A list of the indexes of the flow processing CPUs available for the load balancer to distribute traffic over. All flow processors should be listed. If any flow processor is not, the absent processors should be investigated.

RX bytes external The number of bytes received on external channel interfaces by this load balancer. This value can be monitored to observe trends.


RX bytes internal The number of bytes received on internal channel interfaces by this load balancer. This value can be monitored to observe trends.

12.1.7. Packet Processing

Table 12.7.

Value Recommended range Monitoring

CPU Load < 60% on average over an hour Monitor

Free memory (bytes) N/A Monitor

Packets left in pool > 30% of the available packet pool Trap

RX drops Zero Trap

RX packets N/A Monitor

TX drops Zero Trap

TX packets N/A Monitor

CPU Load The load on the processors performing packet and flow processing. A packet processing CPU with a very high load may cause packet drops. Note: CPU load does not affect latency. CPU usage can have peaks up to 100%, but an hourly average is recommended to be below 60%. This is useful to monitor to observe trends on packet processing load.

Free memory (bytes) The available memory on the packet processor CPU. This value can be monitored to observe trends. A consistently low value may indicate that the PacketLogic needs to be equipped with more packet processors.

Packets left in pool The space available in the data structure used for packets. On PLOS (non-PL10000/PL20000) systems, this is defined by the System Configuration value PACKET_POOL_SIZE. On PL10000/PL20000 systems, this value is per packet processing CPU and is internally defined. For FP modules with 4GB of RAM per CPU (8GB per module), the size is 131072 packets per CPU. For FP modules with 8GB of RAM per CPU (16GB per module), the size is 262144 packets per CPU.

RX drops The number of packets dropped because the receiving buffer is full. This should not occur.

RX packets The number of packets received. This is useful to monitor to observe trends.

TX drops The number of packets dropped because the transmitting buffer is full. This should not occur.

TX packets The number of packets transmitted. This is useful to monitor to observe trends.


12.1.8. PLDB Statwriter

Table 12.8.

Value Recommended range Monitoring

Dataset Values < PLDB_STATISTICSFS_MAX_VALUES_DATASET Monitor

Dataset, Total Write time < 50 minutes Monitor

Dataset Values Dropped 0 Trap

Dataset Values The number of statistics values in the current dataset. This must not exceed the configured maximum (defined by the System Configuration value PLDB_STATISTICSFS_MAX_VALUES_DATASET), or values will be dropped. This value can be observed to monitor trends, especially when changes are made to StatisticsObjects and Statistics rules.

Dataset, Total Write time The time it took to complete writing the previous dataset. This should be considerably lower than an hour, to ensure the write can complete before the next begins. This value can be monitored to observe trends.

Dataset Values Dropped A set of counters for values being dropped for various reasons. These should all be 0.

12.1.9. PLSD

Table 12.9.

Value Recommended range Monitoring

Failed CPS updates 0 Trap

Values created < PLS_MAX_VALUES Monitor

Values in dataset < PLS_MAX_VALUES Monitor

Values not created (Cache exhausted) 0 Trap

Invalid Connection messages 0 Trap

Failed CPS updates Indicates that connections were created after a dataset was sent for writing, but before a new one was created. This will manifest itself as slight dips in CPS graphs around the turn of an hour (throughput graphs are not affected). This should be 0.

Values created The number of values created from the traffic seen. This should be below the configured maximum (system configuration value PLS_MAX_VALUES). This value can be monitored to observe trends.

Values in dataset The number of values that go in the dataset (essentially the values created that exceed the configured thresholds in the StatisticsObjects).


Values not created (Cache exhausted) The number of values that did not get created because the limit defined by PLS_MAX_VALUES was exceeded. This should be 0.

Invalid Connection messages

12.1.10. IPv4

Table 12.10.

Value Recommended range Monitoring

Fragment allocation failures 0 Trap

Packets refused (too many fragments) N/A Monitor

RX bytes N/A Monitor

Fragment allocation failures The number of times PacketLogic failed to allocate buffer space for a fragment. This can be an indication that the packet pool is being depleted. This should always be 0.

Packets refused (too many fragments)

RX bytes The number of bytes processed by packet processor CPUs. This value can be monitored to observe trends.

12.1.11. TCPv4

Table 12.11.

Value Recommended range Monitoring

Fragment allocation failures 0 Trap

Packet allocation failures 0 Trap

Old bytes N/A Monitor

Fragment allocation failures The number of times PacketLogic failed to allocate buffer space for a fragment. This can be an indication that the packet pool is being depleted. This should always be 0.

Packet allocation failures The number of times a packet could not be allocated in the internal packet pool. This should be zero (0). If it is not, the packet pool may need to be adjusted.

Old bytes The number of bytes in connections that existed before PacketLogic started analyzing the traffic (that is, PacketLogic has not seen the start of the connections). Such connections will be accounted as Untracked by DRDL. This value can be significant immediately after boot, but should recede after a while (how long depends on the nature of the traffic. If there are many long-lived connections, the value will stay high accordingly).


12.1.12. Ruleset

Table 12.12.

Value Recommended range Monitoring

Too many matching statistics rules 0 Trap

Nodes in BGP-tree > 1000 Trap

Number of added subscribers < 60% of MAX_DYNAMIC_IP_NAMES_ENGINE Monitor

Subscriber allocation failures 0 Trap

Too many matching statistics rules A connection matches too many statistics rules (the limit is defined by the system configuration value MAX_STATISTICS_RULES_PER_CONNECTION), and the connection will not be accounted correctly in all of them. This should be zero (0). If it is not, the ruleset pertaining to statistics should be reviewed or the system configuration value raised.

Nodes in BGP-tree The number of nodes in the current BGP tree (an internal data structure for obtaining AS path information for connections). If BGP is configured and a BGP server is connected, this should generally be above 1000 to indicate comprehensive BGP information is available.

Number of added subscribers The number of named dynamic items (subscribers) that match a rule.

Subscriber allocation failures The number of times a named dynamic item (subscriber) could not be added to the ruleset because the number of existing named dynamic items in the ruleset was already at the limit imposed by MAX_DYNAMIC_IP_NAMES_ENGINE. This means the subscribers that could not be added will not match rules correctly.

12.1.13. Shaping

Table 12.13.

Value Recommended range Monitoring

BROWN per connection drops N/A Monitor

BROWN per host drops N/A Monitor

Host fairness data allocation failures 0 Trap

Object copies < SHAPING_MAX_SPLITTED_OBJECTS Monitor

Queue size N/A Monitor

Shaping object queue full N/A Monitor

Too many dynamic objects 0 Trap

Too many dynamic objects in rule 0 Trap


Too many matching rules 0 Trap

Too many objects in a rule 0 Trap

BROWN per connection drops The number of packet drops performed by the BROWN algorithm to enforce connection fairness. This value can be monitored to observe trends.

BROWN per host drops The number of packet drops performed by the BROWN algorithm to enforce host fairness. This value can be monitored to observe trends.

Host fairness data allocation failures

Object copies The number of object copies that exist in the ruleset. Object copies are the copies that are made when a ShapingObject uses a split. This value can be monitored to observe trends.

Queue size The number of packets enqueued. This value can be monitored to observe trends.

Shaping object queue full The number of times PacketLogic attempts to enqueue a packet when a queue is full. This results in the packet being dropped. This value can be monitored to observe trends.

Too many dynamic objects The number of failed attempts to create a dynamic object. This should always be zero (0). If it is not, the system configuration value SHAPING_SPLITTED_OBJECTS must be raised or rule matching may become less accurate.

Too many dynamic objects in rule The number of failed attempts to add a dynamic object to a rule condition. This should always be zero (0). If it is not, the system configuration value SHAPING_MAX_HOSTS_PER_RULE should be raised, or rule matching may become less accurate.

Too many matching rules The number of times a connection has matched more rules than allowed by the limit defined by the system configuration value SHAPING_MAX_RULES_PER_CONNECTION. This should always be zero (0). If it is not, the configuration value should be raised or rule matching may become less accurate.

Too many objects in a rule The number of times a rule has contained too many objects. This should always be zero (0). If it is not, contact Procera Networks technical support.

12.1.14. Shaping counter

Table 12.14.

Value Recommended range Monitoring

Active counters > 0 Trap


Updates received > 0 Trap

Updates crossing granularity boundary received > 0 Trap

Active counters The number of counters that exist.

Updates received The number of counter updates received from the engine(s).

Updates crossing granularity boundary received The number of counter updates received from the engine(s) that exceed the limit set by SHAPING_COUNTERS_GRANULARITY_SHIFT. These updates will be sent to clients who have requested counter updates.

12.2. Configuring an SNMP Management Station

This section describes the configuration needed to use SNMP with PacketLogic on a management station using the net-snmp tool package on Linux. For information on net-snmp, see http://net-snmp.sourceforge.net/. This section does not cover installation of net-snmp.

12.2.1. Installing the PacketLogic MIB

PacketLogic supports the standard SNMPv2-MIB and a proprietary MIB named PACKETLOGIC-MIB. The SNMPv2-MIB is included in the installation of net-snmp. The PACKETLOGIC-MIB must be installed onto the management station. The PACKETLOGIC-MIB is available for download from the PacketLogic using the File Manager in the client (see Figure 12.1, “Downloading the PACKETLOGIC-MIB”).

Figure 12.1. Downloading the PACKETLOGIC-MIB

Download the file to a location in the file system where net-snmp stores MIB files (for example /usr/local/share/snmp/mibs/). This will enable the use of the text strings for the OIDs available in the PACKETLOGIC-MIB.

12.2.2. Example: Polling a Value Using snmpget

To retrieve the value for channelActive.1 (whether channel 1 is active), using SNMP v2c, from a PacketLogic with IP address 10.1.2.3 and a configured community string of "community", run the following command on the management station:


user@management_station:~$ snmpget -v 2c -c community 10.1.2.3 PACKETLOGIC-MIB::channelActive.1

This shows the following output:

PACKETLOGIC-MIB::channelActive.1 = INTEGER: active(1)

This shows that the channel is active.

For v3, assuming that a user with name "user" and authentication key "authkey" is configured in the PacketLogic SNMP configuration, use the following command:

user@management_station:~$ snmpget -v 3 -u user -A authkey -l authNoPriv 10.1.2.3 PACKETLOGIC-MIB::channelActive.1

This shows the following output:

PACKETLOGIC-MIB::channelActive.1 = INTEGER: active(1)

12.2.3. Example: Polling a Set of Values Using snmpwalk

To retrieve all values under connectionCreateAttemptsInbound, using SNMP v2c, from a PacketLogic with IP address 10.1.2.3 and a configured community string of "community", run the following command on the management station:

user@management_station:~$ snmpwalk -v 2c -c community 10.1.2.3 PACKETLOGIC-MIB::connectionCreateAttemptsInbound

This shows the following output:

PACKETLOGIC-MIB::connectionCreateAttemptsInboundVal.0 = Counter64: 0
PACKETLOGIC-MIB::connectionCreateAttemptsInboundMom.0 = Gauge32: 0
PACKETLOGIC-MIB::connectionCreateAttemptsInboundMax.0 = Gauge32: 0

For v3, assuming that a user with name "user" and authentication key "authkey" is configured in the PacketLogic SNMP configuration, use the following command:

user@management_station:~$ snmpwalk -v 3 -u user -A authkey -l authNoPriv 10.1.2.3 PACKETLOGIC-MIB::connectionCreateAttemptsInbound


This shows the following output:

PACKETLOGIC-MIB::connectionCreateAttemptsInboundVal.0 = Counter64: 0
PACKETLOGIC-MIB::connectionCreateAttemptsInboundMom.0 = Gauge32: 0
PACKETLOGIC-MIB::connectionCreateAttemptsInboundMax.0 = Gauge32: 0

12.2.4. Setting up a Trap Server

Ensure that the management station is configured as a trap server in the PacketLogic SNMP configuration. For SNMP v2c, no further configuration is necessary, and a trap server displaying traps received on standard error can be started using the following command (note that running the trap server snmptrapd in default mode normally requires root privileges on the management station):

management_station:/home/user# snmptrapd -f -C -Le -m SNMPv2-MIB:PACKETLOGIC-MIB

2008-09-03 10:10:58 NET-SNMP version 5.2.5 Started.

To receive traps using SNMP v3, a user must be created matching a user in the PacketLogic SNMP configuration. If a user with user name "user" and authentication key "authkey" is configured on PacketLogic, create a file with the following contents:

createUser user MD5 authkey

To start the trap server using the configuration above (assuming the file was named snmptrapd.conf and placed in the /tmp directory), use the following command:

management_station:/home/user# snmptrapd -f -C -c /tmp/snmptrapd.conf -Le -m SNMPv2-MIB:PACKETLOGIC-MIB

This shows the following output:

2008-09-03 10:10:58 NET-SNMP version 5.2.5 Started.

When a trap is received, the following is displayed:

2008-09-03 10:23:07 pl.your.net [UDP: [10.1.2.4]->[10.1.2.3]:43006]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (1220429500) 141 days, 6:04:55.00 SNMPv2-MIB::snmpTrapOID.0 = OID: PACKETLOGIC-MIB::pl2TrapSystemStatsAlert PACKETLOGIC-MIB::pl2TrapThreshold = Gauge32: 5 PACKETLOGIC-MIB::pl2TrapValue = Gauge32: 7 PACKETLOGIC-MIB::pl2TrapOid = OID: PACKETLOGIC-MIB::generalClientsVal.0

The example above shows a trap generated because the value generalClientsVal (the number of currently connected clients) had the value 7 and an alert limit configured to 5.

For further processing of SNMP traps, refer to the documentation for the SNMP management station software used.
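A management station normally does more with these lines than display them. As an added example (not part of the guide or of net-snmp), the following Python parses the net-snmp output formats shown above, the "MIB::name = TYPE: value" bindings printed by snmpget/snmpwalk and the one-line trap record printed by snmptrapd, into values a monitoring script can compare with the configured alert limit. The sample input embedded in it is copied from the output shown above; the header layout assumed for the snmptrapd line ("date time agent [transport]: bindings") is the one that output shows.

```python
import re

# Sample input for this example, copied from the snmpwalk and snmptrapd
# output shown in the guide (the wrapped trap line joined back into one line).
SAMPLE_WALK = """\
PACKETLOGIC-MIB::connectionCreateAttemptsInboundVal.0 = Counter64: 0
PACKETLOGIC-MIB::connectionCreateAttemptsInboundMom.0 = Gauge32: 0
PACKETLOGIC-MIB::connectionCreateAttemptsInboundMax.0 = Gauge32: 0
"""
SAMPLE_TRAP = (
    "2008-09-03 10:23:07 pl.your.net [UDP: [10.1.2.4]->[10.1.2.3]:43006]: "
    "SNMPv2-MIB::sysUpTime.0 = Timeticks: (1220429500) 141 days, 6:04:55.00 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: PACKETLOGIC-MIB::pl2TrapSystemStatsAlert "
    "PACKETLOGIC-MIB::pl2TrapThreshold = Gauge32: 5 "
    "PACKETLOGIC-MIB::pl2TrapValue = Gauge32: 7 "
    "PACKETLOGIC-MIB::pl2TrapOid = OID: PACKETLOGIC-MIB::generalClientsVal.0"
)

# net-snmp prints every variable binding as "MIB::name[.index] = TYPE: value".
_VARBIND = re.compile(
    r"^(?P<mib>[A-Za-z0-9-]+)::(?P<name>[A-Za-z0-9]+)(?:\.(?P<index>\d+))?"
    r"\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$"
)
# A trap line carries several bindings separated by whitespace.  Split in
# front of each "MIB::name = ..." so that OID-typed values, which also contain
# "MIB::", stay attached to their binding.
_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9-]+::\S+\s*=\s)")
_TRAP_HEAD = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<agent>\S+) \[(?P<transport>.*?)\]: (?P<rest>.*)$"
)
_ENUM = re.compile(r"^[A-Za-z0-9_]+\((?P<num>-?\d+)\)$")   # INTEGER: active(1)
_TICKS = re.compile(r"^\((?P<ticks>\d+)\)")                # Timeticks: (123) ...


def parse_value(typ, raw):
    """Convert the textual value according to its SNMP type."""
    if typ in ("Counter64", "Counter32", "Gauge32", "Unsigned32"):
        return int(raw)
    if typ == "INTEGER":
        m = _ENUM.match(raw)                 # enumerated label, keep the number
        return int(m.group("num")) if m else int(raw)
    if typ == "Timeticks":
        m = _TICKS.match(raw)                # raw tick count in parentheses
        return int(m.group("ticks")) if m else raw
    return raw                               # OID, STRING, ... stay as text


def parse_varbind(text):
    """Parse one "MIB::name.index = TYPE: value" binding into a dict."""
    m = _VARBIND.match(text.strip())
    if not m:
        raise ValueError("not a net-snmp variable binding: %r" % text)
    oid = "%s::%s" % (m.group("mib"), m.group("name"))
    if m.group("index") is not None:
        oid += "." + m.group("index")
    return {"oid": oid, "type": m.group("type"),
            "value": parse_value(m.group("type"), m.group("value"))}


def parse_walk(text):
    """Turn snmpget/snmpwalk output into {oid: value}."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            vb = parse_varbind(line)
            result[vb["oid"]] = vb["value"]
    return result


def parse_trap(line):
    """Summarise one snmptrapd line: sender, trap OID and, for a PacketLogic
    pl2TrapSystemStatsAlert, the monitored OID with its limit and value."""
    m = _TRAP_HEAD.match(line.strip())
    if not m:
        raise ValueError("not an snmptrapd line: %r" % line)
    values = {}
    for part in _SPLIT.split(m.group("rest")):
        vb = parse_varbind(part)
        values[vb["oid"]] = vb["value"]
    src = re.search(r"\[([0-9.]+)\]->", m.group("transport"))
    return {
        "agent": m.group("agent"),
        "source": src.group(1) if src else None,
        "uptime_ticks": values.get("SNMPv2-MIB::sysUpTime.0"),
        "trap": values.get("SNMPv2-MIB::snmpTrapOID.0"),
        "monitored_oid": values.get("PACKETLOGIC-MIB::pl2TrapOid"),
        "threshold": values.get("PACKETLOGIC-MIB::pl2TrapThreshold"),
        "value": values.get("PACKETLOGIC-MIB::pl2TrapValue"),
    }


def exceeds_limit(summary):
    """True when the reported value is above the configured alert limit
    (7 against a limit of 5 in the guide's example)."""
    return (summary["threshold"] is not None and summary["value"] is not None
            and summary["value"] > summary["threshold"])


if __name__ == "__main__":
    print(parse_walk(SAMPLE_WALK))
    summary = parse_trap(SAMPLE_TRAP)
    print(summary)
    print("alert" if exceeds_limit(summary) else "within limit")
```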

12.3. Built-In SNMP Traps

There is a set of SNMP traps that the PacketLogic system will issue without having an alert limit set. These are:

Disk usage When the system disk (pl2) reaches 80% usage or any of the data or statistics partitions reach 90% usage, an mteTriggerFired from the DISMAN-EVENT-MIB is sent.

Example (pl2 exceeding 80%):

DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:00:06.03
SNMPv2-MIB::snmpTrapOID.0 DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0
DISMAN-EVENT-MIB::mteHotContextName.0
DISMAN-EVENT-MIB::mteHotOID.0 UCD-SNMP-MIB::dskErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 1
UCD-SNMP-MIB::dskPath.1 /pl2
UCD-SNMP-MIB::dskErrorMsg.1 /pl2: less than 20% free (= 81%)


Chapter 13. Triggers

This section describes triggers and their use.

13.1. Introduction

Triggers are Python scripts executed when certain user-defined criteria are met. These Python programs can be designed to perform highly customizable actions, such as:

• Add a host meeting certain criteria to a NetObject, so that it complies with the rules for that NetObject.

• Send email to an administrator when events requiring attention take place.

The scripts can be created and edited on any computer. It is not necessary to have Python or the PacketLogic Python API installed, since PacketLogic itself executes the trigger scripts when they are set off (although it is an advantage, in order to test that the script parts work).

13.2. Host Triggers

Host trigger criteria are defined in the Host Trigger Editor in the client (see Section 8.10.3, “Host Trigger Editor”). The selected trigger will execute each time an entity exceeds the configured values. A limit of 0 for a criterion (equivalent to not adding that criterion in the Host Trigger Editor) disables that criterion. Setting all limits to 0 (equivalent to not adding any conditions in the Host Trigger Editor) is a special case which creates a trigger for the existence of an entity (see Section 13.2.2, “The "Exist" Trigger”).

Note: For an entity to set off a host trigger, it must be or exist in a visible NetObject. NetObjects are set as visible in the Objects & Rules editor in the PacketLogic client (see Section 8.10.1, “Objects & Rules Editor”). The exception is hosts in the Ungrouped NetObject, which automatically contains all hosts not included in any other NetObject. The Ungrouped NetObject is always implicitly visible.

The criteria available to set for a host trigger to be set off are:

• Traffic speed, in- or outbound

• Number of connections per second, in- or outbound

• Number of concurrent connections

• Number of unestablished connections

• Number of seen TTL values (see Section 4.2.5, “TTL/Hop Limit Tracking”)

Note: This limit type does not work with trigger types NetObject or NetObject Child (see Section 13.2.1, “Host Trigger Types”), as the value cannot be aggregated. A limit on the number of seen TTL values on NetObject or NetObject Child triggers is ignored.

• Quality of Experience values (see Section 4.2.9, “Quality Measurement Algorithm”)

Note: While all other limits set the trigger off when the value is above the set limit, QoE limits set the trigger off when the value is below the set limit.

13.2.1. Host Trigger Types

The entity whose values are compared to trigger limits is defined by the trigger type:

Host The trigger executes for any host for which all configured conditions are true.


Host in NetObject The trigger executes for any host in the designated NetObject for which all configured conditions are true.

NetObject The trigger executes if the aggregated values for the designated NetObject fulfill all configured conditions.

Note: This trigger type does not work with limits on the number of seen TTL values, as those cannot be aggregated. A limit on the number of seen TTL values on a trigger of this type is ignored.

NetObject Child The trigger executes for the aggregated values in any child object of the designated NetObject.

Note: This trigger type does not work with limits on the number of seen TTL values, as those cannot be aggregated. A limit on the number of seen TTL values on a trigger of this type is ignored.

13.2.2. The "Exist" Trigger

Setting all conditions to zero (equivalent of not adding any conditions in the Host Trigger Editor in the PacketLogic client) is a special case which creates a trigger that will be set off when a host exists. If the trigger type specifies a NetObject, the trigger is set off if a host exists in that NetObject.

13.3. Filtering Triggers

Filtering trigger criteria are defined by the conditions in a filtering rule. If a trigger is selected in the definition of a filtering rule, the trigger will be set off each time a connection matches the rule.

13.4. System Diagnostics Triggers

System diagnostics triggers are executed when a system diagnostics alert is set off, and a system diagnostics trigger is selected for the alert limit.

13.5. Connection Protection Triggers

Connection protection triggers are executed when connection protection is enabled. For details on connection protection, see Section 4.8.2, “Connection Protection”.

13.6. Using, Adding and Modifying Triggers

Examples of trigger scripts are included with PacketLogic. These are found in the File Manager (see Section 8.10.6, “File Manager”) in the client, in the folders Host Trigger Files, Filtering Trigger Files, System Diagnostics Triggers, and Connection Protection Trigger Files. As soon as a Python script is uploaded to those folders, it is made available in the selection list for the relevant triggers. This allows creating and modifying triggers easily.

13.6.1. Example: Using a Trigger

1. Connect to the PacketLogic system using the client.

2. Open the Objects & Rules Editor.

3. Add a PropertyObject with Server Hostname www.google.com.

4. Add a Filtering rule with the PropertyObject created above as a PropertyObject condition. In the Advanced Options of the rule, select the fwtrigger_print_to_log trigger.


5. Check the filtering ruleset. If there are filtering rules that may match before this rule and have the Quick attribute, move this rule to the top of the list and enable the Quick attribute. Save the ruleset.

6. Open a web browser and enter the address www.google.com (this assumes that traffic from the local host passes through the PacketLogic).

7. In the Objects & Rules editor, disable or delete the rule created, and save the ruleset (this is to prevent this test from generating too many log entries).

8. Open the Log Viewer and click the Python Programs log. There should be entries similar to the following:

Connection triggered: 10.1.2.3:1040<->208.42.75.168:80

13.6.2. Example: Modifying an Existing Trigger

1. Connect to the PacketLogic system using the client

2. Open the File Manager

3. Select the folder Filtering Trigger Files

4. Select the file fwtrigger_add_to_netobject.py

5. Click the Download button, and select a place on the local file system to download the file to.

6. Open the file, using any text editor. The contents of the file are as follows:

"""Adds the client_ip to OBJECTNAME

Shows how to use self.pldb.object_get to retrieve the id of a NetObject.
"""

OBJECTNAME = "/NetObjects/Trigger/Add To NetObject"


class Trigger(FirewallTrigger):
    def trigger(self):
        # Look up the NetObject by its ruleset path; None means it does not exist
        obj = self.pldb.object_get(OBJECTNAME)
        if obj is None:
            print("Couldn't find object '%s'" % OBJECTNAME)
            return
        # Add the client address of the matching connection as a dynamic item
        self.pld.dyn_add(obj.id, self.client_ip)

The first few lines, enclosed in triple quotes, are comment text describing the trigger. After this, the actual code starts with the definition of the variable OBJECTNAME. This variable is the path of the NetObject to which the IP of the host setting off the trigger is added. Change this to "/NetObjects/Trigger Test". Save the file, giving it a new name, such as trigger_test.py (the file can actually be saved with the same name, but uploading it will then replace the default script, which is not recommended when testing functionality).

7. In the File Manager, select the folder Filtering Trigger Files and click the Upload button. Select the file trigger_test.py that was saved in the step above. PacketLogic will confirm that the file is uploaded.

8. Close the File Manager and open the Objects & Rules Editor.

9. Create the NetObject "Trigger Test".


10. Add a NetObject with the IP address of the local host (this assumes that the traffic from the local host passes through PacketLogic).

11. Add a Filtering rule with the NetObject containing the local host IP as a Host NetObject condition. In the Advanced Options of the rule, select the trigger_test trigger, which is now available in the drop-down list.

12. Add a Shaping Rule with an unlimited Shaping Object, using the Trigger Test NetObject as a Host NetObject condition. Be sure to create a new Shaping Object for this.

13. Check the filtering ruleset. If there are filtering rules that may match before this rule and have the Quick attribute, move this rule to the top of the list and enable the Quick attribute. Save the ruleset. The IP of the host from which this was done will be added as a dynamic item in the NetObject Trigger Test as soon as PacketLogic detects a connection from it (this will not be visible in the client, since dynamic items are not shown there). Any output from the script will be in the Python Programs log in the Log Viewer.

14. Check the Shaping Objects view, while continuing to generate network traffic from the local host. The Shaping Object created for the Shaping Rule above should now show connections matching, since the local host has been added to the Trigger Test NetObject, which is the only criterion of the Shaping Rule.

15. Disable or delete the created rules and objects and save the ruleset.

13.7. Trigger Definitions

The trigger scripts have a simple set of required items:

• They must contain a class definition called Trigger, which is a subclass of and inherits from one of the base classes HostTrigger, FirewallTrigger, SysdiagTrigger, or ConnProtTrigger.

• The Trigger class must have a method defined, named trigger, called with the object itself. The trigger method is executed when the trigger conditions are met (for a filtering trigger, this is when the filtering rule conditions are met. For a host trigger, this is when the limits set in the Host Trigger Editor are exceeded. For a system diagnostics trigger, this is when the alert limit is passed).

• The Host Triggers may also have a method called reset, also called with the object itself. This method is executed when the values specified in the Host Trigger Editor decrease to below the set thresholds.

13.7.1. Trigger Attributes

There are several attributes available in the triggers. These can be accessed using self.attribute_name, where attribute_name is one of the following (note that some attributes are available only in either the FirewallTrigger or HostTrigger base class):

• pld, a scaled-down version of the PLD class for connecting and communicating with packetlogicd, the realtime part of PacketLogic. The full PLD class can be found in the pld package of the PacketLogic Python API. From the pld attribute in the trigger, the following methods are available:

• dyn_add(self, object_ID, IP_address) - Adds the IP address as a dynamic item to the NetObject specified by the object ID (integer).

• dyn_remove(self, object_ID, IP_address) - Removes the dynamic item with the given IP address from the NetObject specified by the object ID (integer).

The object ID parameter used in the dyn_add and dyn_remove methods above is the numerical ID of the NetObject. This can be retrieved using the pldb.object_get method described below.

• pldb, a scaled-down version of the Ruleset resource. The full Ruleset resource can be found in the pldb package of the PacketLogic Python API. From the pldb resource in the trigger, the following method is available:

Page 221: Packetlogic Product Guide 14-1-1.3

Triggers

207

• object_get(name) - Returns an object from the ruleset hierarchy, specified by the path (string). Example: "/NetObjects/Corporate". If the specified object is not found, the method returns None.

The object is returned with this command, so it is usually assigned to a variable, as below:

obj = self.pldb.object_get("/NetObjects/Corporate")

This returns an object from the ruleset in the variable obj. Ruleset objects have the following attributes available:

• obj.id - The numerical ID of the object

• obj.fullpath - The full path of the object, including the name (for example, "/NetObjects/Corporate")

• obj.name - The name of the object, excluding the path (for example, "Corporate")

13.7.1.1. Filtering Trigger Attributes

Connection, in this context, is the connection that matches the filtering rule that sets off the trigger. Client and server are as defined by the connection definition used in PacketLogic (see Section 4.4.10, “Client/Server versus Source/Destination” for details).

• server_ip - The IP address of the server in the connection.

• client_ip - The IP address of the client in the connection.

• server_port - The port number of the server in the connection.

• client_port - The port number of the client in the connection.

• protocol - The IP protocol number of the protocol used in the connection (for example, 6 for TCP or 17 for UDP).

• flags - The full bitmask containing the flags for the connection. Some commonly used flags have separate attributes for convenience (see below).

• client_is_local - Boolean stating whether the flag Client is local is set for the connection.

• server_is_local - Boolean stating whether the flag Server is local is set for the connection.

• untracked - Boolean stating whether the flag Untracked is set for the connection.

• flowsync - Boolean stating whether the flag Flowsynced is set for the connection.

• established - Boolean stating whether the flag Established is set for the connection.

For details on the connection flags, see Section 4.7.1.12, “FlagObjects”.

13.7.1.2. Host Trigger Attributes

These attributes are the values for the host that sets off the host trigger. Forwarded data and forwarded speed are the values after PacketLogic has applied its rules. All attributes except connprot and ip are returned in a tuple, where the first value is for established connections and the second for unestablished traffic.

• bytes - Total transferred data for the host, in bytes.

This is reset when the host has not had any connections for five seconds.

• speed - Current transfer speed for the host.


• bytes_fwd - Forwarded transferred data for the host, in bytes.

• speed_fwd - Forwarded transfer speed for the host.

• connections - Number of concurrent connections for the host.

• cps - Number of connections per second generated for the host.

• connprot - Whether connection protection is active for the host (boolean).

• ip - IP address of the host.

13.7.1.3. Connection Protection Trigger Attributes

These attributes are available to the trigger when it executes:

• name - The name given to the trigger.

• addresses - A list of IP addresses (IPv4 as well as IPv6) that are affected by connection protection.

13.7.2. Debugging Triggers

When writing any non-trivial trigger, it is helpful to watch the log and debugging output it produces. The triggers write their output as well as error messages to the Python log. This can be accessed by connecting to the PacketLogic running the trigger, opening the Log Viewer, and selecting the Python Programs log. Note that this log file contains output and error messages from all executing Python scripts, such as all snoopers and triggers.

To watch the printouts as they are written, however, the console interface is more useful. Connect to the PacketLogic system on port 42002 using SSH. Enter the System Administration -> Logs -> Log Viewer menu. Enter the number corresponding to the python.log file. Press F (capital letter) to follow the file as it is written. This provides a live view of the trigger code output and error messages.

13.7.3. Trigger Code Skeletons

This section provides code skeletons for writing triggers.

13.7.3.1. Filtering Trigger Code Skeleton

class Trigger(FirewallTrigger):
    def trigger(self):
        # Add the code to execute when the trigger is set off.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.

13.7.3.2. Host Trigger Code Skeleton

class Trigger(HostTrigger):
    def trigger(self):
        # Add the code to execute when the trigger is set off.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.

    def reset(self):
        # Add the code to execute when the trigger is reset.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.

13.7.3.3. System Diagnostics Trigger Code Skeleton

class Trigger(SysdiagTrigger):
    def trigger(self):
        # Add the code to execute when the trigger is set off.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.

    def reset(self):
        # Add the code to execute when the trigger is reset.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.

13.7.3.4. Connection Protection Trigger Code Skeleton

class Trigger(ConnProtTrigger):
    def trigger(self):
        # Add the code to execute when the trigger is set off.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.

    def reset(self):
        # Add the code to execute when the trigger is reset.
        pass  # Empty blocks are not permitted. The pass statement can be
              # removed as soon as there is code to execute.
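As an added example, which is not part of this guide and not Procera's code, the filtering and host trigger skeletons above are filled in with the attributes from Section 13.7.1.1 and Section 13.7.1.2: a filtering trigger that adds the local client of the matching connection as a dynamic item to a NetObject, and a host trigger that does the same when the host's limits are exceeded and removes the item again in reset. The base classes, self.pld and self.pldb are replaced by constructed stand-ins that expose only what this section documents, so the triggers can be run and checked outside PacketLogic; the NetObject paths "/NetObjects/Quarantine" and "/NetObjects/RateLimited" and the object IDs are assumptions.

```python
import ipaddress

# Hypothetical NetObject paths; assumed to exist in the ruleset.
QUARANTINE_PATH = "/NetObjects/Quarantine"
RATE_LIMITED_PATH = "/NetObjects/RateLimited"


class RulesetObject:
    """Constructed stand-in for what pldb.object_get returns (id, fullpath, name)."""

    def __init__(self, obj_id, fullpath):
        self.id = obj_id
        self.fullpath = fullpath
        self.name = fullpath.rsplit("/", 1)[-1]


class FakePldb:
    """Constructed stand-in for self.pldb: only object_get, as documented."""

    def __init__(self, objects):
        self._by_path = dict((o.fullpath, o) for o in objects)

    def object_get(self, path):
        return self._by_path.get(path)  # None when the path is not found


class FakePld:
    """Constructed stand-in for self.pld: records dyn_add/dyn_remove calls."""

    def __init__(self):
        self.dynamic = {}  # NetObject ID -> set of dynamic item IP strings

    def dyn_add(self, object_id, ip_address):
        self.dynamic.setdefault(object_id, set()).add(ip_address)

    def dyn_remove(self, object_id, ip_address):
        self.dynamic.get(object_id, set()).discard(ip_address)


class BaseTrigger:
    """Constructed stand-in for FirewallTrigger/HostTrigger: carries pld, pldb
    and the per-event attributes that packetlogicd would otherwise set."""

    def __init__(self, pld, pldb, **attrs):
        self.pld, self.pldb = pld, pldb
        for name, value in attrs.items():
            setattr(self, name, value)


# In PacketLogic each trigger file defines one class named Trigger; the two
# classes carry distinct names here only so that they can share one file.
class QuarantineTrigger(BaseTrigger):  # would be: class Trigger(FirewallTrigger)
    def trigger(self):
        # A remote client would put an outside address in our NetObject, so act
        # only when the connection's "Client is local" flag is set.
        if not self.client_is_local:
            return "ignored"
        obj = self.pldb.object_get(QUARANTINE_PATH)
        if obj is None:
            # object_get returns None for an unknown path; report it instead of
            # raising, since a traceback would only end up in python.log.
            print("quarantine NetObject %s not found" % QUARANTINE_PATH)
            return "missing"
        ip = str(ipaddress.ip_address(self.client_ip))  # validates the address
        self.pld.dyn_add(obj.id, ip)
        print("added %s to %s (id %d): proto %d to %s:%d" % (
            ip, obj.name, obj.id, self.protocol, self.server_ip, self.server_port))
        return "added"


class CpsTrigger(BaseTrigger):  # would be: class Trigger(HostTrigger)
    def trigger(self):
        # Host values are (established, unestablished) tuples; ip is a string.
        obj = self.pldb.object_get(RATE_LIMITED_PATH)
        if obj is None:
            return "missing"
        self.pld.dyn_add(obj.id, self.ip)
        print("%s added to %s at %d cps" % (self.ip, obj.name, sum(self.cps)))
        return "added"

    def reset(self):
        # Runs when the host's values drop below the Host Trigger Editor limits.
        obj = self.pldb.object_get(RATE_LIMITED_PATH)
        if obj is None:
            return "missing"
        self.pld.dyn_remove(obj.id, self.ip)
        return "removed"


def run_scenario():
    """Drive both triggers with constructed events; returns the resulting
    dynamic-item table so the outcome can be checked without PacketLogic."""
    pldb = FakePldb([RulesetObject(17, QUARANTINE_PATH),
                     RulesetObject(23, RATE_LIMITED_PATH)])
    pld = FakePld()
    conn = dict(client_ip="10.1.2.3", server_ip="198.51.100.7", client_port=51234,
                server_port=25, protocol=6, client_is_local=True, server_is_local=False)
    QuarantineTrigger(pld, pldb, **conn).trigger()
    # The same rule hit by a connection whose client is remote: nothing is added.
    remote = dict(conn, client_ip="203.0.113.9", client_is_local=False)
    QuarantineTrigger(pld, pldb, **remote).trigger()
    host = CpsTrigger(pld, pldb, ip="10.1.2.4", cps=(120, 900), connprot=False)
    host.trigger()
    host.reset()
    return pld.dynamic
```

run_scenario() ends with only "10.1.2.3" in the quarantine NetObject: the remote client is ignored, and the rate-limited host is removed again by reset. On a real system the two classes would each be saved as their own trigger named Trigger, with the stand-in classes dropped.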


Appendix A. System Configuration Values

A.1. Introduction

This section describes the system configuration values available in PacketLogic. The system configuration values are viewed and modified in the System Configuration Editor in the PacketLogic client (see Section 8.10.12, “System Configuration Editor”).

The system configuration values are divided into sections according to the function they relate to. Values that are changed from the default are marked in bold, and the sections in which changed values exist are also marked in bold.

For each value, the system configuration shows a brief description, default, minimum, and maximum values, and the current value. A button to reset the value to the default is next to the current setting of the value. Information is shown on when the value was last changed and by whom. The Requires field lists the components that need to be restarted for a change in the value to take effect.

A.1.1. Restart Levels

For each restart, perform the following actions (restart commands are available in the CLI, see Chapter 9, CLI Menu for details):

Restart Engine: On PL10000/PL20000 systems, restart the flow processors using the Reboot chassis components command. On all other systems, use the Reload coreservices command.

Restart PacketLogicd: Use the Restart system command.

Restart PLSD: Use the Restart system command.

Restart LB: Only applicable on PL10000/PL20000 systems. Restart the load balancers using the Reboot chassis components command.

Restart PLDBD: Use the Restart system command.

Specific for PLOS platform: Indicates that the value only applies to non-PL10000/PL20000 traffic management systems (not statistics systems).

Specific for PL10k platform Indicates that the value only applies to PL10000/PL20000 systems.

A.2. BGP

BGP_ALLOW_IBGP_WITH_PREPEND Allow iBGP connection to BGP peer/server. BGP_MYAS will be prepended to each AS path.

BGP_COMMUNITY_ENABLED determines if BGP communities are used.

BGP_ENABLED determines if BGP is enabled on the system (default: false).


BGP_MAX_COMMUNITIES is the maximum number of BGP communities accepted in an update from the BGP server. If this limit is exceeded, the overflowing communities are not used or displayed, and the system diagnostics value BGP/Number of community updates received that exceed PL_CONFIG_BGP_MAX_COMMUNITIES is incremented.

BGP_MYAS is the Autonomous System (AS) number the PacketLogic will use to identify itself in communication with the BGP server (default: 65000).

BGP_PATH_CUTOFF is the number of prefixes PacketLogic will truncate a BGP path to. Zero (0) means that the path is not truncated at all (default: 0).

BGP_SERVER is the IP address of the BGP server from which to retrieve BGP paths (default: 192.168.1.2).

BGP_TCP_MD5_PASSWORD BGP TCP MD5 password (RFC2385)

A.3. Categories

CATEGORIES_URL_TABLE_SIZE Maximum number of URLs, in millions, in the lookup table. A value of 0 disables Categories.

CATEGORIES_URL_UPDATE_INTERVAL Interval, in seconds, between URL updates.

A.4. Connection Handling

CONNECTION_UPDATE_INTERVAL is the interval at which connection information is updated (default: 5 seconds).

CONNPROT_THRESHHOLD is the total number of connections per second that are allowed before connection protection is enabled. Do not combine this with SHUNT_CONNECTION_FAILURES. For a description of connection protection, see Section 4.8.2, “Connection Protection”.

MAX_CONNECTIONS is the maximum number of simultaneously accounted connections. Note that this should be the same on statistics systems as on the PacketLogic from which they retrieve statistics data.

MAX_CONNECTION_HOSTNAMES Maximum number of connection hostnames.

REDIRECT_HDR_DIVISOR Divisor for the fraction of the total number of connections that are allowed to be rewritten as part of NAT. For example, 50 means 1/50th, so 2% of connections can be rewritten.

REWRITE_LOG Log connection rewrites.

SHUNT_CONNECTION_FAILURES determines if new connections that are unable to allocate resources shall be shunted (forwarded directly without being accounted in LiveView or statistics and without being subjected to any rules). Shunted traffic is accounted in the system diagnostics values Shunted bytes (connection create failure) and Shunted packets (connection create failure) in the Connection zone. Do not combine this with connection protection (see Section 4.8.2, “Connection Protection”).

TCPV4_TTL is the time to live, in seconds, for established TCP connections.

TCPV4_TTL_ASYMMETRIC is the time to live, in seconds, for asymmetric connections.

TCPV4_TTL_BEING_ANALYZED is the time to live, in seconds, for connections being analyzed.

TCPV4_TTL_UNTRACKED is the time to live, in seconds, for untracked TCP connections.

TCP_KEEP_RSTD_FLOWS defines whether PacketLogic shall keep a connection in the internal connection table even after it has been reset (a packet with the RST bit has been seen). This can be useful when there are applications that continue to transmit packets after a connection is reset.

TCP_OUTOFSYNC_SEGMENTS_LIMIT Number of TCP segments to buffer before marking a connection as out of sync.

TCP_SEGMENT_TTL TTL in seconds for segmented connections.

TCP_TTL_CLOSED TTL in seconds for closed TCP connections.

TRIGGER_ON_CONNPROT_HOSTS Send triggers when hosts are hitting connection protection.

TTL_TRACKING_CLEAR_ON_DYNCHANGE Clear TTL/Hop Limit tracking when a host is moved to different NetObject(s).

TTL_TRACKING_SERVICE_OBJECT_PATH Service object path for which outgoing TTL/Hop Limit should be tracked.

UDP_TTL TTL in seconds for UDP connections

A.5. Connsync

CONNSYNC_ENABLED determines if flow (connection) synchronization is used (default: false). For information on flow synchronization, see Section 4.2.6, “Flow Synchronization”.

CONNSYNC_UDP_ENABLED Enable flow (connection) synchronization for UDP flows

A.6. DRDL

CONNECTION_PROP_BUFFERS determines the number of temporary buffers available to DRDL. These buffers are used to store values that span multiple packets, while waiting for them to become complete. The usage of these buffers is shown by the value Number of buffer allocation failures in the Drdl zone in System Diagnostics. For a description of System Diagnostics values, see Appendix C, System Diagnostics Values. For an overview of System Diagnostics, see Section 8.7, “System Diagnostics”.

DRDL_ASYMMETRIC_ENABLED determines if DRDL shall make use of signatures for asymmetric service recognition.

DRDL_ENABLED determines if PacketLogic shall use DRDL to classify the service used by connections (default: true).

DRDL_MAX_VS_ARM_SIZE Maximum size for compiled Virtual Services files.

DRDL_SLICE_STATE_STRUCTURES Maximum number of DRDL slice_state structures. Set to 0 for same as MAX_CONNECTIONS.

DRDL_TAINT_STORE_SIZE Size of store used for DRDL port tainting. See Section 4.4.2.5, “Port Tainting”.

DRDL_UCAP_MAXFILES UCAP: Maximum number of files to save with packet captures of unknown connections.

DRDL_UCAP_PKTQUEUES UCAP: Maximum number of current connections to track for connections marked as unknown by DRDL. Set to 0 to turn the feature off.

DRDL_XFB_ENABLED determines if PacketLogic analyzes connections in terms of behaviour (default: true). For information on flow behaviour, see Section 4.7.1.12, “FlagObjects”.

SERVICE_CHILD_POOLSIZE is the number of allowed child connections waiting. Note that child connections are allocated by Least Recently Used (LRU), and that timeouts are also handled with LRU, so a full child pool can be normal.

SERVICE_DNS_POOLSIZE Maximum number of DNS records.

SERVICE_KVSTORE_POOLSIZE Maximum number of DRDL Key-Value store entries.

SERVICE_PROP_POOLSIZE_2048 Maximum number of service property strings of size 2048.

SERVICE_PROP_POOLSIZE_256 is the number of slots reserved in memory for storing service properties larger than 32 bytes.

SERVICE_PROP_POOLSIZE_32 is the number of slots reserved in memory for storing service properties smaller than 32 bytes.

A.7. Debugging

LINKLEVEL_CYCLE_THR is the number of cycles before triggering debug output.

OUTPUT_CONNPROT_HOSTS determines if hosts that hit the connection protection limit are logged to the engine log as 'connprot: Limiting connections from 10.1.2.3' (default: false). For a description of connection protection, see Section 4.8.2, “Connection Protection”.

UNALIGNED_ACCESS defines whether unaligned memory accesses are allowed.


A.8. Divert

DIVERT_HB_MAX_LOST is the maximum number of consecutive heartbeat packets allowed to be lost on a divert channel before that divert channel is disabled.

DIVERT_HB_MS Number of milliseconds between heartbeat packets to the divert channel.

DIVERT_HB_RECOVERY is the number of consecutive heartbeat packets that must pass a divert channel before it is enabled, after start or after being disabled by lost heartbeat packets.

DIVERT_IPV6_ENABLED Enable diverting IPv6 packets. Third party devices might not support IPv6 and may thus not forward them.

DIVERT_L3_TTL_INC is the number to increment the IPv4 TTL by when a packet is sent on the divert channel in L3 mode.

DIVERT_MAX_PROXY_CONNECTIONS Maximum number of simultaneously proxied connections.

DIVERT_NUM_HOSTS is the number of hosts to store connection information for, to use for divert channels.

DIVERT_TTL_TERMINATED Time (seconds) that connections are remembered after being terminated, needed to ensure that packets still in flight on a divert channel are handled correctly when received back.

A.9. Filtering

FW_MAX_LOG is the maximum number of log entries that the filtering log will keep stored. For information on the filtering log, see Section 6.7.1, “Filtering Log View”.

FW_SYSLOG determines if filtering logging is sent to syslog (default: false). For a description, see Section 6.7.2, “Sending the Filtering Log to Syslog”.

A.10. General

PLRC_LIVEVIEW_RX_SIZE Size of the buffer used to send data from PLD to PLRCD.

PLRC_LIVEVIEW_TX_SIZE Size of the buffer used to send data from PLRCD to PLD

SYSDIAG_SNMP_LOCAL_ONLY Only export local system sysdiag values to SNMP.

SYSTEM_NAME is the name of the system as it appears in the System Overview (see Section 8.5, “System Overview”).

A.11. LiveView

HOST_ADD_UNESTABLISHED determines whether hosts with only unestablished connections are added to the internal hosts table. A host being added to the hosts table means it is shown in LiveView under Local Hosts, and that it is accounted on NetObjects it belongs to in statistics. This can be useful if there are a substantial number of unestablished connections that are long-lived (such as unidirectional UDP and multicast). Note that this makes the impact of attacks based on a high number of connection initiations more severe, since hosts are created for all connection initiations.

HOST_NUM_HOSTS is the maximum number of hosts accounted.

HOST_NUM_NETOBJECTS is the maximum number of NetObjects an IP address is visible in simultaneously in the Local Hosts View.

LIVEVIEW_MAX_VIEWS Maximum number of concurrent connection views.

MAX_FULL_VISIBLE_NETOBJECTS is the maximum number of visible NetObjects containing active hosts allowed to exist simultaneously.

MAX_VISIBLE_NETOBJECTS is the maximum number of visible NetObjects allowed to exist simultaneously.

PLD_CLIENT_SEND_RINGBUF_MEGS Size in MB of the ringbuffer in PLD and PLRCD used to transmit data to one non-PLSD client. There is one for each connected and authenticated client.

PLD_REAPER_RINGBUF_MEGS Size in MB of each ringbuffer in PLD used to receive data from a reaper. There is one for each reaper (flow processor).

PLD_REAPER_SEND_RINGBUF_MEGS Size in MB of each ringbuffer in PLD used to transmit data to a reaper. There is one for each reaper (flow processor).

PLRC_REAPER_RINGBUF_MEGS Size in MB of each ringbuffer in PLRCD used to receive data from a reaper. There is one for each reaper (flow processor).

A.12. Low Level Filters

SHUNT_DOT1Q contains a comma-separated list of VLAN IDs to shunt. IDs can be entered as single IDs (100) or ranges (100-200). Note that in case a packet has multiple VLAN IDs (Q-in-Q), the system configuration option QINQ_ILEVEL defines which level of VLAN nesting is used to evaluate the filter.

SHUNT_EOMPLS defines whether Ethernet-over-MPLS (EoMPLS) packets shall be shunted (True/False).

SHUNT_ETHERTYPES contains a comma-separated list of ethertypes to shunt. Ethertypes can be entered as single values (0x0800) or ranges (0x8100-0x9100). If a packet has multiple ethertypes, the filter will evaluate all of them.

SHUNT_IPV4 contains a comma-separated list of IPv4 addresses to shunt. IPv4 addresses can be entered as single addresses (192.168.1.15), network addresses (192.168.2.0/24), or ranges of addresses (192.168.3.100-192.168.3.200).

SHUNT_IPV4_EXTRA1 Extra config line to SHUNT_IPV4


SHUNT_IPV4_EXTRA2 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA3 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA4 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA5 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA6 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA7 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA8 Extra config line to SHUNT_IPV4

SHUNT_IPV4_EXTRA9 Extra config line to SHUNT_IPV4

SHUNT_IPV6 contains a comma-separated list of IPv6 addresses to shunt. IPv6 addresses can be entered as single addresses (1::1), network addresses (2::2/24), or ranges of addresses (3::0-4::ffff).

SHUNT_L4_PROTO contains a comma-separated list of layer 4 protocols to shunt. Protocol numbers can be entered as single values (6) or ranges (17-19).

SHUNT_MONITOR_IFACE can be used to define a different interface to use for packets monitored by the shunting facility than the default monitor port.

SHUNT_MPLS contains a comma-separated list of MPLS labels to shunt. Labels can be entered as single labels (100) or ranges (123-130). Note that in case a packet has multiple MPLS labels, the system configuration option MPLS_ILEVEL defines which level of MPLS label nesting is used to evaluate the filter.
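The list syntax shared by the shunt options above (single value, range, and for the address lists also a network) is worth checking before a change is applied, because whatever matches is forwarded without being accounted or subjected to any rule. The following added example, which is not part of this guide or of PacketLogic, is a small parser and checker for those values: parse_shunt_list takes an option name and its value and reports every malformed entry, is_shunted tells whether a given VLAN ID, ethertype, protocol number, label or address would match, and lint_shunt_config runs over a whole dict of option values. The dispatch on option name and the value limits (4095 for VLAN IDs, 255 for protocol numbers, 20 bits for MPLS labels, 16 bits for ethertypes) are the example's own assumptions; the product's parser may differ in details.

```python
import ipaddress

# Integer-valued shunt lists: option name -> (largest legal value, int() base).
# The limits are this example's assumptions, taken from the field widths.
INT_LISTS = {
    "SHUNT_DOT1Q": (4095, 10),            # 12-bit VLAN ID
    "SHUNT_L4_PROTO": (255, 10),          # IP protocol number
    "SHUNT_MPLS": ((1 << 20) - 1, 10),    # 20-bit MPLS label
    "SHUNT_ETHERTYPES": (0xFFFF, 16),     # written as 0x0800 etc.
}


def _int_entry(text, base, maximum):
    """'100' or '100-200' -> inclusive (low, high); rejects reversed/out-of-range."""
    low, sep, high = text.partition("-")
    low = int(low, base)
    high = int(high, base) if sep else low
    if not 0 <= low <= high <= maximum:
        raise ValueError("outside 0..%d or reversed" % maximum)
    return low, high


def _ip_entry(text, version):
    """Single address, network or 'a-b' range -> inclusive (low, high) ints."""
    if "-" in text:
        first, last = text.split("-", 1)
        addrs = [ipaddress.ip_address(first), ipaddress.ip_address(last)]
    elif "/" in text:
        # The guide's example 2::2/24 has host bits set, so do not insist on a
        # clean network address (strict=False); the whole prefix is shunted.
        net = ipaddress.ip_network(text, strict=False)
        addrs = [net.network_address, net.broadcast_address]
    else:
        addrs = [ipaddress.ip_address(text)] * 2
    if any(a.version != version for a in addrs):
        raise ValueError("not an IPv%d entry" % version)
    if addrs[0] > addrs[1]:
        raise ValueError("reversed range")
    return int(addrs[0]), int(addrs[1])


def parse_shunt_list(option, value):
    """Parse one shunt option's comma-separated value. Returns (ranges, errors):
    ranges holds inclusive (low, high) integer pairs for the entries that parsed,
    errors describes every entry that was rejected, so it can be corrected
    before the list is applied."""
    ranges, errors = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if option in INT_LISTS:
                maximum, base = INT_LISTS[option]
                ranges.append(_int_entry(entry, base, maximum))
            elif option.startswith("SHUNT_IPV4"):  # SHUNT_IPV4 and _EXTRA1..9
                ranges.append(_ip_entry(entry, 4))
            elif option == "SHUNT_IPV6":
                ranges.append(_ip_entry(entry, 6))
            else:
                raise ValueError("unknown shunt option")
        except ValueError as exc:
            errors.append("%s: %r (%s)" % (option, entry, exc))
    return ranges, errors


def is_shunted(ranges, value):
    """True when an integer (VLAN ID, ethertype, protocol, label) or an IP
    address string falls inside any parsed range, i.e. the packet would be
    forwarded without accounting or rule evaluation."""
    key = value if isinstance(value, int) else int(ipaddress.ip_address(value))
    return any(low <= key <= high for low, high in ranges)


def lint_shunt_config(config):
    """Collect the errors from every shunt option in a dict of option -> value."""
    errors = []
    for option, value in sorted(config.items()):
        errors.extend(parse_shunt_list(option, value)[1])
    return errors
```

A reversed range such as 200-100 and a value outside the field width are reported rather than silently parsed as empty, and an IPv4 entry in SHUNT_IPV6 (or the reverse) is rejected, since that is the kind of mistake that leaves traffic either uninspected or unexpectedly inspected.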

A.13. Packet Handling

ALLOW_FWD_ON_INJECT defines whether packets in a connection matching a filtering rule with an Inject action are forwarded.

ALWAYS_FORWARD determines if packets are to be forwarded before the ruleset is loaded (default: true).

E10K_RX_ERROR_TIMEOUT Time duration in milliseconds after TX laser enabling before RX symbol errors are treated as an error.

E1K_BYPASS_ENABLED determines, for systems with Intel E1K PCI-Express Network Interface Cards (NICs), if bypass shall be enabled (default: true).

E1K_LOL_ENABLED determines if Loss of Link is enabled. This only works on Intel PCI-Express fibre (not SFP) NICs (default: false).

ECN_FULL_SHAPING Enable ECN for all shaping objects.

ECN_SUPPORT Enable ECN support (RFC3168) for shaping objects that are split by local host, split by subscriber and split by connection.

FORWARDING_DISABLED If set, no received packets are transmitted. Flowsync, divert and monitor packets are still transmitted.


FORWARD_IPFRAGMENTS_BLINDLY determines if fragmented IP packets shall be forwarded without connection tracking (which requires fragment reassembly) (default: false).

FP_AUTOMATIC_REBOOT determines if a flow processing CPU shall be automatically restarted if it is not functioning properly (default: enabled).

IPV4_EXPOSE_FRAGMENT_VIOLATIONS determines if a log message should be printed in the engine log when a packet is refused due to too many fragments for one IP header. This is also accounted in the system diagnostics value

IPV4_MAX_FRAGMENTS_PER_HEADER is the maximum number of fragments allowed for a single packet. If more fragments than this value are seen for a single IP header, the packet is refused. When this occurs, the system diagnostics value

IPV4_TUNNELING Enable generic IPv4 tunneling support.

IPV6_ICMPV6_GENERATION determines if an ICMPv6 response is sent when an incorrect IPv6 packet is seen. Otherwise the incorrect packet is silently dropped.

IPV6_ICMPV6_GENERATION_PPS IPv6 ICMPv6 packet generation rate (pps/thread).

IPV6_TEREDO Enable Teredo support (RFC4380).

IPV6_TUNNELING Enable generic IPv6 tunneling support (RFC2473).

IP_FRAGMENTS is the number of fragmented IP packets simultaneously possible to defragment.

LB_ACTIVE_FP is the number of flow processors currently used by the load balancer.

LB_BLACKLIST_ENABLED determines if the load balancer in a PL10000/PL20000 system shall use granular blacklisting (see Section 4.4.1.2, “Load Balancer Blacklisting (PL10000/PL20000)”).

LB_BLACKLIST_TIMEOUT determines the timeout before a bucket is removed from the blacklist.

LB_DROP_BLACKLISTED determines if packets belonging to a blacklisted bucket shall be dropped. By default the packets are shunted.

LB_FABRICS_ALLOW Bitmask of switch fabrics that are allowed to be used for heartbeats and traffic towards Flow Processors. Fabric 1 is bit 0 (value 1); Fabric 2 is bit 1 (value 2).

LB_HB_BYPASS_DROP_THRESHOLD is the number of lost consecutive heartbeat packets from the load balancer to a flow processor that will cause the load balancer to disable that flow processor.

LB_HB_GRACE is the number of consecutive heartbeat packets from the load balancer to a flow processor that must pass before a disabled flow processor is re-enabled.


LB_HB_RATE is the rate per second at which heartbeat packets are sent from the load balancer to flow processors.

LB_NUM_FP is the number of flow processors available to load balance over (only applicable in multi-flow processor systems).

LB_REBALANCE_INERTIA defines the threshold before the load on the threads in a flow processing CPU is rebalanced. The value is a percentage of PPS. If the load (in PPS) on any thread exceeds the load of the thread with the lightest load plus the LB_REBALANCE_INERTIA percentage, the load balancer recalculates to distribute the load more evenly.

LOL_RX_ERROR_REACT Allow Loss of Link (Light) propagation to treat RX symbol errors like loss of signal.

MAX_REAPERS is the number of engines (flow processing CPUs) PLD listens to for connection information. For a PL10000/PL20000 system, this should be the total number of FP CPUs (two per module) divided by the number of installed SM modules.

MPLS_CONTROL_WORD_PRESENT Defines if MPLS traffic contains a four byte control word. If enabled, all MPLS traffic is assumed to contain the control word, which is skipped when reading the enclosed packet.

PACKET_ACCOUNTING_MODE_L3 Ignore size of L2 header when accounting packet length in layer 3+.

PACKET_INSPECT_MTU is the maximum size (in bytes) of packets that will be inspected. Packets larger than this value will be directly forwarded, not included in LiveView data or statistics, and not affected by any rules. For non-PL10000/PL20000 systems this value is rounded up to the nearest kilobyte due to a platform limitation. Also note that there is a platform-dependent limitation on how large packets can be received on a channel interface. Packets larger than that are dropped.

PACKET_POOL_SIZE is the size of the packet pool internally in PacketLogic.

PACKET_RESERVE is the number of reserved packets for interface drivers.

PBUF_PAGES is the number of 256MB memory segments to allocate for packet buffers on PL10000/PL20000 systems.

PLOS_BALANCER_QUEUE_LENGTH Maximum number of packets that each CPU can have enqueued for processing from load balancing (only valid on appliances).

PLOS_BALANCER_USE_5TUPLE Enable load balancing based on a hash of the connection 5-tuple (best for inspected tunnels) instead of the internal IP address (best for split by subscriber provisioning).

PLOS_OLPROT_BACKOFF_ENABLED Enable overload protection backoff. If enabled, PLOS will try to re-enable packet processing after a minimum of PLOS_OLPROT_CHECK_INTERVAL seconds has passed.

PLOS_OLPROT_CHECK_INTERVAL How often (in seconds) PLOS should check for overload. Setting this to 0 will disable overload protection.

PLOS_OLPROT_THRESHOLD is the number of linklevel RX drops per 1000 packets that are allowed before triggering PLOS overload protection. This also assumes that PLOS_OLPROT_ENABLED is set to True (default: 5). This is only applicable for systems running PLOS.

TCPV4_SEGMENT_FACTOR Number of TCP segment headers allocated, multiplied by MAX_CONNECTIONS.

TUNNELING_ACCOUNT_HEADERS Include header size of lower level tunnels when accounting packet length inside tunnels.

TUNNELING_GRE_SUPPORT Enable GRE tunneling support

TUNNELING_GTP_C_PORT Destination port for GTP-C traffic

TUNNELING_GTP_SUPPORT Enable GTP tunneling support

TUNNELING_GTP_U_PORT Destination port for GTP-U traffic

TUNNELING_L2TP_PORT L2TP port

TUNNELING_L2TP_SUPPORT Enable L2TP tunneling support

TUNNELING_MAX_LEVEL Maximum number of tunnel levels to go through

TUNNELING_SUB_LEVEL The tunnel level subscribers are expected at

TUNNEL_CTXS Number of simultaneous tunnel contexts

A.14. Queue Sync

EXT_QUEUESYNC_ENABLED determines if external Queue Synchronization is to be enabled or disabled. Set this to True to enable queue synchronization with other PacketLogic systems. For information on Queue Synchronization, see Section 5.6.2, “Queue Synchronization”.

EXT_QUEUESYNC_IFACE defines the interface name to use for external Queue Synchronization. Enter eth0 to use Admin, or eth1 to use Aux. For information on Queue Synchronization, see Section 5.6.2, “Queue Synchronization”.

EXT_QUEUESYNC_REMOVE_TIME Remove timeout time, in ms, before a QSync peer is removed from the peer table and sysdiag values. Default is two weeks.


EXT_QUEUESYNC_SEND_BUFFER_MEGS is the size of the send buffer for external Queue Synchronization.

EXT_QUEUESYNC_STATUS_INTERVAL Status packet send interval in ms.

EXT_QUEUESYNC_TIMEOUT_TIME Timeout time, in ms, before a QSync peer is marked as timed out.

EXT_QUEUESYNC_USE_NAME determines whether queue sync identifies the ShapingObjects to synchronize by name or by database ID. If this is False, meaning the objects are identified by ID, the systems between which objects are synchronized must share the Objects & Rules resource by means of proxy. If this is True, it is sufficient that the objects are named identically on the different systems.

QUEUESYNC_AIMD_THRESHOLD controls the inertia for increasing available bandwidth in queue sync. A larger number means a quicker increase in synced available bandwidth. Set to 0 to disable (default: 0). For more information, see Section 5.6.2.1, “Tuning the Queue Synchronization Algorithm”.

A.15. Ruleset

DYNAMIC_IPS_INMEMORY Keep dynamic NetObject items in memory only.

MAX_DYNAMIC_IPS is the maximum number of unique IP addresses used as items in dynamic NetObjects.

MAX_DYNAMIC_IPS_ENGINE_PERCENTAGE is the maximum portion of dynamic IP addresses that are used in rules. A setting higher than 100% is needed if dynamic IP addresses are to be used in more than one condition type (client/server/local NetObject).

MAX_DYNAMIC_IP_NAMES is the maximum number of unique names used for named dynamic items (also known as dynamic NetObjects or subscribers). If this value is set to zero (0), the limit is defined by the value of MAX_DYNAMIC_IPS.

MAX_DYNAMIC_IP_NAMES_ENGINE is the maximum number of unique names used for named dynamic items (also known as dynamic NetObjects or subscribers) in the engine. If this value is set to zero (0), the limit is defined by the value of MAX_DYNAMIC_IP_NAMES.

MAX_DYNAMIC_NATCFG_ENGINE Maximum number of dynamic NAT configs added for Dynamic NetObject in the engine (0 means dynamic NAT config is disabled).

MAX_DYNAMIC_RULES_PER_NO determines how many rules a NetObject containing dynamic items can match. This includes all types of rules. Also note that rules not using a NetObject condition will affect how rules are counted towards this limit. As a rule of thumb, this value can be set to 2 * (number of rules that match on dynamic items) * 2 (if they are host NetObject conditions) + (2 * number of other rules / 30) due to how the limit is calculated.

MPLS_ILEVEL is the level of MPLS label nesting that the ruleset will iterate over when matching MPLSObjects and when defining MPLS shunt ranges with SHUNT_MPLS.

QINQ_ILEVEL is the level of VLAN ID nesting the ruleset will traverse to select the ID to match to and when defining VLAN shunt ranges with SHUNT_DOT1Q. Level 0 means use the outermost ID, level 1 means the one inside the outermost, and so on. If a packet has fewer VLAN IDs than this value, the corresponding connection will be considered as having a VLAN ID of 0 (zero) (default: 0).

RESET_PPPOE_CONNECTIONS determines if PPPoE connections are reset (default: false).

RULESET_BGP_ALWAYS_REHASH determines if the ruleset is re-evaluated every time a BGP table update is received from the BGP server (default: true).

RULESET_DIVERT_ON_FIRST_ONLY Prevent starting to divert packets after the first packet in a connection. Ruleset reloads may still cause divert changes mid-connection.

RULESET_DYNIP_ALWAYS_REHASH determines if the ruleset is re-evaluated every time dynamic IPs are added or removed (default: true).

RULESET_FILTER_NEW_BEHAVIOUR Enable allowing multiple filtering rules to apply (see Section 6.2.1, “Allowing Multiple Filtering Rules to Apply”).

RULESET_PROPOBJECT_MAX_COMPLEXITY determines the maximum complexity allowed in PropertyObjects (default: 5000). For information on PropertyObjects, see Section 4.7.1.11, “PropertyObjects”.

RULESET_REWRITE_ON_FIRST_ONLY determines if packet rewriting shall be allowed only on the first packet in a connection, to avoid unwanted behavior by rewriting packets in the middle of a connection.

RULESET_URL_TABLE_SIZE Maximum number of URLs, in millions, in the lookup table.

A.16. Shaping

PRIO_EMPTY_ACK determines if TCP ACK packets with no data in the packet are prioritized. This means that for traffic matching a rule assigning priority X, the empty TCP ACK packets in those flows will get priority X-1. This is generally a good idea to prevent a link congested in one direction from slowing down the other direction as well (default: true). This should not be used in conjunction with SHAPING_PRIO0_FASTLANE.

PRIO_RETRANSMISSION determines if retransmissions (as determined by TCP sequencing) shall be prioritized.

SHAPING_BLUE_HOLD_TIME Blue hold time in ms

SHAPING_COUNTERS_GRANULARITY_SHIFT determines how much traffic shall be counted in a ShapingObject with a byte counter enabled before sending an update to the VBS controller. This is expressed as a shift value, equivalent of a power of 2. The default value is 18, giving a granularity threshold of 256kB (2^18). For details, see Section 5.5, “Shaping Counters”.

SHAPING_COUNTERS_MAX is the maximum number of shaping counters (ShapingObjects with byte counter enabled) that may exist simultaneously.

SHAPING_COUNTERS_SUBSCRIBER_SEND_ALL Send all counters for a subscriber when one of its counters crosses a granularity boundary.

SHAPING_DSCP_MAP DSCP values used for marking. Example: 10,12 will mark packets sent without borrowing with 10, packets that borrow from the second object will be marked 12. DSCP values are between 0 and 63, 255 means keep existing DSCP

SHAPING_DSCP_MARKING DSCP marking support

SHAPING_HOSTFAIRNESS_IPV6_PREFIX_LEN Prefix length used for IPv6 host fairness

SHAPING_MAX_RULES is the maximum number of shaping rules, including virtual rules created by using 'Split by NetObject'.

SHAPING_MAX_RULES_PER_CONNECTION is the maximum number of shaping rules allowed to apply to one connection.

SHAPING_MAX_SPLITTED_OBJECTS determines the maximum number of objects created by using Split By Local Host, Subscriber, or Connection in a ShapingObject.

SHAPING_OBJECTS_PER_CONN determines the maximum number of ShapingObjects any one connection may exist in.

SHAPING_OR_BORROWING determines how packets are accounted when borrowing is used. If this is False, only the object that dequeues a packet accounts it. If this is True, all objects that enqueue the packet (that is, all objects in a rule) also account the packet. Setting this to True facilitates setting up shaping policies for minimum guaranteed/maximum allowed bandwidth.

SHAPING_PRIO0_FASTLANE enables the priority 0 fast lane feature in Traffic Shaping. For details, see Section 5.2.2.1, “Priority 0 Fast Lane”. This should not be used in conjunction with PRIO_EMPTY_ACK.

SHAPING_QUEUE_FACTOR determines the size of the queues in Shaping Objects. For details, see Section 5.6.6, “Fine-tuning the Shaping System”

SHAPING_QUEUE_GOAL is the amount of latency (in milliseconds) that PacketLogic adds to packets enqueued in Shaping Objects. For details, see Section 5.6.6, “Fine-tuning the Shaping System”

A.17. Statistics

PLDB_STATISTICSFS_MAX_SUBS Maximum number of subscribers stored in statistics

PLDB_STATISTICSFS_MAX_VALUES is the maximum size of the global index of the statistics file system.

PLDB_STATISTICSFS_MAX_VALUES_DATASET is the maximum sum of values in all datasets received by the database daemon on the statistics system.

PLDB_STATREADER_PEERS List of Statreader Peers (user:passwd@host), delimited by ';'

PLDB_STATWRITER_GRACE_PERIOD is the period, in seconds, that the statistics writer in the database daemon on the statistics system will wait between receiving a dataset and writing it to disk.

PLD_PLSD_CONN_THRESHOLD_IN sets the threshold (in bytes) for how much data must be transferred inbound by a connection during an update interval for it to be stored as statistics for Normal priority distribution levels (for a description of priority in StatisticsObjects, see Section 7.1.11, “Priority”).

PLD_PLSD_CONN_THRESHOLD_OUT sets the threshold (in bytes) for how much data must be transferred outbound by a connection during an update interval for it to be stored as statistics for Normal priority distribution levels (for a description of priority in StatisticsObjects, see Section 7.1.11, “Priority”).

PLS_CHANNELSTATS_ENABLED determines if channel statistics are collected.

PLS_CONNLOG_REINDEXING_ENABLED Enable reindexing for connection logging data. Disk usage for connlog data will decrease if reindexing is disabled.

PLS_CONNLOG_SEARCHABLE_CRITERIAS Comma-separated list of searchable criteria in connlog: SERVER CLIENT CLIENTPORT SERVERPORT PROTOCOL STARTTIME ENDTIME SERVICE SERVERHOST HOST VNO SERVER_IPV6 CLIENT_IPV6 HOST_IPV6 (empty list equals all criteria)

PLS_DISK_DUMP_INTERVAL Interval with which PLSD dumps to disk buffer. PLS_DISK_DUMP_INTERVAL must be a multiple of PLS_MIN_FREQUENCY and PLS_DUMP_INTERVAL must be a multiple of PLS_DISK_DUMP_INTERVAL

PLS_MAX_VALUES is the maximum number of values in a dataset for one statistics daemon running on the statistics system.

PLS_MAX_VALUE_DEPTH is the maximum depth allowed for a statistics value.

PLS_MIN_FREQUENCY is the minimum sampling frequency for line graphs in statistics.

PLS_PRIORITY_THRESHOLD is a percentage of the cache for statistics values on the statistics system. When the cache usage exceeds this threshold, only values stemming from StatisticsObject distribution levels with priority set to High will be created. Values from distribution levels with priority set to Normal will not be created.

PLS_RINGBUF_MEGS is the size in MB of the statistics daemon receiving ring buffer.

PLS_STATISTICS_ENABLED determines if statistics shall be collected.

SNMP_LOG_REWRITES Enable logging rewritten connection data to SNMP agent

STATISTICS_MAX_RULES_PER_CONNECTION is the maximum number of statistics rules any one connection is allowed to match. Exceeding this value will generate an alert for the value Too many matching statistics rules in the Ruleset zone in System Diagnostics (see Appendix C, System Diagnostics Values).
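Several of the values in A.15 to A.17 constrain each other (PRIO_EMPTY_ACK versus SHAPING_PRIO0_FASTLANE, the SHAPING_DSCP_MAP value range, the PLS_DISK_DUMP_INTERVAL / PLS_MIN_FREQUENCY / PLS_DUMP_INTERVAL multiples, the power-of-two SHAPING_COUNTERS_GRANULARITY_SHIFT, and the MAX_DYNAMIC_RULES_PER_NO rule of thumb). The following lint is an added example and not code from the product guide or the product; it assumes the values have been exported into a Python dict, since the guide documents no export format.

```python
"""Consistency checks for a few PacketLogic system configuration values.

Added example, not part of the product guide or the product. It encodes rules the
guide states in A.15-A.17: PRIO_EMPTY_ACK and SHAPING_PRIO0_FASTLANE should not be
used together, SHAPING_DSCP_MAP entries are 0-63 or 255, PLS_DISK_DUMP_INTERVAL must
be a multiple of PLS_MIN_FREQUENCY and PLS_DUMP_INTERVAL a multiple of
PLS_DISK_DUMP_INTERVAL, SHAPING_COUNTERS_GRANULARITY_SHIFT is a power-of-two shift,
and the MAX_DYNAMIC_RULES_PER_NO rule of thumb. Feeding the values in as a dict is
an assumption; the guide documents no export format.
"""
import math
from typing import Dict, List, Union

Value = Union[int, bool, str]


def parse_dscp_map(raw: str) -> List[int]:
    """Parse SHAPING_DSCP_MAP ("10,12"): each entry is a DSCP 0-63, or 255 to keep the existing DSCP."""
    values = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        value = int(token)
        if not (0 <= value <= 63 or value == 255):
            raise ValueError(f"DSCP value {value} is not in 0-63 and not 255")
        values.append(value)
    return values


def counter_threshold_bytes(shift: int) -> int:
    """Bytes counted before a VBS update: the shift is a power of two (18 -> 256kB)."""
    if shift < 0:
        raise ValueError("shift must be non-negative")
    return 1 << shift


def dynamic_rules_rule_of_thumb(dynamic_rules: int, host_netobject: bool, other_rules: int) -> int:
    """Guide's rule of thumb for MAX_DYNAMIC_RULES_PER_NO:
    2 * dynamic_rules * 2 (if host NetObject conditions) + 2 * other_rules / 30.
    Rounding the fractional term up is this example's choice (a limit should not be under-set)."""
    base = 2 * dynamic_rules * (2 if host_netobject else 1)
    return base + math.ceil(2 * other_rules / 30)


def lint(cfg: Dict[str, Value]) -> List[str]:
    """Return the list of inconsistencies found; an empty list means the checked values agree."""
    problems: List[str] = []

    if cfg.get("PRIO_EMPTY_ACK") and cfg.get("SHAPING_PRIO0_FASTLANE"):
        problems.append("PRIO_EMPTY_ACK and SHAPING_PRIO0_FASTLANE should not be used together")

    if "SHAPING_DSCP_MAP" in cfg:
        try:
            parse_dscp_map(str(cfg["SHAPING_DSCP_MAP"]))
        except ValueError as err:
            problems.append(f"SHAPING_DSCP_MAP: {err}")

    freq = cfg.get("PLS_MIN_FREQUENCY")
    disk = cfg.get("PLS_DISK_DUMP_INTERVAL")
    dump = cfg.get("PLS_DUMP_INTERVAL")
    if isinstance(freq, int) and isinstance(disk, int):
        if freq <= 0 or disk % freq:
            problems.append("PLS_DISK_DUMP_INTERVAL must be a multiple of PLS_MIN_FREQUENCY")
    if isinstance(disk, int) and isinstance(dump, int):
        if disk <= 0 or dump % disk:
            problems.append("PLS_DUMP_INTERVAL must be a multiple of PLS_DISK_DUMP_INTERVAL")

    shift = cfg.get("SHAPING_COUNTERS_GRANULARITY_SHIFT")
    if isinstance(shift, int) and not isinstance(shift, bool) and shift < 0:
        problems.append("SHAPING_COUNTERS_GRANULARITY_SHIFT must be a non-negative shift value")
    return problems


# Constructed sample: a configuration with three of the documented rules violated.
SAMPLE_CONFIG: Dict[str, Value] = {
    "PRIO_EMPTY_ACK": True,
    "SHAPING_PRIO0_FASTLANE": True,        # conflicts with PRIO_EMPTY_ACK
    "SHAPING_DSCP_MAP": "10,64",           # 64 is outside 0-63
    "SHAPING_COUNTERS_GRANULARITY_SHIFT": 18,
    "PLS_MIN_FREQUENCY": 10,
    "PLS_DISK_DUMP_INTERVAL": 25,          # not a multiple of 10
    "PLS_DUMP_INTERVAL": 50,               # a multiple of 25, so this one is fine
}

if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print("problem:", problem)
    print("granularity threshold:", counter_threshold_bytes(18), "bytes")
    print("MAX_DYNAMIC_RULES_PER_NO rule of thumb:", dynamic_rules_rule_of_thumb(10, True, 30))
```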

Appendix B. Keyboard Shortcuts

This section lists all keyboard shortcuts available in the PacketLogic client interface. Note that there are platform-specific variations to keyboard shortcuts. For example, in Mac OS X the Apple key is used consistently instead of the Ctrl key. In cases where there are specific platform-dependent variations on keyboard shortcuts, they are listed below.

B.1. General Shortcuts

For all dialogs where a Cancel button exists, the Esc key is a shortcut for the Cancel button.

B.2. Main Interface

In the main interface, the following keyboard shortcuts are available:

Ctrl+M Open the System Manager

Ctrl+Alt+R Reconnect

Ctrl+Shift+W Close Window

Ctrl+Q Quit

Ctrl+Shift+C Quick connect

For all list views, the following keyboard shortcuts are available:

Down Move selection down.

Up Move selection up.

Left or - Close one expanded level.

Right or + Expand one level.

Enter Open selected item (corresponds to double-click).

Del or Backspace (Mac) Removes the selected item (when applicable).

Space Toggles checkboxes checked/unchecked.

F2 Opens a dialog to rename the selected item. Enter sets the new name, Esc cancels

To open a general-purpose search field in any list view or statistics bar chart view, press Ctrl+F or simply start typing the search string.

When the search field is open, the following keyboard shortcuts are available:

Esc Close the search field.

F3 or Ctrl+G Go to the next match.

Shift+F3 Go to the previous match.

B.3. Backup Manager

The following keyboard shortcuts are available in the Backup Manager:

Ctrl+N Create a new backup.

Ctrl+W Close the Backup Manager.

B.4. File Manager

The following keyboard shortcuts are available in the File Manager:

Ctrl+W Close the File Manager.

Del Delete the selected file.

B.5. Log Viewer

The following keyboard shortcuts are available in the Log Viewer:

Ctrl+S Save the selected log file on the local file system.

Ctrl+W Close the Log Viewer.

Ctrl+C Copy the selected text to the clipboard.

Ctrl+A Select all text in the displayed log file.

Ctrl+F Search the logs for a text string.

B.6. System Manager

Esc Closes the System Manager.

B.7. Objects & Rules Editor

The following keyboard shortcuts are available in the Objects & Rules Editor:

Ctrl+N Add a new object.

Ctrl+I Add a new item in the current object.

Ctrl+S Save the edited ruleset.

Ctrl+W Close the Objects & Rules Editor.

Ctrl+X Cut the selected object, rule, or item.

Ctrl+C Copy the selected object, rule, or item.

Ctrl+V Paste the most recently cut or copied object, rule, or item.

Ctrl+Up Move the selected filtering rule up in the list.

Ctrl+Down Move the selected filtering rule down in the list.

Right Add the selected service or Shaping Object to the list.

Left Remove the selected service or Shaping Object from the list.

When selecting date ranges in TimeObjects, the following keyboard shortcuts are available:

Esc Closes the date range selection without selecting a date.

Enter Sets the selected date range.

For objects where there are advanced options available, Space and Enter toggle showing/hiding the advanced options.

B.8. System Configuration Editor

The following keyboard shortcuts are available in the System Configuration Editor:

Ctrl+S Save the current configuration.

Ctrl+W Close the System Configuration Editor.

B.9. User Editor

The following keyboard shortcuts are available in the User Editor:

Ctrl+N Add a new user.

Ctrl+S Save the edited user configuration.

Ctrl+W Close the User Editor.

Ctrl+X Cut the selected user.

Ctrl+C Copy the selected user.

Ctrl+V Paste the user last cut or copied.

Del Delete the selected user.

Ctrl+P Change password for the selected user.

B.10. Tech Support

The following keyboard shortcuts are available in the Tech Support (IRC client):

Ctrl+W Close the window.

B.11. Resource Manager

The following keyboard shortcuts are available in the Resource Manager:

Ctrl+D Display debug information for the resources.

B.12. Statistics Viewer

The following keyboard shortcuts are available in the Statistics Viewer:

Ctrl+W Close the current tab.

Ctrl+F Find (in bar chart).


Alt+Up Go up one level in the object path.

Alt+Home Go to the root level in the object path.

Ctrl+L Focus the Location Field.

Ctrl+Left View the previous date interval.

Ctrl+Right View the next date interval.

Ctrl+B Switch to Bar Chart.

Ctrl+I Switch to Pie Chart.

Ctrl+T Switch to Throughput Chart.

Ctrl+P Print the current statistics view.

Ctrl+D Add a bookmark.

Down or PageDown Go down one page in a multi-page statistics view.

Up or PageUp Go up one page in a multi-page statistics view.

Home Go to the first page in a multi-page statistics view.

End Go to the last page in a multi-page statistics view.

Alt+Left (Linux), Apple+[ (Mac) Go back in history in the Statistics Viewer.

Alt+Right (Linux), Apple+] (Mac) Go forward in history in the Statistics Viewer.

B.13. Bookmark Manager

The following keyboard shortcuts are available in the Bookmark Manager:

Ctrl+W Close the Bookmark Manager.

Ctrl+X Cut the selected bookmark.

Ctrl+C Copy the selected bookmark.

Ctrl+V Paste the bookmark last cut or copied.

B.14. Calendar Tool

The following keyboard shortcuts are available in the Calendar Tool:

Left Move the date selection to the left.

Right Move the date selection to the right.

Up Move the date selection up.

Down Move the date selection down.

PageUp Go forward one month.

PageDown Go back one month.

B.15. LiveView

The following keyboard shortcuts are available in the LiveView part:

Ctrl+Shift+P Pause/unpause (stop/start updating)

Ctrl+Shift+G Open the Go to Host dialog, where an IP address can be entered to go directly to the connections for that host.

Ctrl+D Display debugging zones in System Diagnostics.

Ctrl+W Close the current view.

Appendix C. System Diagnostics Values

C.1. Introduction

This section describes the values shown in the System Diagnostics view in LiveView in the PacketLogic client.

System diagnostics shows values for various parts and subsystems in PacketLogic. The values are divided into so-called zones, each representing a specific part or subsystem.

For each value, there are three columns: Rate, Current/Total, and Peak. Rate shows the rate at which the value is increasing. Rate is not applicable for all values. Current/Total shows the current value or the accumulated total, depending on the nature of the value. Peak shows the highest registered value or rate sample, depending on the nature of the value.

Note: Values denoted as bytes have rate values in bits per second (bps).

Some zones are only available if the associated functionality is active (for example, the BGP zone is only visible if BGP is configured and used), whereas others are always present.

For some zones, the values are expandable. This applies when there is more than one component in the system performing the associated function. For example, the Connection zone has expandable zones in case there are multiple components handling connections. Expanding the value will then display values for the individual components, even down to each thread running on a multithreaded processor.

C.2. BGP

Connection uptime This is the time this system has been connected to the configured BGP server. OID: 1.3.6.1.4.1.15397.2.1.122.4

Maximum number of communities we have seen in a BGP update This is the highest number of communities so far received from the BGP peer in any one update. OID: 1.3.6.1.4.1.15397.2.1.122.25

Number of community updates received that exceed PL_CONFIG_BGP_MAX_COMMUNITIES This is the number of communities in an update that exceed the limit imposed by the system configuration value BGP_MAX_COMMUNITIES. These communities are ignored and will not be shown in LiveView or applied in the ruleset. OID: 1.3.6.1.4.1.15397.2.1.122.24

Number of paths waiting for garbage collection This is the number of paths that are no longer announced, but still have connections in packetlogicd using them. OID: 1.3.6.1.4.1.15397.2.1.122.12

Number of prefixes This is the number of prefixes announced by the BGP server. OID: 1.3.6.1.4.1.15397.2.1.122.2

Number of unique paths This is the number of unique AS paths in the lookup tree. OID: 1.3.6.1.4.1.15397.2.1.122.3

Time to convert lookup tree This is the time it takes to convert the information received from the BGP server into the form used by engine. OID: 1.3.6.1.4.1.15397.2.1.122.5

Time to rebalance tree This is the time it took the last time the BGP tree was rebalanced. OID: 1.3.6.1.4.1.15397.2.1.122.14

Time to update lookup tree This is the time it takes to send an update of the lookup tree to engine. OID: 1.3.6.1.4.1.15397.2.1.122.6

Total count of announced routes This is the number of routes announced by the BGP server. OID: 1.3.6.1.4.1.15397.2.1.122.9

Total count of announces without withdraw This is the number of routes announced by the BGP server that were already announced with another path, with no withdraw before the reannounce. OID: 1.3.6.1.4.1.15397.2.1.122.7

Total count of withdrawn routes This is the number of routes announced by the BGP server that have subsequently been withdrawn. OID: 1.3.6.1.4.1.15397.2.1.122.8

Total number of reconnects This is the number of times the system has reconnected to the BGP server. OID: 1.3.6.1.4.1.15397.2.1.122.10

Updates received This is the number of updates received from the BGP server. OID: 1.3.6.1.4.1.15397.2.1.122.1

C.3. Connection

Attempts refused (already existed) This is the number of connection create attempts that failed because an identical connection already existed. This is a typical sign of a worm, but could also be a natural occurrence. OID: 1.3.6.1.4.1.15397.2.1.56.18

Attempts refused (connprot) This is the number of connection create attempts that were refused by the connection protection. OID: 1.3.6.1.4.1.15397.2.1.56.5

Attempts refused (resources) This is the number of connection create attempts refused because the connection pool was exhausted. OID: 1.3.6.1.4.1.15397.2.1.56.6

Attempts refused (ruleset) This is the number of connection create attempts refused by the current ruleset. OID: 1.3.6.1.4.1.15397.2.1.56.19

Bytes received after connection close This is the number of bytes seen for connections where a RST has been seen. OID: 1.3.6.1.4.1.15397.2.1.56.42

Connections allocated from LRU This is the number of connections that have been allocated by taking the least recently used connection and reusing the memory for the new connection. OID: 1.3.6.1.4.1.15397.2.1.56.9

Connections without timer OID: 1.3.6.1.4.1.15397.2.1.56.27

Create attempts inbound This is the number of inbound connection create attempts. OID: 1.3.6.1.4.1.15397.2.1.56.3

Create attempts outbound This is the number of outbound connection create attempts. OID: 1.3.6.1.4.1.15397.2.1.56.4

Created inbound This is the number of inbound connections created. OID: 1.3.6.1.4.1.15397.2.1.56.7

Created outbound This is the number of outbound connections created. OID: 1.3.6.1.4.1.15397.2.1.56.8

Current count This is the current number of connections, both established and unestablished. OID: 1.3.6.1.4.1.15397.2.1.56.1

Current established count This is the current number of established connections. Established connections have had traffic in both directions. For TCP, connections remain unestablished until the entire TCP handshake has been completed. OID: 1.3.6.1.4.1.15397.2.1.56.2

Destroyed established OID: 1.3.6.1.4.1.15397.2.1.56.25

Failed lookups OID: 1.3.6.1.4.1.15397.2.1.56.15

Lookups OID: 1.3.6.1.4.1.15397.2.1.56.10

Made established OID: 1.3.6.1.4.1.15397.2.1.56.11

Made unestablished OID: 1.3.6.1.4.1.15397.2.1.56.24

Protection enabled This is the number of times the connection protection has been enabled. This happens when the connection creation rate is above CONNPROT_THRESSHOLD. OID: 1.3.6.1.4.1.15397.2.1.56.14

Redirected This is the number of redirected connections. OID: 1.3.6.1.4.1.15397.2.1.56.20

Refused redirects (collision) This is the number of redirects that failed due to collisions. OID: 1.3.6.1.4.1.15397.2.1.56.21

Shunted bytes (connection create failure) This is the number of bytes that have been shunted (directly forwarded) because a connection could not be created for the packet. OID: 1.3.6.1.4.1.15397.2.1.56.41

Shunted packets (connection create failure) This is the number of packets that have been shunted (directly forwarded) because a connection could not be created for the packet. OID: 1.3.6.1.4.1.15397.2.1.56.40

TTL timeouts OID: 1.3.6.1.4.1.15397.2.1.56.13

Updates sent OID: 1.3.6.1.4.1.15397.2.1.56.12

Updates with invalid ruleset OID: 1.3.6.1.4.1.15397.2.1.56.26
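The Connection zone counters above can be polled over SNMP by the OIDs the guide prints, and the Rate, Current/Total and Peak columns described in C.1 can be rebuilt from successive polls. The tracker below is an added example, not code from the product guide or the product: it computes those columns for a few Connection-zone OIDs and raises the alerts the guide's own descriptions suggest (a burst of "Attempts refused (already existed)" as a worm sign, pool exhaustion, connection protection engaging). The "<oid> <value>" poll format, the sample polls and the alert threshold are constructed assumptions.

```python
"""Rate / Current-Total / Peak for polled Connection-zone diagnostics counters.

Added example, not part of the product guide or the product. It reproduces the
three LiveView columns described in C.1 for the Connection zone counters of C.3,
using the OIDs printed there, and flags the conditions the guide attaches to them:
a rising "Attempts refused (already existed)" (a typical sign of a worm),
"Attempts refused (resources)" (connection pool exhausted) and "Protection enabled"
increments. The "<oid> <value>" poll format and the alert threshold are assumptions;
the guide documents neither.
"""
from typing import Dict, List, Optional, Tuple

PREFIX = "1.3.6.1.4.1.15397.2.1.56."
NAMES = {
    PREFIX + "1": "Current count",                        # gauge
    PREFIX + "2": "Current established count",            # gauge
    PREFIX + "6": "Attempts refused (resources)",         # total
    PREFIX + "14": "Protection enabled",                  # total
    PREFIX + "18": "Attempts refused (already existed)",  # total
}
# Accumulating counters: Rate applies and Peak is the highest rate sample.
# Gauges: Rate is not applicable and Peak is the highest registered value.
TOTALS = {PREFIX + "6", PREFIX + "14", PREFIX + "18"}
REFUSED_EXISTED_RATE_ALERT = 100.0   # refusals per second; assumed, tune per deployment


def parse_poll(text: str) -> Dict[str, int]:
    """Parse one poll of "<oid> <value>" lines; unknown OIDs and malformed lines are skipped."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in NAMES or not parts[1].isdigit():
            continue
        values[parts[0]] = int(parts[1])
    return values


class ConnectionZoneTracker:
    """Tracks rate and peak per OID across polls, as the System Diagnostics columns do."""

    def __init__(self) -> None:
        self.prev: Optional[Tuple[float, Dict[str, int]]] = None
        self.rate: Dict[str, float] = {}     # per-second rate for accumulating counters
        self.peak: Dict[str, float] = {}     # peak rate (totals) or peak value (gauges)

    def update(self, ts: float, values: Dict[str, int]) -> List[str]:
        """Ingest one poll taken at time ts (seconds) and return the alerts it raises."""
        alerts: List[str] = []
        for oid, value in values.items():
            if oid not in TOTALS:
                self.peak[oid] = max(self.peak.get(oid, 0), value)
        if self.prev is not None:
            prev_ts, prev_values = self.prev
            dt = ts - prev_ts
            for oid in TOTALS:
                if oid in values and oid in prev_values and dt > 0:
                    delta = values[oid] - prev_values[oid]
                    if delta < 0:         # counter reset (e.g. engine restart): skip this interval
                        continue
                    rate = delta / dt
                    self.rate[oid] = rate
                    self.peak[oid] = max(self.peak.get(oid, 0.0), rate)
                    alerts.extend(self._check(oid, delta, rate))
        self.prev = (ts, values)
        return alerts

    @staticmethod
    def _check(oid: str, delta: int, rate: float) -> List[str]:
        name = NAMES[oid]
        if oid == PREFIX + "18" and rate > REFUSED_EXISTED_RATE_ALERT:
            return [f"{name}: {rate:.0f}/s, above {REFUSED_EXISTED_RATE_ALERT:.0f}/s (typical sign of a worm)"]
        if oid == PREFIX + "14" and delta > 0:
            return [f"{name}: connection protection engaged {delta} time(s)"]
        if oid == PREFIX + "6" and delta > 0:
            return [f"{name}: connection pool exhausted {delta} time(s)"]
        return []


# Constructed polls, ten seconds apart: "already existed" refusals jump by 2000.
POLL_T0 = """\
1.3.6.1.4.1.15397.2.1.56.1 50000
1.3.6.1.4.1.15397.2.1.56.2 40000
1.3.6.1.4.1.15397.2.1.56.6 0
1.3.6.1.4.1.15397.2.1.56.14 0
1.3.6.1.4.1.15397.2.1.56.18 100
"""
POLL_T10 = """\
1.3.6.1.4.1.15397.2.1.56.1 52000
1.3.6.1.4.1.15397.2.1.56.2 41000
1.3.6.1.4.1.15397.2.1.56.6 5
1.3.6.1.4.1.15397.2.1.56.14 1
1.3.6.1.4.1.15397.2.1.56.18 2100
"""

if __name__ == "__main__":
    tracker = ConnectionZoneTracker()
    tracker.update(0.0, parse_poll(POLL_T0))
    for alert in tracker.update(10.0, parse_poll(POLL_T10)):
        print("alert:", alert)
```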

C.4. Connsync

Connection not found OID: 1.3.6.1.4.1.15397.2.1.60.16

Connections actively syncing This is the number of connections currently taking part in synchronization. OID: 1.3.6.1.4.1.15397.2.1.60.8

Corrupt packet received OID: 1.3.6.1.4.1.15397.2.1.60.15

Double seen This is the number of times a SEEN message is received when flow synchronization is already set up. OID: 1.3.6.1.4.1.15397.2.1.60.9

First updates received This is the number of first updates received (that is, only the first UPDATE message in each connection synchronization increments this counter). OID: 1.3.6.1.4.1.15397.2.1.60.4

Hello received This is the number of Hello packets received from flow syncing peers. OID: 1.3.6.1.4.1.15397.2.1.60.10

Out of sync - collision OID: 1.3.6.1.4.1.15397.2.1.60.12

Out of sync - missed rcv/late collision This is the number of connections set as out of sync due to gaps in the message sequence. This is caused by packet loss on the flowsync connection. OID: 1.3.6.1.4.1.15397.2.1.60.11

Out of syncs This is the number of connections set as out of sync due to UPDATE messages arriving after ordinary packets for a connection. This can be caused by too high latency on the flowsync connection. OID: 1.3.6.1.4.1.15397.2.1.60.7

Received packets with incompatible version This is the number of flow sync packets received from an engine that has an incompatible version. OID: 1.3.6.1.4.1.15397.2.1.60.17

Received packets with incorrect ethernet type This is the number of packets received on the flow sync interface that are not flow sync packets. OID: 1.3.6.1.4.1.15397.2.1.60.18

Received packets with own engine-id This is the number of flow sync packets received from an engine that claims to have the same ID as this one. OID: 1.3.6.1.4.1.15397.2.1.60.19

Seen received This is the number of SEEN messages received (that is, the number of times requests to synchronize connections have been received). OID: 1.3.6.1.4.1.15397.2.1.60.2

Seen sent This is the number of SEEN messages sent (that is, the number of times requests to synchronize connections have been sent). OID: 1.3.6.1.4.1.15397.2.1.60.1

UDP received This is the number of flow sync packets received for UDP connections. OID: 1.3.6.1.4.1.15397.2.1.60.21

UDP sent This is the number of flow sync packets sent for UDP connections. OID: 1.3.6.1.4.1.15397.2.1.60.20

Update packet overflow OID: 1.3.6.1.4.1.15397.2.1.60.14

Updates Sent This is the number of connection synchronization update messages sent. OID: 1.3.6.1.4.1.15397.2.1.60.3

Updates for mismatching ARM This is the number of flow sync updates sent from an engine that has another ARM (signature bundle) version than the local one. OID: 1.3.6.1.4.1.15397.2.1.60.13

Updates for unknown connections received This is the number of times connection synchronization messages for unknown connections have been received. OID: 1.3.6.1.4.1.15397.2.1.60.6

Updates received This is the number of connection synchronization update messages received (for connections being synchronized). OID: 1.3.6.1.4.1.15397.2.1.60.5

C.5. Divert

Bypassed packets This is the number of packets that match a Divert rule where the system to divert to is considered down. These packets are bypassed, but still processed by the rest of the ruleset. OID: 1.3.6.1.4.1.15397.2.1.125.17

Connections This is the number of connections being diverted. OID: 1.3.6.1.4.1.15397.2.1.125.11

Dropped packets This is the number of packets dropped because the divert mechanism could not determine what to do with them. OID: 1.3.6.1.4.1.15397.2.1.125.18

Egress bytes This is the number of bytes sent to divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.5

Egress packets This is the number of packets sent to divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.4

Failed proxy connections This is the number of times PacketLogic failed to set up a proxied connection on a divert channel (Section 6.9.7, “Diverting Mid-Session”). OID: 1.3.6.1.4.1.15397.2.1.125.20

Failed proxy connections (too many channels) This is the number of times setting up a proxied connection (Section 6.9.7, “Diverting Mid-Session”) failed because the divert channel chosen is part of a chained divert (Section 6.9, “TECH: Divert”). OID: 1.3.6.1.4.1.15397.2.1.125.21

Heartbeat replies received This is the number of heart beat replies received from divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.15

Heartbeat replies sent This is the number of heart beat replies sent to divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.14

Heartbeat requests received This is the number of heart beat requests received from divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.13

Heartbeat requests sent This is the number of heart beat replies sent to divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.12

Heartbeats lost This is the number of heart beats lost. OID: 1.3.6.1.4.1.15397.2.1.125.16

Hosts This is the number of hosts stored for divert channels. OID: 1.3.6.1.4.1.15397.2.1.125.10

Ingress bytes This is the number of bytes received from divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.7

Ingress packets This is the number of packets received from divert system(s). OID: 1.3.6.1.4.1.15397.2.1.125.6

Ingress packets with host missing L2-header This is the number of packets received from divert systems where there is no original L2 header stored for that host and direction. In this case, the L2 header is constructed from the L2 header for the host in the opposite direction, but with source/destination MAC address reversed. OID: 1.3.6.1.4.1.15397.2.1.125.9

Ingress packets with missing host This is the number of packets received from divert systems where there is no host stored. These packets are dropped. OID: 1.3.6.1.4.1.15397.2.1.125.8

Out of hosts This is the number of attempts to create a new data structure for a host with diverted connections when there are no more to allocate. This means the system configuration value DIVERT_NUM_HOSTS must be raised or the number of hosts diverted must be lowered. OID: 1.3.6.1.4.1.15397.2.1.125.2

Proxied connections This is the number of connections that have been set up as proxied divert connections (Section 6.9.7, “Diverting Mid-Session”). OID: 1.3.6.1.4.1.15397.2.1.125.19

Too large L2-headers This is the number of times the L2 header was too large to store in the divert hosts data structure (or too large to restore after diverting). If this happens when the packet is received from the originator, the packet is bypassed (not diverted). If this happens when the packet returns from the divert system it is dropped. OID: 1.3.6.1.4.1.15397.2.1.125.3

C.6. Drdl

Analyzed bytes OID: 1.3.6.1.4.1.15397.2.1.24.12

Analyzer actions called This is the number of actions called by DRDL when analyzing traffic. OID: 1.3.6.1.4.1.15397.2.1.24.14

Analyzer literals set This is the number of properties set as string literals by the DRDL engine. OID: 1.3.6.1.4.1.15397.2.1.24.29

Analyzer packet checks OID: 1.3.6.1.4.1.15397.2.1.24.11

Analyzer properties set This is the number of properties set by the DRDL engine. OID: 1.3.6.1.4.1.15397.2.1.24.15

Analyzer properties that could not be set This is the number of times DRDL has failed to set a property for a connection. OID: 1.3.6.1.4.1.15397.2.1.24.30

Buckets used in taint store OID: 1.3.6.1.4.1.15397.2.1.24.49

Child allocation failures OID: 1.3.6.1.4.1.15397.2.1.24.4

Childconnection iterations during search (max) OID: 1.3.6.1.4.1.15397.2.1.24.33

LRU child allocations OID: 1.3.6.1.4.1.15397.2.1.24.3

New childconnections This is the number of expected child connection hooks that are installed. OID: 1.3.6.1.4.1.15397.2.1.24.2

Number of automatic accepts OID: 1.3.6.1.4.1.15397.2.1.24.21

Number of buffer allocation failures This is the number of buffer allocations that fail. Buffers are DRDL containers that are used as temporary storage. If there are allocation failures here, the connection properties will not be complete. The number of buffers available is governed by the System Configuration value CONNECTION_PROP_BUFFERS. OID: 1.3.6.1.4.1.15397.2.1.24.23

Number of buffers used This is the number of buffers used by DRDL. OID: 1.3.6.1.4.1.15397.2.1.24.22

Number of full run packets OID: 1.3.6.1.4.1.15397.2.1.24.24

Number of slice state structure allocation failures OID: 1.3.6.1.4.1.15397.2.1.24.28

Number of slice state structures used OID: 1.3.6.1.4.1.15397.2.1.24.27

Orphaned childconnections OID: 1.3.6.1.4.1.15397.2.1.24.18

Port tainting data structure usage This is the usage level of the data structure used for port tainting (Section 4.4.2.5, “Port Tainting”). OID: 1.3.6.1.4.1.15397.2.1.24.54

Properties used (256) This is the number of 256 byte properties used. Properties are allocated in pools of either 256 or 32 bytes. OID: 1.3.6.1.4.1.15397.2.1.24.10

Properties used (32) This is the number of 32 byte properties used. OID: 1.3.6.1.4.1.15397.2.1.24.8

Property allocation failures (256) OID: 1.3.6.1.4.1.15397.2.1.24.7

Property allocation failures (32) OID: 1.3.6.1.4.1.15397.2.1.24.5

Skipped bytes OID: 1.3.6.1.4.1.15397.2.1.24.13

UCAP: Allocated packet queues OID: 1.3.6.1.4.1.15397.2.1.24.50

UCAP: Connections sent to userspace OID: 1.3.6.1.4.1.15397.2.1.24.52


UCAP: Overflows in packet queues OID: 1.3.6.1.4.1.15397.2.1.24.53

UCAP: Packets held in packet queues OID: 1.3.6.1.4.1.15397.2.1.24.51

Virtual services range steps OID: 1.3.6.1.4.1.15397.2.1.24.46

Virtual services range tests OID: 1.3.6.1.4.1.15397.2.1.24.45

Virtual services regex steps OID: 1.3.6.1.4.1.15397.2.1.24.48

Virtual services regex tests OID: 1.3.6.1.4.1.15397.2.1.24.47

Waiting childconnections This is the number of child connection hooks pending. OID: 1.3.6.1.4.1.15397.2.1.24.1

C.7. Dynamic Ruleset

Add calls attempted This is the number of calls made to add a dynamic NetObject item. OID: 1.3.6.1.4.1.15397.2.1.121.11

Add calls failed This is the number of calls made to add a dynamic NetObject item that have failed. OID: 1.3.6.1.4.1.15397.2.1.121.9

Add calls failed in PLDB This is the number of calls made to add a dynamic NetObject item that have failed when processed by the Database Daemon. OID: 1.3.6.1.4.1.15397.2.1.121.10

Add calls succeeded This is the number of calls made to add a dynamic NetObject item that have completed successfully. OID: 1.3.6.1.4.1.15397.2.1.121.8

Dynamic netobject items added during set operations This is the number of dynamic NetObject items that have been added as a result of a set operation. OID: 1.3.6.1.4.1.15397.2.1.121.27

Dynamic netobject items removed during set operations This is the number of dynamic NetObject items that have been removed as a result of a set operation. OID: 1.3.6.1.4.1.15397.2.1.121.28

Dynamic netobject items unchanged during set operations This is the number of dynamic NetObject items that are in NetObjects affected by set operations but left unchanged. OID: 1.3.6.1.4.1.15397.2.1.121.29

Failed inserts (too many dynamic items) This is the number of calls to add a dynamic NetObject item that have failed because the maximum number allowed already exists (defined by the system configuration value MAX_DYNAMIC_IPS). OID: 1.3.6.1.4.1.15397.2.1.121.1

IP networks in table OID: 1.3.6.1.4.1.15397.2.1.121.42

IPs in table This is the number of unique IP addresses in the table of dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.5

Items in table This is the number of items in the table of dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.6

Items returned from last PLDB query This is the number of items returned last time the database daemon was queried for the number of dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.2

Items returned from list calls This is the number of items returned in dynamic listing calls. OID: 1.3.6.1.4.1.15397.2.1.121.16

List calls attempted This is the number of calls to list the dynamic NetObject items attempted. OID: 1.3.6.1.4.1.15397.2.1.121.15

Number of unique subscriber names This is the number of unique names for dynamic NetObjects. OID: 1.3.6.1.4.1.15397.2.1.121.18

Orphan dynamic netobject items removed This is the number of dynamic NetObject items removed because their parent NetObject was removed and a call was made to remove orphan items. OID: 1.3.6.1.4.1.15397.2.1.121.41

Remove calls attempted This is the number of calls made to remove a dynamic NetObject item. OID: 1.3.6.1.4.1.15397.2.1.121.12

Remove calls failed This is the number of calls made to remove a dynamic NetObject item that have failed. OID: 1.3.6.1.4.1.15397.2.1.121.4

Remove calls succeeded This is the number of calls made to remove a dynamic NetObject item that have completed successfully. OID: 1.3.6.1.4.1.15397.2.1.121.3

RemoveOrphans calls (Always succeeds) This is the number of times the method to remove orphaned dynamic NetObject items has been called. OID: 1.3.6.1.4.1.15397.2.1.121.40

Set calls attempted This is the number of calls to use the set method for dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.30

Set calls failed This is the number of failed calls to use the set method for dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.32

Set calls succeeded This is the number of successful calls to use the set method for dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.31

SetBegin calls attempted This is the number of calls to use the set_begin method for dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.33

SetBegin calls failed This is the number of failed calls to use the set_begin method for dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.35

SetBegin calls succeeded This is the number of successful calls to use the set_begin method for dynamic NetObject items. OID: 1.3.6.1.4.1.15397.2.1.121.34


SetEnd calls attempted [OID: 1.3.6.1.4.1.15397.2.1.121.36]
  This is the number of calls to use the set_end method for dynamic NetObject items.

SetEnd calls failed [OID: 1.3.6.1.4.1.15397.2.1.121.38]
  This is the number of failed calls to use the set_end method for dynamic NetObject items.

SetEnd calls succeeded [OID: 1.3.6.1.4.1.15397.2.1.121.37]
  This is the number of successful calls to use the set_end method for dynamic NetObject items.

Too many unique subscriber names failures [OID: 1.3.6.1.4.1.15397.2.1.121.19]
  This is the number of dynamic operations that fail because there are too many unique dynamic NetObject (subscriber) names. This indicates that the system configuration value MAX_DYNAMIC_IP_NAMES should be raised.

C.8. Ethernet

802.1q encapsulated packets [OID: 1.3.6.1.4.1.15397.2.1.28.4]
  This is the number of 802.1q encapsulated frames received. These frames have a VLAN ID and a priority field, and are also called 'trunked' or 'VLAN trunked' packets.

Broadcast packets [OID: 1.3.6.1.4.1.15397.2.1.28.2]
  This is the number of Ethernet broadcast packets. Broadcast packets have 0xFF in the first byte of the Ethernet destination address.

Divert packets [OID: 1.3.6.1.4.1.15397.2.1.28.8]
  This is the number of packets received on divert channels.

Dropped packets because of HB Reset [OID: 1.3.6.1.4.1.15397.2.1.28.21]

Ethernet bytes (IPv4 and IPv6) [OID: 1.3.6.1.4.1.15397.2.1.28.30]
  The number of bytes of Ethernet frames seen with IPv4 or IPv6 headers.

Invalid MPLS frames [OID: 1.3.6.1.4.1.15397.2.1.28.6]
  This is the number of packets with an Ethernet type of MPLS (0x8847 or 0x8848) but with no bottom of stack found. These packets are dropped.

MPLS over Ethernet frames [OID: 1.3.6.1.4.1.15397.2.1.28.5]
  This is the number of MPLS frames received. The contents of the MPLS frame are then run through the Ethernet layer one more time, so the packet counters for different Ethernet types might be larger than the number of received packets on the wire.

Multicast packets [OID: 1.3.6.1.4.1.15397.2.1.28.3]
  This is the number of Ethernet multicast packets received. These packets have the first bit in the Ethernet destination set, but the first byte is not 0xFF (in which case it is a broadcast packet).


Non IP packets [OID: 1.3.6.1.4.1.15397.2.1.28.7]
  This is the number of packets received that do not contain an IPv4 header. These are silently forwarded.

Shunted bytes (Dot1q) [OID: 1.3.6.1.4.1.15397.2.1.28.29]
  This is the number of bytes that have been shunted due to a VLAN ID matching the system configuration value SHUNT_DOT1Q.

Shunted bytes (EoMPLS) [OID: 1.3.6.1.4.1.15397.2.1.28.27]
  This is the number of bytes that have been shunted because the packets are Ethernet-over-MPLS (EoMPLS) and the system configuration value SHUNT_EOMPLS is True.

Shunted bytes (MPLS) [OID: 1.3.6.1.4.1.15397.2.1.28.25]
  This is the number of bytes that have been shunted due to an MPLS label matching the system configuration value SHUNT_MPLS.

Shunted bytes (ethertype) [OID: 1.3.6.1.4.1.15397.2.1.28.23]
  This is the number of bytes that have been shunted due to an ethertype matching the system configuration value SHUNT_ETHERTYPES.

Shunted packets (Dot1q) [OID: 1.3.6.1.4.1.15397.2.1.28.28]
  This is the number of packets that have been shunted due to a VLAN ID matching the system configuration value SHUNT_DOT1Q.

Shunted packets (EoMPLS) [OID: 1.3.6.1.4.1.15397.2.1.28.26]
  This is the number of packets that have been shunted because the packets are Ethernet-over-MPLS (EoMPLS) and the system configuration value SHUNT_EOMPLS is True.

Shunted packets (MPLS) [OID: 1.3.6.1.4.1.15397.2.1.28.24]
  This is the number of packets that have been shunted due to an MPLS label matching the system configuration value SHUNT_MPLS.

Shunted packets (ethertype) [OID: 1.3.6.1.4.1.15397.2.1.28.22]
  This is the number of packets that have been shunted due to an ethertype matching the system configuration value SHUNT_ETHERTYPES.

Unicast packets [OID: 1.3.6.1.4.1.15397.2.1.28.1]
  This is the number of unicast Ethernet packets. These are all Ethernet frames except multicast and broadcast packets.

C.9. Filtering

Failed monitored packets [OID: 1.3.6.1.4.1.15397.2.1.80.9]
  This is the number of monitored packets that failed to be duplicated to user space.

Inject data preparation failures [OID: 1.3.6.1.4.1.15397.2.1.80.11]
  This is the number of attempts to generate inject packets that have failed because the resulting data becomes too large or because the property from which to use data is not found.

Inject properties exceeding max length (255) [OID: 1.3.6.1.4.1.15397.2.1.80.12]
  This is the number of attempts to generate inject packets that have failed because the property from which to use data contains data that is too long (longer than 255 characters).

Log entries [OID: 1.3.6.1.4.1.15397.2.1.80.7]
  This is the number of log entries made.

Monitored packets [OID: 1.3.6.1.4.1.15397.2.1.80.8]
  This is the number of packets monitored.

Rewrites changed in active connection [OID: 1.3.6.1.4.1.15397.2.1.80.13]
  This is the number of times a ruleset evaluation caused the rewrite of an existing connection to change.

Ruleset evaluations [OID: 1.3.6.1.4.1.15397.2.1.80.6]

Ruleset evaluations giving ACCEPT [OID: 1.3.6.1.4.1.15397.2.1.80.1]
  This is the number of times the ruleset has been evaluated to accept a packet. Note that only the first packet of a new connection will be evaluated by the ruleset. Subsequent packets will continue to use the previously calculated action until a property in the connection changes (such as services, properties, or AS path).

Ruleset evaluations giving DIVERT [OID: 1.3.6.1.4.1.15397.2.1.80.5]
  This is the number of times the ruleset has been evaluated to divert a packet. Note that only the first packet of a new connection will be evaluated by the ruleset. Subsequent packets will continue to use the previously calculated action until a property in the connection changes (such as services, properties, or AS path).

Ruleset evaluations giving DROP [OID: 1.3.6.1.4.1.15397.2.1.80.3]
  This is the number of times the ruleset has been evaluated to drop a packet. Note that only the first packet of a new connection will be evaluated by the ruleset. Subsequent packets will continue to use the previously calculated action until a property in the connection changes (such as services, properties, or AS path).

Ruleset evaluations giving INJECT [OID: 1.3.6.1.4.1.15397.2.1.80.10]
  This is the number of times the ruleset has been evaluated to set off injection. Note that only the first packet of a new connection will be evaluated by the ruleset. Subsequent packets will continue to use the previously calculated action until a property in the connection changes (such as services, properties, or AS path).

Ruleset evaluations giving REJECT [OID: 1.3.6.1.4.1.15397.2.1.80.2]
  This is the number of times the ruleset has been evaluated to reject a packet. Note that only the first packet of a new connection will be evaluated by the ruleset. Subsequent packets will continue to use the previously calculated action until a property in the connection changes (such as services, properties, or AS path).

Ruleset evaluations giving REWRITE [OID: 1.3.6.1.4.1.15397.2.1.80.4]
  This is the number of times the ruleset has been evaluated to rewrite a packet. Note that only the first packet of a new connection will be evaluated by the ruleset. Subsequent packets will continue to use the previously calculated action until a property in the connection changes (such as services, properties, or AS path).

C.10. GRE

0xffff Type packets [OID: 1.3.6.1.4.1.15397.2.1.131.10]

GRE Packets with unknown version [OID: 1.3.6.1.4.1.15397.2.1.131.4]

GRE packets with deprecated route flag [OID: 1.3.6.1.4.1.15397.2.1.131.7]

GRE packets with unknown type [OID: 1.3.6.1.4.1.15397.2.1.131.6]

IPv4 Type packets [OID: 1.3.6.1.4.1.15397.2.1.131.8]

IPv6 Type packets [OID: 1.3.6.1.4.1.15397.2.1.131.9]

PPP Type Packets [OID: 1.3.6.1.4.1.15397.2.1.131.12]

PPP Type Packets with Unknown Protocol [OID: 1.3.6.1.4.1.15397.2.1.131.13]

PPTP Packets [OID: 1.3.6.1.4.1.15397.2.1.131.11]

RX data [OID: 1.3.6.1.4.1.15397.2.1.131.3]
  Number of bytes of payload in GRE packets seen.

RX packets [OID: 1.3.6.1.4.1.15397.2.1.131.2]
  Number of GRE packets seen.

Too Short GRE Packets [OID: 1.3.6.1.4.1.15397.2.1.131.5]

C.11. GTP

Create PDP Context Request Packets [OID: 1.3.6.1.4.1.15397.2.1.129.5]

Create PDP Context Response Packets [OID: 1.3.6.1.4.1.15397.2.1.129.6]

Delete PDP Context Request Packets [OID: 1.3.6.1.4.1.15397.2.1.129.7]

Delete PDP Context Response Packets [OID: 1.3.6.1.4.1.15397.2.1.129.8]

Echo Request Packets [OID: 1.3.6.1.4.1.15397.2.1.129.13]

Echo Response Packets [OID: 1.3.6.1.4.1.15397.2.1.129.14]

Error Indication [OID: 1.3.6.1.4.1.15397.2.1.129.9]

G-PDU Packets [OID: 1.3.6.1.4.1.15397.2.1.129.4]


RX data [OID: 1.3.6.1.4.1.15397.2.1.129.3]
  Number of bytes of payload in GTP packets seen.

RX packets [OID: 1.3.6.1.4.1.15397.2.1.129.2]
  Number of GTP packets seen.

SGSN Context Request [OID: 1.3.6.1.4.1.15397.2.1.129.15]

SGSN Context Response [OID: 1.3.6.1.4.1.15397.2.1.129.16]

Unknown GTP Type [OID: 1.3.6.1.4.1.15397.2.1.129.10]

Update PDP Context Request Packets [OID: 1.3.6.1.4.1.15397.2.1.129.11]

Update PDP Context Response Packets [OID: 1.3.6.1.4.1.15397.2.1.129.12]

C.12. IPv4

Dropped fragments (timeout/LRU) [OID: 1.3.6.1.4.1.15397.2.1.32.21]
  This is the number of times fragments have been dropped because the packet was not reassembled before the timeout, or due to LRU allocation of newer fragments.

ECN Capable Packets ECT(0) [OID: 1.3.6.1.4.1.15397.2.1.32.39]
  The number of IPv4 packets seen marked as ECN capable, with ECT(0) set.

ECN Capable Packets ECT(1) [OID: 1.3.6.1.4.1.15397.2.1.32.40]
  The number of IPv4 packets seen marked as ECN capable, with ECT(1) set.

ECN Packets Congestion Experienced [OID: 1.3.6.1.4.1.15397.2.1.32.41]
  The number of IPv4 packets seen marked as having experienced congestion with ECN.

Fragment allocation failures [OID: 1.3.6.1.4.1.15397.2.1.32.15]
  This is the number of failed allocations (from the packet pool) for IP fragments.

Fragment ids [OID: 1.3.6.1.4.1.15397.2.1.32.10]

Fragment reassembly failures [OID: 1.3.6.1.4.1.15397.2.1.32.16]
  This is the number of times an IP packet was not reassembled due to packet allocation failure, or invalid fragmentation.

Fragments in queue [OID: 1.3.6.1.4.1.15397.2.1.32.11]
  This is the number of fragments buffered waiting for reassembly.

Packet fragments [OID: 1.3.6.1.4.1.15397.2.1.32.7]
  This is the number of received fragments.

Packets refused (too many fragments) [OID: 1.3.6.1.4.1.15397.2.1.32.19]
  This is the number of refused packets that were discarded because they used too many fragments (the threshold is configurable with the system configuration value IPV4_MAX_FRAGMENTS_PER_HEADER). To see which IP address is affected, set the system configuration value IPV4_EXPOSE_FRAGMENT_VIOLATIONS to True. This will store a log message in the engine log every time a packet is refused due to too many IP fragments.

Packets refused by low-level filter [OID: 1.3.6.1.4.1.15397.2.1.32.17]
  Not in use currently.

RX data [OID: 1.3.6.1.4.1.15397.2.1.32.2]
  This is the number of bytes received as IPv4 packets.

RX packets [OID: 1.3.6.1.4.1.15397.2.1.32.1]
  This is the number of packets received as IPv4 packets.

Reassembled packets [OID: 1.3.6.1.4.1.15397.2.1.32.20]
  This is the number of packets reassembled from fragments.

Refused (invalid version) [OID: 1.3.6.1.4.1.15397.2.1.32.4]
  This is the number of packets dropped because the IP header version was not 4 (but the Ethernet type said IPv4).

Refused (out of fragments) [OID: 1.3.6.1.4.1.15397.2.1.32.14]
  This is the number of packets dropped because the IP fragment pool is exhausted.

Refused (packet is too short) [OID: 1.3.6.1.4.1.15397.2.1.32.3]
  This is the number of packets refused because they are not long enough to contain an IPv4 header, or the payload length in the IPv4 header does not fit in the packet.

Refused (src == dest) [OID: 1.3.6.1.4.1.15397.2.1.32.5]
  This is the number of packets refused because the IP header source address is identical to the destination address.

Shunted bytes (address) [OID: 1.3.6.1.4.1.15397.2.1.32.36]
  This is the number of bytes shunted based on address.

Shunted bytes (protocol) [OID: 1.3.6.1.4.1.15397.2.1.32.38]
  This is the number of bytes shunted based on protocol.

Shunted packets (address) [OID: 1.3.6.1.4.1.15397.2.1.32.35]
  This is the number of packets shunted based on address.

Shunted packets (protocol) [OID: 1.3.6.1.4.1.15397.2.1.32.37]
  This is the number of packets shunted based on protocol.

C.13. IPv6

Destination Ext. Headers [OID: 1.3.6.1.4.1.15397.2.1.126.22]
  This is the number of destination extension headers seen.

Dropped fragments (timeout/LRU) [OID: 1.3.6.1.4.1.15397.2.1.126.27]
  This is the number of times fragments have been dropped because the packet was not reassembled before the timeout, or due to LRU allocation of newer fragments.

ECN Capable Packets ECT(0) [OID: 1.3.6.1.4.1.15397.2.1.126.33]
  The number of IPv6 packets seen marked as ECN capable, with ECT(0) set.


ECN Capable Packets ECT(1) [OID: 1.3.6.1.4.1.15397.2.1.126.34]
  The number of IPv6 packets seen marked as ECN capable, with ECT(1) set.

ECN Packets Congestion Experienced [OID: 1.3.6.1.4.1.15397.2.1.126.35]
  The number of IPv6 packets seen marked as having experienced congestion with ECN.

Fragment allocation failures [OID: 1.3.6.1.4.1.15397.2.1.126.15]
  This is the number of failed allocations (from the packet pool) for IP fragments.

Fragment ids [OID: 1.3.6.1.4.1.15397.2.1.126.10]

Fragment reassembly failures [OID: 1.3.6.1.4.1.15397.2.1.126.16]
  This is the number of times an IP packet was not reassembled due to packet allocation failure, or invalid fragmentation.

Fragments in Fragments [OID: 1.3.6.1.4.1.15397.2.1.126.32]

Fragments in queue [OID: 1.3.6.1.4.1.15397.2.1.126.11]
  This is the number of fragments buffered waiting for reassembly.

Hop-by-hop Ext. Headers [OID: 1.3.6.1.4.1.15397.2.1.126.23]
  This is the number of hop-by-hop extension headers seen.

Invalid Ext. Headers [OID: 1.3.6.1.4.1.15397.2.1.126.25]
  This is the number of invalid extension headers seen.

Overlapping Fragments [OID: 1.3.6.1.4.1.15397.2.1.126.21]
  This is the number of overlapping fragments seen. These are not allowed and will be dropped.

Packet fragments [OID: 1.3.6.1.4.1.15397.2.1.126.7]

Packets refused (too many fragments) [OID: 1.3.6.1.4.1.15397.2.1.126.19]
  This is the number of refused packets that were discarded because they used too many fragments.

RX data [OID: 1.3.6.1.4.1.15397.2.1.126.2]
  This is the number of bytes received as IPv6 packets.

RX packets [OID: 1.3.6.1.4.1.15397.2.1.126.1]
  This is the number of packets received as IPv6 packets.

Reassembled packets [OID: 1.3.6.1.4.1.15397.2.1.126.20]
  This is the number of packets reassembled from fragments.

Reassembly Timeout [OID: 1.3.6.1.4.1.15397.2.1.126.26]
  This is the number of times fragmented packets have been discarded because it took too long to receive all fragments.

Refused (invalid version) [OID: 1.3.6.1.4.1.15397.2.1.126.4]
  This is the number of packets dropped because the IP header version was not 6 (but the Ethernet type said IPv6).

Refused (out of fragments) [OID: 1.3.6.1.4.1.15397.2.1.126.14]
  This is the number of packets dropped because the IP fragment pool is exhausted.


Refused (packet is too short) [OID: 1.3.6.1.4.1.15397.2.1.126.3]
  This is the number of packets refused because they are not long enough to contain an IPv6 header, or the payload length in the IPv6 header does not fit in the packet.

Refused (src == dest) [OID: 1.3.6.1.4.1.15397.2.1.126.5]
  This is the number of packets refused because the IP header source address is identical to the destination address.

Route Ext. Headers [OID: 1.3.6.1.4.1.15397.2.1.126.24]
  This is the number of route extension headers seen.

Shunted bytes (address) [OID: 1.3.6.1.4.1.15397.2.1.126.29]
  This is the number of bytes shunted based on address.

Shunted bytes (protocol) [OID: 1.3.6.1.4.1.15397.2.1.126.31]
  This is the number of bytes shunted based on protocol.

Shunted packets (address) [OID: 1.3.6.1.4.1.15397.2.1.126.28]
  This is the number of packets shunted based on address.

Shunted packets (protocol) [OID: 1.3.6.1.4.1.15397.2.1.126.30]
  This is the number of packets shunted based on protocol.
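A poll-to-poll check over some of the security-relevant values listed in the Ethernet, IPv4 and IPv6 sections above (refused packets, excessive and overlapping fragments, invalid MPLS frames), as an added example that is not from the guide or from Procera. It assumes the cumulative values behave as 32-bit counters that wrap, treats "Fragments in queue" as a gauge rather than a counter, and runs on two constructed polls; how the OIDs are fetched from a device (SNMP client, polling interval) is left to the reader's own tooling.

```python
"""Poll-to-poll check over PacketLogic System Diagnostics values.

Added example: the OIDs and their meanings come from appendix C of the
guide; the wrap handling, thresholds and the two sample polls are assumed
or constructed so that the check runs offline without a device.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PL_DIAG = "1.3.6.1.4.1.15397.2.1."   # common prefix of the diagnostics OIDs

# kind "counter": cumulative count that only grows (and eventually wraps);
# kind "gauge": a current level, compared directly against a threshold.
# hint: the guide's own advice for that value, where it gives one.
WATCHED = {
    PL_DIAG + "32.5":   ("IPv4 Refused (src == dest)", "counter", None),
    PL_DIAG + "32.19":  ("IPv4 Packets refused (too many fragments)", "counter",
                         "set IPV4_EXPOSE_FRAGMENT_VIOLATIONS to True to log the affected IP address"),
    PL_DIAG + "32.14":  ("IPv4 Refused (out of fragments)", "counter", None),
    PL_DIAG + "32.11":  ("IPv4 Fragments in queue", "gauge", None),
    PL_DIAG + "126.21": ("IPv6 Overlapping Fragments", "counter",
                         "overlapping fragments are not allowed and are dropped"),
    PL_DIAG + "126.25": ("IPv6 Invalid Ext. Headers", "counter", None),
    PL_DIAG + "126.5":  ("IPv6 Refused (src == dest)", "counter", None),
    PL_DIAG + "28.6":   ("Invalid MPLS frames", "counter", None),
}

COUNTER_MODULUS = 1 << 32   # assumption: Counter32 semantics for the counters


def counter_delta(prev: int, cur: int) -> int:
    """Increase between two polls, correcting a single 32-bit wraparound.

    Without this a wrapped counter looks like a huge negative change and the
    poll is either thrown away or mis-reported.
    """
    if cur >= prev:
        return cur - prev
    return cur + COUNTER_MODULUS - prev


@dataclass
class Finding:
    oid: str
    name: str
    value: float           # events per second for counters, level for gauges
    hint: Optional[str]


def evaluate(prev: Dict[str, int], cur: Dict[str, int], interval_s: float,
             rate_threshold: float = 1.0, gauge_threshold: int = 1000) -> List[Finding]:
    """Compare two polls and return the watched values that deserve a look."""
    findings: List[Finding] = []
    for oid, (name, kind, hint) in WATCHED.items():
        if oid not in cur:
            continue                          # not polled or not exported
        if kind == "counter":
            if oid not in prev:
                continue                      # a rate needs two samples
            rate = counter_delta(prev[oid], cur[oid]) / interval_s
            if rate >= rate_threshold:
                findings.append(Finding(oid, name, rate, hint))
        elif cur[oid] >= gauge_threshold:
            findings.append(Finding(oid, name, float(cur[oid]), hint))
    return findings


# Constructed sample polls 60 s apart (not real device output).
POLL_T0 = {
    PL_DIAG + "32.5":   12,
    PL_DIAG + "32.19":  4294967290,   # six below the 32-bit limit
    PL_DIAG + "32.11":  40,
    PL_DIAG + "126.21": 0,
    PL_DIAG + "28.6":   7,
}
POLL_T1 = {
    PL_DIAG + "32.5":   12,           # unchanged: nothing to report
    PL_DIAG + "32.19":  114,          # wrapped: the real increase is 120
    PL_DIAG + "32.11":  5000,         # reassembly queue far above threshold
    PL_DIAG + "126.21": 600,          # 10 overlapping fragments per second
    PL_DIAG + "28.6":   8,            # one bad MPLS frame a minute: below threshold
}
INTERVAL_S = 60.0


def sample_findings() -> List[Finding]:
    return evaluate(POLL_T0, POLL_T1, INTERVAL_S)


if __name__ == "__main__":
    for f in sample_findings():
        line = f"{f.name} [{f.oid}]: {f.value:g}"
        print(line + (f"  -> {f.hint}" if f.hint else ""))
```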

C.14. Interface

Flow updates missed [OID: 1.3.6.1.4.1.15397.2.1.120.11]

Hostname allocation failures [OID: 1.3.6.1.4.1.15397.2.1.120.13]

Hostname allocations [OID: 1.3.6.1.4.1.15397.2.1.120.15]

New flows [OID: 1.3.6.1.4.1.15397.2.1.120.12]

New flows missed [OID: 1.3.6.1.4.1.15397.2.1.120.10]

Received from engine [OID: 1.3.6.1.4.1.15397.2.1.120.9]

Reordered flow updates [OID: 1.3.6.1.4.1.15397.2.1.120.14]

Sent to engine [OID: 1.3.6.1.4.1.15397.2.1.120.8]

C.15. Ipfix Exporter

Connection table size [OID: 1.3.6.1.4.1.15397.2.1.139.1]
  The size of the table where connection information for IPFIX is stored.

Connection updates [OID: 1.3.6.1.4.1.15397.2.1.139.2]
  The number of updates for connections received by the IPFIX daemon.

Exported Ipfix Messages [OID: 1.3.6.1.4.1.15397.2.1.139.7]
  The number of IPFIX messages sent by the IPFIX exporter.

Exported Records IPv4 [OID: 1.3.6.1.4.1.15397.2.1.139.3]
  The number of IPv4 records exported.

Exported Records IPv6 [OID: 1.3.6.1.4.1.15397.2.1.139.4]
  The number of IPv6 records exported.


Exported Sets IPv4 [OID: 1.3.6.1.4.1.15397.2.1.139.5]
  The number of IPv4 record sets exported.

Exported Sets IPv6 [OID: 1.3.6.1.4.1.15397.2.1.139.6]
  The number of IPv6 record sets exported.

C.16. L2TP

PPP CHAP RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.9]
  The number of PPP CHAP packets seen in L2TP.

PPP CIPv4 RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.7]
  The number of PPP CIPv4 packets seen in L2TP.

PPP CIPv6 RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.8]
  The number of PPP CIPv6 packets seen in L2TP.

PPP IPv4 RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.4]
  The number of PPP IPv4 packets seen in L2TP.

PPP IPv6 RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.5]
  The number of PPP IPv6 packets seen in L2TP.

PPP LCP RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.6]
  The number of PPP LCP packets seen in L2TP.

RX data [OID: 1.3.6.1.4.1.15397.2.1.132.3]
  The number of payload bytes in L2TP packets seen.

RX packets [OID: 1.3.6.1.4.1.15397.2.1.132.2]
  The number of L2TP packets seen.

C.17. Liveview

Active visible NetObjects [OID: 1.3.6.1.4.1.15397.2.1.134.6]
  The number of NetObjects marked as Visible NetObjects containing hosts that are currently active. Currently active means they had traffic during the past connection update interval (default 5 seconds, configurable with CONNECTION_UPDATE_INTERVAL).

Active visible netobject pool exhausted [OID: 1.3.6.1.4.1.15397.2.1.134.9]
  This is the number of times allocating an active visible NetObject has failed. This could indicate that the system configuration value MAX_FULL_VISIBLE_NETOBJECTS should be raised.

Bytes in not accounted in plsd [OID: 1.3.6.1.4.1.15397.2.1.134.11]
  This is the number of inbound bytes that are not accounted because they belong to connections that do not exceed the threshold for accounting defined by the system configuration value PLD_PLSD_CONN_THRESHOLD_IN and were not marked as high priority by the StatisticsObject.

Bytes out not accounted in plsd [OID: 1.3.6.1.4.1.15397.2.1.134.12]
  This is the number of outbound bytes that are not accounted because they belong to connections that do not exceed the threshold for accounting defined by the system configuration value PLD_PLSD_CONN_THRESHOLD_OUT and were not marked as high priority by the StatisticsObject.

Connected PLSD clients [OID: 1.3.6.1.4.1.15397.2.1.134.3]
  This is the number of clients receiving all streams. These are usually statistics receivers.

Connected clients [OID: 1.3.6.1.4.1.15397.2.1.134.2]
  This is the total number of clients connected to the PLD.

DRDL revision [OID: 1.3.6.1.4.1.15397.2.1.134.7]
  This is the revision number of the DRDL Application Recognition Module (ARM) currently installed.

Flow updates not sent to plsd [OID: 1.3.6.1.4.1.15397.2.1.134.13]
  This is the number of flow updates that are withheld from the statistics daemon since they stem from connections that do not exceed the thresholds configured for what shall be stored in statistics.

Hostname allocation failures [OID: 1.3.6.1.4.1.15397.2.1.134.20]
  The number of times allocating a hostname failed.

Hostname allocations [OID: 1.3.6.1.4.1.15397.2.1.134.19]
  The number of hostnames allocated.

Hosts [OID: 1.3.6.1.4.1.15397.2.1.134.4]
  This is the number of hosts seen in the traffic belonging to the network(s) connected to an internal channel interface.

Hosts not created due to exhausted cache [OID: 1.3.6.1.4.1.15397.2.1.134.14]
  This is the number of times a host could not be created because the data structure for holding hosts is full. The system configuration value HOST_NUM_HOSTS needs to be raised.

PLSD buffer usage [OID: 1.3.6.1.4.1.15397.2.1.134.23]
  This is the buffer usage for the statistics daemon.

Properties stored [OID: 1.3.6.1.4.1.15397.2.1.134.17]

Property arrays used [OID: 1.3.6.1.4.1.15397.2.1.134.16]

Property entries used [OID: 1.3.6.1.4.1.15397.2.1.134.15]

Reaper receive buffer usage [OID: 1.3.6.1.4.1.15397.2.1.134.21]

Reaper send buffer usage [OID: 1.3.6.1.4.1.15397.2.1.134.22]

String cache usage [OID: 1.3.6.1.4.1.15397.2.1.134.10]
  This is the number of items in the string cache.

Too many netobjects on a single host [OID: 1.3.6.1.4.1.15397.2.1.134.18]

Uptime [OID: 1.3.6.1.4.1.15397.2.1.134.1]


Visible NetObjects [OID: 1.3.6.1.4.1.15397.2.1.134.5]
  This is the number of visible NetObjects in the ruleset.

Visible netobject pool exhausted [OID: 1.3.6.1.4.1.15397.2.1.134.8]
  This is the number of times allocating a visible NetObject has failed. This could indicate that the system configuration value MAX_VISIBLE_NETOBJECTS should be raised.

C.18. Load Balancer

Blacklisted buckets [OID: 1.3.6.1.4.1.15397.2.1.135.51]
  This is the number of buckets blacklisted by the load balancer (Section 4.4.1.2, “Load Balancer Blacklisting (PL10000/PL20000)”).

Blacklisted packets [OID: 1.3.6.1.4.1.15397.2.1.135.52]
  This is the number of packets shunted or dropped due to blacklisting in the load balancer (Section 4.4.1.2, “Load Balancer Blacklisting (PL10000/PL20000)”).

CPU load [OID: 1.3.6.1.4.1.15397.2.1.135.40]
  CPU load on the load balancer CPU.

CPU power save [OID: 1.3.6.1.4.1.15397.2.1.135.57]

CPU uptime [OID: 1.3.6.1.4.1.15397.2.1.135.39]
  Uptime of the load balancer.

Fabrics allowed [OID: 1.3.6.1.4.1.15397.2.1.135.62]
  This is a bitmask representation of the switch fabrics allowed to be used for communication with flow processors (as defined by the system configuration value LB_FABRICS_ALLOW).

Heartbeat packets lost [OID: 1.3.6.1.4.1.15397.2.1.135.49]
  This is the number of heartbeats sent to flow processors that have been lost.

Heartbeat packets lost (Fabric 1) [OID: 1.3.6.1.4.1.15397.2.1.135.60]

Heartbeat packets lost (Fabric 2) [OID: 1.3.6.1.4.1.15397.2.1.135.61]

Incompatible flowsync packets [OID: 1.3.6.1.4.1.15397.2.1.135.14]
  This is the number of flowsync packets seen that are not the correct version.

Logical ID [OID: 1.3.6.1.4.1.15397.2.1.135.45]
  This is the logical ID of the load balancer CPU.

Logical flow processors [OID: 1.3.6.1.4.1.15397.2.1.135.2]
  This is the list of the logical IDs of the flow processors handled by this load balancer.

Moved buckets [OID: 1.3.6.1.4.1.15397.2.1.135.50]
  This is the number of buckets that have been moved to a different flow processor by the load balancer.


Number of flow processors [OID: 1.3.6.1.4.1.15397.2.1.135.1]
  This is the number of flow processors installed in the system.

Online flow processors [OID: 1.3.6.1.4.1.15397.2.1.135.3]

Out of poll slots [OID: 1.3.6.1.4.1.15397.2.1.135.65]

RX bytes external [OID: 1.3.6.1.4.1.15397.2.1.135.7]
  This is the number of bytes of data received by the load balancer from the external channel interface(s).

RX bytes internal [OID: 1.3.6.1.4.1.15397.2.1.135.6]
  This is the number of bytes of data received by the load balancer from the internal channel interface(s).

RX drops external [OID: 1.3.6.1.4.1.15397.2.1.135.54]

RX drops internal [OID: 1.3.6.1.4.1.15397.2.1.135.53]

RX errors external [OID: 1.3.6.1.4.1.15397.2.1.135.9]
  This is the number of errors in packet reception from the external channel interface(s).

RX errors internal [OID: 1.3.6.1.4.1.15397.2.1.135.8]
  This is the number of errors in packet reception from the internal channel interface(s).

RX packets external [OID: 1.3.6.1.4.1.15397.2.1.135.5]
  This is the number of packets of data received by the load balancer from the external channel interface(s).

RX packets internal [OID: 1.3.6.1.4.1.15397.2.1.135.4]
  This is the number of packets of data received by the load balancer from the internal channel interface(s).

Responding flow processors (Fabric 1) [OID: 1.3.6.1.4.1.15397.2.1.135.58]

Responding flow processors (Fabric 2) [OID: 1.3.6.1.4.1.15397.2.1.135.59]

Shunt bytes external (EoMPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.38]

Shunt bytes external (IPv4 address) [OID: 1.3.6.1.4.1.15397.2.1.135.18]

Shunt bytes external (IPv4 protocol) [OID: 1.3.6.1.4.1.15397.2.1.135.22]

Shunt bytes external (IPv6 address) [OID: 1.3.6.1.4.1.15397.2.1.135.44]

Shunt bytes external (MPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.34]

Shunt bytes external (dot1q) [OID: 1.3.6.1.4.1.15397.2.1.135.30]

Shunt bytes external (ethertype) [OID: 1.3.6.1.4.1.15397.2.1.135.26]

Shunt bytes internal (EoMPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.37]

Shunt bytes internal (IPv4 address) [OID: 1.3.6.1.4.1.15397.2.1.135.17]

Shunt bytes internal (IPv4 protocol) [OID: 1.3.6.1.4.1.15397.2.1.135.21]

Shunt bytes internal (IPv6 address) [OID: 1.3.6.1.4.1.15397.2.1.135.43]


Shunt bytes internal (MPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.33]

Shunt bytes internal (dot1q) [OID: 1.3.6.1.4.1.15397.2.1.135.29]

Shunt bytes internal (ethertype) [OID: 1.3.6.1.4.1.15397.2.1.135.25]

Shunt packets external (EoMPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.36]

Shunt packets external (IPv4 address) [OID: 1.3.6.1.4.1.15397.2.1.135.16]

Shunt packets external (IPv4 protocol) [OID: 1.3.6.1.4.1.15397.2.1.135.20]

Shunt packets external (IPv6 address) [OID: 1.3.6.1.4.1.15397.2.1.135.42]

Shunt packets external (MPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.32]

Shunt packets external (dot1q) [OID: 1.3.6.1.4.1.15397.2.1.135.28]

Shunt packets external (ethertype) [OID: 1.3.6.1.4.1.15397.2.1.135.24]

Shunt packets internal (EoMPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.35]

Shunt packets internal (IPv4 address) [OID: 1.3.6.1.4.1.15397.2.1.135.15]

Shunt packets internal (IPv4 protocol) [OID: 1.3.6.1.4.1.15397.2.1.135.19]

Shunt packets internal (IPv6 address) [OID: 1.3.6.1.4.1.15397.2.1.135.41]

Shunt packets internal (MPLS) [OID: 1.3.6.1.4.1.15397.2.1.135.31]

Shunt packets internal (dot1q) [OID: 1.3.6.1.4.1.15397.2.1.135.27]

Shunt packets internal (ethertype) [OID: 1.3.6.1.4.1.15397.2.1.135.23]

TX direct external [OID: 1.3.6.1.4.1.15397.2.1.135.11]
  This is the number of packets forwarded directly to the external channel interface(s) without being processed by a flow processor.

TX direct external not allowed [OID: 1.3.6.1.4.1.15397.2.1.135.64]

TX direct internal [OID: 1.3.6.1.4.1.15397.2.1.135.10]
  This is the number of packets forwarded directly to the internal channel interface(s) without being processed by a flow processor.

TX direct internal not allowed [OID: 1.3.6.1.4.1.15397.2.1.135.63]

TX drops external [OID: 1.3.6.1.4.1.15397.2.1.135.13]
  This is the number of packets dropped in transmission on the external channel interface(s).

TX drops internal [OID: 1.3.6.1.4.1.15397.2.1.135.12]
  This is the number of packets dropped in transmission on the internal channel interface(s).

TX flowsync packets [OID: 1.3.6.1.4.1.15397.2.1.135.46]

TX packets LB channel external [OID: 1.3.6.1.4.1.15397.2.1.135.56]


TX packets LB channel internal [OID: 1.3.6.1.4.1.15397.2.1.135.55]

TX packets external [OID: 1.3.6.1.4.1.15397.2.1.135.48]

TX packets internal [OID: 1.3.6.1.4.1.15397.2.1.135.47]

C.19. PPPoE

Control packets [OID: 1.3.6.1.4.1.15397.2.1.96.3]
  This is the number of PPPoE control packets received.

IPv4 packets [OID: 1.3.6.1.4.1.15397.2.1.96.6]
  This is the number of IPv4 packets received in PPPoE frames.

IPv6 packets [OID: 1.3.6.1.4.1.15397.2.1.96.8]
  This is the number of IPv6 packets received in PPPoE frames.

Non IP packets [OID: 1.3.6.1.4.1.15397.2.1.96.7]
  This is the number of non-IP packets received in PPPoE frames.

Packets with unknown version [OID: 1.3.6.1.4.1.15397.2.1.96.2]
  This is the number of packets received with an unknown PPPoE version.

Padded packets [OID: 1.3.6.1.4.1.15397.2.1.96.5]
  This is the number of padded PPPoE frames received.

Short Packets dropped [OID: 1.3.6.1.4.1.15397.2.1.96.1]
  This is the number of invalidly short PPPoE frames received (and dropped).

Truncated packets dropped [OID: 1.3.6.1.4.1.15397.2.1.96.4]
  This is the number of truncated PPPoE frames received (and dropped).

C.20. Packet Processing

CPU Load [OID: 1.3.6.1.4.1.15397.2.1.8.15]
  This is the processing load, in percent of maximum capacity, on the flow processor(s) and threads.

CPU power save [OID: 1.3.6.1.4.1.15397.2.1.8.25]

CPU uptime [OID: 1.3.6.1.4.1.15397.2.1.8.17]
  This is the time a packet processor CPU has been running.

DMA-allocated packets [OID: 1.3.6.1.4.1.15397.2.1.8.13]

Free memory [OID: 1.3.6.1.4.1.15397.2.1.8.16]
  This is the amount of free memory available to a packet processor CPU.

Load balancer drops [OID: 1.3.6.1.4.1.15397.2.1.8.22]

Load balancer queue length [OID: 1.3.6.1.4.1.15397.2.1.8.24]

NIC RX drops [OID: 1.3.6.1.4.1.15397.2.1.8.23]


Overload mode [OID: 1.3.6.1.4.1.15397.2.1.8.27]

Packets left in pool [OID: 1.3.6.1.4.1.15397.2.1.8.10]
  This is the number of packets left in the internal packet pool for each flow processor and thread.

RX drops [OID: 1.3.6.1.4.1.15397.2.1.8.2]
  This is the number of packets dropped on reception by each flow processor and thread.

RX packets [OID: 1.3.6.1.4.1.15397.2.1.8.1]
  This is the number of packets received by each flow processor and thread.

TX drops [OID: 1.3.6.1.4.1.15397.2.1.8.7]
  This is the number of packets dropped on transmission by each flow processor and thread.

TX packets [OID: 1.3.6.1.4.1.15397.2.1.8.6]
  This is the number of packets transmitted by each flow processor and thread.

TX packets not allowed [OID: 1.3.6.1.4.1.15397.2.1.8.26]

C.21. Queue Sync

(ext entries) Received update entries [OID: 1.3.6.1.4.1.15397.2.1.123.13]

(ext entries) Sent update entries [OID: 1.3.6.1.4.1.15397.2.1.123.14]

(ext sendbuffer) Entries dropped due to full sendbuffer [OID: 1.3.6.1.4.1.15397.2.1.123.17]

(ext sendbuffer) Sendbuffer usage [OID: 1.3.6.1.4.1.15397.2.1.123.18]

(ext status) Invalid packets received [OID: 1.3.6.1.4.1.15397.2.1.123.30]

(ext status) Status packets late/out of order [OID: 1.3.6.1.4.1.15397.2.1.123.32]

(ext status) Status packets lost [OID: 1.3.6.1.4.1.15397.2.1.123.31]

(ext status) Status packets received [OID: 1.3.6.1.4.1.15397.2.1.123.28]

(ext status) Status packets sent [OID: 1.3.6.1.4.1.15397.2.1.123.27]

(ext status) Version mismatch in status packets received [OID: 1.3.6.1.4.1.15397.2.1.123.29]

(ext timeout) Last timeout of peer [OID: 1.3.6.1.4.1.15397.2.1.123.34]

(ext timeout) Number of timeouts of peer [OID: 1.3.6.1.4.1.15397.2.1.123.33]

(ext update) Packets with mismatching ruleset received [OID: 1.3.6.1.4.1.15397.2.1.123.25]

(ext update) Update packets lost [OID: 1.3.6.1.4.1.15397.2.1.123.26]

(ext update) Update packets received [OID: 1.3.6.1.4.1.15397.2.1.123.24]

(ext update) Update packets sent [OID: 1.3.6.1.4.1.15397.2.1.123.23]

(ext) Last seen peer [OID: 1.3.6.1.4.1.15397.2.1.123.21]


(ext) Number of peers This is the number of peers connected for external queue synchronization. OID: 1.3.6.1.4.1.15397.2.1.123.9

(ext) Short erroneous packets received OID: 1.3.6.1.4.1.15397.2.1.123.22

(ext) Split object age timeout This is the number of times an entry (representing a queue in a ShapingObject) has been removed from the queue sync table due to not being used within the timeout. OID: 1.3.6.1.4.1.15397.2.1.123.12

Ignored out of order updates OID: 1.3.6.1.4.1.15397.2.1.123.19

Ignored updates (generation wrap) OID: 1.3.6.1.4.1.15397.2.1.123.20

Object adjustments sent This is the number of queue synchronization messages sent requesting adjustments of a ShapingObject queue. OID: 1.3.6.1.4.1.15397.2.1.123.8

Qsync not run because unsynced objects This is the number of occurrences of reapers in a PL10000/PL20000 system not having identical objects, which means queues are not synced. This can typically happen when the ruleset is reloaded. OID: 1.3.6.1.4.1.15397.2.1.123.16

Split entries active (reaper) This is the number of split entries (queues syncing) for all reapers in the PL10000/PL20000 system. OID: 1.3.6.1.4.1.15397.2.1.123.5

Split entries active (sum) This is the total number of split entries that PLD manages when duplicates are counted as one entry. OID: 1.3.6.1.4.1.15397.2.1.123.7

Split entries created (reaper) This is the number of split entries that are created. OID: 1.3.6.1.4.1.15397.2.1.123.4

Split entries on free list (sum) This is the number of split entries that have been put on the free list, making them available for reuse. OID: 1.3.6.1.4.1.15397.2.1.123.6

Updates received for unknown object This is the number of queue synchronization updates received for an object not known by the local engine. OID: 1.3.6.1.4.1.15397.2.1.123.3

Updates received from reapers This is the number of queue synchronization updates received from reapers on packet processing CPUs. OID: 1.3.6.1.4.1.15397.2.1.123.1

Updates received from reapers with old ruleset This is the number of queue synchronization updates received from reapers where the reaper did not have an up-to-date ruleset. OID: 1.3.6.1.4.1.15397.2.1.123.2

C.22. Ruleset

BGP path lookups OID: 1.3.6.1.4.1.15397.2.1.64.12


Bitmask average number of words OID: 1.3.6.1.4.1.15397.2.1.64.15

Bitmask max number of words OID: 1.3.6.1.4.1.15397.2.1.64.16

Different number of prefix lengths used for dynamic IPv4 rules OID: 1.3.6.1.4.1.15397.2.1.64.51

Dynamic ip loading failures (allocation failure) This is the number of times a dynamic IP failed to be loaded because it could not be allocated. The system configuration value MAX_DYNAMIC_IPS must be raised. OID: 1.3.6.1.4.1.15397.2.1.64.41

Dynamic ip loading failures (oversized) This is the number of times a dynamic IP failed to be loaded because it caused a NetObject to match too many dynamic rules (split-by). The system configuration value MAX_DYNAMIC_RULES_PER_NO needs to be raised. OID: 1.3.6.1.4.1.15397.2.1.64.42

Dynamic ips added This is the number of dynamic IPs added that are affected by a rule. Note that Host NetObject conditions will cause an increment of two, one for client and one for server. OID: 1.3.6.1.4.1.15397.2.1.64.17

Dynamic ips current This is the number of dynamic IPs currently existing that are affected by a rule. Note that Host NetObject conditions will cause an increment/decrement of two, one for client and one for server. OID: 1.3.6.1.4.1.15397.2.1.64.23

Dynamic ips removed This is the number of dynamic IPs removed that were affected by a rule. Note that Host NetObject conditions will cause a decrement of two, one for client and one for server. OID: 1.3.6.1.4.1.15397.2.1.64.18

FW rules loaded OID: 1.3.6.1.4.1.15397.2.1.64.5

Flow ruleset recalcs from bgp OID: 1.3.6.1.4.1.15397.2.1.64.34

Flow ruleset recalcs from state OID: 1.3.6.1.4.1.15397.2.1.64.35

Flow ruleset recalcs from time OID: 1.3.6.1.4.1.15397.2.1.64.33

Flow ruleset recalcs from version OID: 1.3.6.1.4.1.15397.2.1.64.32

Flow ruleset statechanges OID: 1.3.6.1.4.1.15397.2.1.64.27

Flow ruleset statechanges (aspath) OID: 1.3.6.1.4.1.15397.2.1.64.31

Flow ruleset statechanges (flags) OID: 1.3.6.1.4.1.15397.2.1.64.30

Flow ruleset statechanges (linklevel) OID: 1.3.6.1.4.1.15397.2.1.64.39

Flow ruleset statechanges (prop) OID: 1.3.6.1.4.1.15397.2.1.64.28

Flow ruleset statechanges (service) OID: 1.3.6.1.4.1.15397.2.1.64.29

Flow ruleset statechanges (ttl) OID: 1.3.6.1.4.1.15397.2.1.64.44


Last ruleset reload This is the time when the current ruleset was loaded. OID: 1.3.6.1.4.1.15397.2.1.64.22

NatCfg: Dynamic natcfg allocation failures OID: 1.3.6.1.4.1.15397.2.1.64.47

NatCfg: Dynamic natcfg parsing failures OID: 1.3.6.1.4.1.15397.2.1.64.48

NatCfg: Lookup of non-existing dynamic natcfg OID: 1.3.6.1.4.1.15397.2.1.64.49

NatCfg: Number of added dynamic natcfg to current ruleset OID: 1.3.6.1.4.1.15397.2.1.64.45

NatCfg: Number of added dynamic natcfg to next ruleset OID: 1.3.6.1.4.1.15397.2.1.64.46

Nodes in BGP-tree This is the number of nodes in the BGP tree. This is different from the number of prefixes because PacketLogic will compile the prefixes into a tree with no overlapping nodes. OID: 1.3.6.1.4.1.15397.2.1.64.10

Nodes in Client IP-tree OID: 1.3.6.1.4.1.15397.2.1.64.7

Nodes in Local IP-tree This is the number of nodes in the local IP tree. The local IP tree contains the IP addresses of all hosts that have appeared on a local channel interface, and is used to determine whether a host is local or not. OID: 1.3.6.1.4.1.15397.2.1.64.25

Nodes in Server IP-tree OID: 1.3.6.1.4.1.15397.2.1.64.8

Number of ASPaths This is the number of distinct ASPaths. This is different from the number of AS numbers. OID: 1.3.6.1.4.1.15397.2.1.64.9

Number of added subscribers This is the number of subscribers added. OID: 1.3.6.1.4.1.15397.2.1.64.37

Old or corrupted AS-path entry OID: 1.3.6.1.4.1.15397.2.1.64.38

Property checks This is the number of properties checked by the ruleset. This is a rather expensive operation. OID: 1.3.6.1.4.1.15397.2.1.64.13

RX packets This is the number of packets received by the ruleset. OID: 1.3.6.1.4.1.15397.2.1.64.1

Ruleset recalcs with outdated service ruleset OID: 1.3.6.1.4.1.15397.2.1.64.36

Shaping rules loaded OID: 1.3.6.1.4.1.15397.2.1.64.6

Split on unknown subscriber OID: 1.3.6.1.4.1.15397.2.1.64.43

Statistics rules loaded OID: 1.3.6.1.4.1.15397.2.1.64.24

Subscriber allocation failures This is the number of times a subscriber could not be allocated. OID: 1.3.6.1.4.1.15397.2.1.64.40

Too many matching statistics rules This is the number of times the ruleset has been recalculated and a packet has matched too many statistics rules. OID: 1.3.6.1.4.1.15397.2.1.64.26


C.23. Ruleset Compiler

Reaper receive buffer usage OID: 1.3.6.1.4.1.15397.2.1.138.1

Reaper send buffer usage OID: 1.3.6.1.4.1.15397.2.1.138.2

C.24. Shaping

AQM packet drops OID: 1.3.6.1.4.1.15397.2.1.88.74

BROWN per connection drops This is the number of packets dropped by BROWN (the Active Queue Management (AQM) algorithm used by PacketLogic) to maintain connection fairness. These packets are dropped when a certain flow is deemed to have used too much queue and the queue length is greater than the configured latency goal. OID: 1.3.6.1.4.1.15397.2.1.88.8

BROWN per host drops This is the number of packets dropped by BROWN (the Active Queue Management (AQM) algorithm used by PacketLogic) to maintain host fairness. These packets are dropped when a certain host is deemed to have used too much queue and the queue length is greater than the configured latency goal. OID: 1.3.6.1.4.1.15397.2.1.88.48

CPS limit drops This is the number of packets dropped to enforce CPS limits. OID: 1.3.6.1.4.1.15397.2.1.88.64

Delayed Polls OID: 1.3.6.1.4.1.15397.2.1.88.75

Dequeue calls OID: 1.3.6.1.4.1.15397.2.1.88.41

Dequeued bytes This is the number of bytes dequeued from the shaping queues. OID: 1.3.6.1.4.1.15397.2.1.88.12

Dequeued packets This is the number of packets dequeued from the shaping queues. OID: 1.3.6.1.4.1.15397.2.1.88.2

Directly sent bytes This is the number of bytes queued and dequeued from the shaping queues without delay. OID: 1.3.6.1.4.1.15397.2.1.88.45

Directly sent bytes (prio 0) OID: 1.3.6.1.4.1.15397.2.1.88.69

Directly sent packets This is the number of packets queued and dequeued from the shaping queues without delay. OID: 1.3.6.1.4.1.15397.2.1.88.44

ECN Marked Packets OID: 1.3.6.1.4.1.15397.2.1.88.73

Enqueued bytes This is the number of bytes enqueued to the shaping queues. OID: 1.3.6.1.4.1.15397.2.1.88.11

Enqueued packets This is the number of packets enqueued to the shaping queues. OID: 1.3.6.1.4.1.15397.2.1.88.1

Host fairness data allocation failures OID: 1.3.6.1.4.1.15397.2.1.88.65


Host fairness data used OID: 1.3.6.1.4.1.15397.2.1.88.66

Object checks OID: 1.3.6.1.4.1.15397.2.1.88.17

Object copies This is the number of ShapingObject copies. OID: 1.3.6.1.4.1.15397.2.1.88.13

Object copies created This is the number of ShapingObject copies created. OID: 1.3.6.1.4.1.15397.2.1.88.72

Object max connections reached This is the number of connections refused because a ShapingObject has reached its configured maximum number of simultaneous connections. OID: 1.3.6.1.4.1.15397.2.1.88.49

Out of packets drops This is the number of packets dropped because the packet pool is exhausted. This will effectively cripple the shaping engine. OID: 1.3.6.1.4.1.15397.2.1.88.15

Packets received This is the number of packets received by the shaping engine. OID: 1.3.6.1.4.1.15397.2.1.88.16

Queue pool exhausted OID: 1.3.6.1.4.1.15397.2.1.88.51

Queue size OID: 1.3.6.1.4.1.15397.2.1.88.9

Queuing drops (all types) This is the number of packets dropped by the shaping. OID: 1.3.6.1.4.1.15397.2.1.88.37

Queuing drops (other prio) OID: 1.3.6.1.4.1.15397.2.1.88.63

Queuing drops (prio 1) OID: 1.3.6.1.4.1.15397.2.1.88.54

Queuing drops (prio 2) OID: 1.3.6.1.4.1.15397.2.1.88.55

Queuing drops (prio 3) OID: 1.3.6.1.4.1.15397.2.1.88.56

Queuing drops (prio 4) OID: 1.3.6.1.4.1.15397.2.1.88.57

Queuing drops (prio 5) OID: 1.3.6.1.4.1.15397.2.1.88.58

Queuing drops (prio 6) OID: 1.3.6.1.4.1.15397.2.1.88.59

Queuing drops (prio 7) OID: 1.3.6.1.4.1.15397.2.1.88.60

Queuing drops (prio 8) OID: 1.3.6.1.4.1.15397.2.1.88.61

Queuing drops (prio 9) OID: 1.3.6.1.4.1.15397.2.1.88.62

Rule sets OID: 1.3.6.1.4.1.15397.2.1.88.10

Skipped qsync updates (no xfer) OID: 1.3.6.1.4.1.15397.2.1.88.71

Too many dynamic objects This is the number of packets dropped because the maximum number of ShapingObjects was exceeded. This can happen if a rule uses a ShapingObject with Split by Local Host. In that case, PacketLogic dynamically creates object instances according to the number of local hosts. In case there is an instantaneous peak in the number of local hosts causing object instances to be created, some will fail and the packets that were to go into object instances that were not created are dropped. This behaviour is harmless unless it is recurring and persistent. OID: 1.3.6.1.4.1.15397.2.1.88.25

Too many matching rules This is the number of times the matching rules for a connection exceeded SHAPING_MAX_RULES_PER_CONNECTION (configurable in system configuration), and thus the packet was dropped. OID: 1.3.6.1.4.1.15397.2.1.88.32

Too many shaping objects matching a connection OID: 1.3.6.1.4.1.15397.2.1.88.31

Unresponsive Connections Detected OID: 1.3.6.1.4.1.15397.2.1.88.76

Unshaped bytes This is the number of bytes received by the shaping engine that did not match any shaping rules. OID: 1.3.6.1.4.1.15397.2.1.88.40

Unshaped packets This is the number of packets received by the shaping engine that did not match any shaping rules. OID: 1.3.6.1.4.1.15397.2.1.88.39

C.25. Shaping Counter

Active clients This is the number of clients receiving counter updates. OID: 1.3.6.1.4.1.15397.2.1.124.3

Active counters This is the number of counters existing. OID: 1.3.6.1.4.1.15397.2.1.124.2

Recycles This is the number of times an existing counter has been reset to be used by another object, because the number of counters exceeds the system configuration value SHAPING_COUNTERS_MAX. OID: 1.3.6.1.4.1.15397.2.1.124.4

Updates crossing granularity boundary received This is the number of updates from shaping counters received that are larger than the granularity boundary defined by the system configuration value SHAPING_COUNTERS_GRANULARITY_SHIFT. This means the update will be sent to those who have requested the counter (usually a VBS controller). OID: 1.3.6.1.4.1.15397.2.1.124.5

Updates received This is the total number of updates received from shaping counters. OID: 1.3.6.1.4.1.15397.2.1.124.1

C.26. Statistics

Bandwidth used OID: 1.3.6.1.4.1.15397.2.1.136.31

Connection Bytes Accounted In OID: 1.3.6.1.4.1.15397.2.1.136.39


Connection Bytes Accounted Out OID: 1.3.6.1.4.1.15397.2.1.136.40

Connection Bytes Unaccounted In OID: 1.3.6.1.4.1.15397.2.1.136.41

Connection Bytes Unaccounted Out OID: 1.3.6.1.4.1.15397.2.1.136.42

Connection Properties Hashtables OID: 1.3.6.1.4.1.15397.2.1.136.38

Connection Properties count OID: 1.3.6.1.4.1.15397.2.1.136.37

Connection table size OID: 1.3.6.1.4.1.15397.2.1.136.15

Connection updates OID: 1.3.6.1.4.1.15397.2.1.136.17

Connection updates (Full) OID: 1.3.6.1.4.1.15397.2.1.136.18

Connection updates (New) OID: 1.3.6.1.4.1.15397.2.1.136.19

Connection updates (Threshold Filtered) OID: 1.3.6.1.4.1.15397.2.1.136.20

Connections dropped (Cache Exhausted) OID: 1.3.6.1.4.1.15397.2.1.136.21

Connects OID: 1.3.6.1.4.1.15397.2.1.136.33

Connlog connections added OID: 1.3.6.1.4.1.15397.2.1.136.23

Connlog connections dumped OID: 1.3.6.1.4.1.15397.2.1.136.25

Connlog connections stored OID: 1.3.6.1.4.1.15397.2.1.136.22

Connlog dumptime OID: 1.3.6.1.4.1.15397.2.1.136.26

Connlog entries dropped OID: 1.3.6.1.4.1.15397.2.1.136.30

Connlog entries incomplete OID: 1.3.6.1.4.1.15397.2.1.136.36

Connlog time remaining OID: 1.3.6.1.4.1.15397.2.1.136.24

Corrupted value paths OID: 1.3.6.1.4.1.15397.2.1.136.43

Dump time OID: 1.3.6.1.4.1.15397.2.1.136.1

Hosts OID: 1.3.6.1.4.1.15397.2.1.136.16

Links in dataset OID: 1.3.6.1.4.1.15397.2.1.136.4

Memory usage (RAM) OID: 1.3.6.1.4.1.15397.2.1.136.35

Memory usage (Virtual) OID: 1.3.6.1.4.1.15397.2.1.136.34

Recv Ringbuf usage (Collector) OID: 1.3.6.1.4.1.15397.2.1.136.28

Time connected OID: 1.3.6.1.4.1.15397.2.1.136.32

Time of last dump OID: 1.3.6.1.4.1.15397.2.1.136.27

Value lookups OID: 1.3.6.1.4.1.15397.2.1.136.10

Value updates(Bytes) OID: 1.3.6.1.4.1.15397.2.1.136.11

Value updates(Conns) OID: 1.3.6.1.4.1.15397.2.1.136.13


Value updates, High Priority (Bytes) OID: 1.3.6.1.4.1.15397.2.1.136.12

Value updates, High Priority (Conns) OID: 1.3.6.1.4.1.15397.2.1.136.14

Values filtered OID: 1.3.6.1.4.1.15397.2.1.136.8

Values in dataset OID: 1.3.6.1.4.1.15397.2.1.136.2

Values in dataset (delayed expand) OID: 1.3.6.1.4.1.15397.2.1.136.3

Values in dataset(Aggregation) OID: 1.3.6.1.4.1.15397.2.1.136.5

Values not created, Cache exhausted OID: 1.3.6.1.4.1.15397.2.1.136.6

Values not created, Priority Threshold OID: 1.3.6.1.4.1.15397.2.1.136.7

Values sent to Statwriter OID: 1.3.6.1.4.1.15397.2.1.136.9

C.27. Statistics Writer

Dataset Values OID: 1.3.6.1.4.1.15397.2.1.137.4

Dataset Values Dropped (Global Index exhausted) OID: 1.3.6.1.4.1.15397.2.1.137.7

Dataset Values Dropped (Symlink target not found) OID: 1.3.6.1.4.1.15397.2.1.137.8

Dataset Values Dropped (cache exhausted) OID: 1.3.6.1.4.1.15397.2.1.137.5

Dataset Values Dropped (malformed name) OID: 1.3.6.1.4.1.15397.2.1.137.6

Dataset values, New Daily Indexes OID: 1.3.6.1.4.1.15397.2.1.137.11

Dataset values, New Global Indexes OID: 1.3.6.1.4.1.15397.2.1.137.9

Dataset values, New Global collisions OID: 1.3.6.1.4.1.15397.2.1.137.10

Dataset values, Updates (Graphs) OID: 1.3.6.1.4.1.15397.2.1.137.13

Dataset values, Updates (Totals) OID: 1.3.6.1.4.1.15397.2.1.137.12

Dataset, Begin OID: 1.3.6.1.4.1.15397.2.1.137.1

Dataset, End OID: 1.3.6.1.4.1.15397.2.1.137.2

Dataset, Sessions OID: 1.3.6.1.4.1.15397.2.1.137.3

Dataset, Time for Daily Index file I/O OID: 1.3.6.1.4.1.15397.2.1.137.16

Dataset, Time for Globals file I/O OID: 1.3.6.1.4.1.15397.2.1.137.15

Dataset, Time for Graph file I/O OID: 1.3.6.1.4.1.15397.2.1.137.18

Dataset, Time for Totals file I/O OID: 1.3.6.1.4.1.15397.2.1.137.17

Dataset, Total Write time OID: 1.3.6.1.4.1.15397.2.1.137.14

Statisticsfs, Daily Graph data usage (Bytes) OID: 1.3.6.1.4.1.15397.2.1.137.23

Statisticsfs, Daily Totals file blocks OID: 1.3.6.1.4.1.15397.2.1.137.22


Statisticsfs, Disk Size OID: 1.3.6.1.4.1.15397.2.1.137.25

Statisticsfs, Disk Usage OID: 1.3.6.1.4.1.15397.2.1.137.24

Statisticsfs, Disk Usage Per Day OID: 1.3.6.1.4.1.15397.2.1.137.28

Statisticsfs, Values (Daily Indexes) OID: 1.3.6.1.4.1.15397.2.1.137.21

Statisticsfs, Values (Global Collisions) OID: 1.3.6.1.4.1.15397.2.1.137.20

Statisticsfs, Values (Global Indexes) OID: 1.3.6.1.4.1.15397.2.1.137.19

Statwriter, Peak memory usage OID: 1.3.6.1.4.1.15397.2.1.137.29

System, Disk Size OID: 1.3.6.1.4.1.15397.2.1.137.27

System, Disk Usage OID: 1.3.6.1.4.1.15397.2.1.137.26

C.28. System

CPU load OID: 1.3.6.1.4.1.15397.2.1.133.1

Context switches OID: 1.3.6.1.4.1.15397.2.1.133.14

Free RAM OID: 1.3.6.1.4.1.15397.2.1.133.3

Free swap OID: 1.3.6.1.4.1.15397.2.1.133.5

Interface bytes received OID: 1.3.6.1.4.1.15397.2.1.133.9

Interface bytes sent OID: 1.3.6.1.4.1.15397.2.1.133.10

Interface packets received OID: 1.3.6.1.4.1.15397.2.1.133.11

Interface packets sent OID: 1.3.6.1.4.1.15397.2.1.133.12

Interrupts OID: 1.3.6.1.4.1.15397.2.1.133.13

System disk size OID: 1.3.6.1.4.1.15397.2.1.133.8

System disk usage OID: 1.3.6.1.4.1.15397.2.1.133.7

Total RAM OID: 1.3.6.1.4.1.15397.2.1.133.2

Total swap OID: 1.3.6.1.4.1.15397.2.1.133.4

Uptime OID: 1.3.6.1.4.1.15397.2.1.133.6

C.29. TCPv4

Congestion Window Reduced Packets OID: 1.3.6.1.4.1.15397.2.1.48.41

Connection create attempts This is the number of TCPv4 connection attempts. Some of these might get refused by filtering rules or connection protection. OID: 1.3.6.1.4.1.15397.2.1.48.4

Connections created This is the number of TCPv4 connections actually created. OID: 1.3.6.1.4.1.15397.2.1.48.5


Connections with segments OID: 1.3.6.1.4.1.15397.2.1.48.27

Dequeued segments OID: 1.3.6.1.4.1.15397.2.1.48.35

Discarded segments OID: 1.3.6.1.4.1.15397.2.1.48.36

Enqueued segments OID: 1.3.6.1.4.1.15397.2.1.48.34

Explicit Congestion Notification Echo Packets OID: 1.3.6.1.4.1.15397.2.1.48.42

Goodput bytes This is the number of application (L4 payload) bytes received. OID: 1.3.6.1.4.1.15397.2.1.48.15

Goodput packets This is the number of application (L4 payload) packets received. OID: 1.3.6.1.4.1.15397.2.1.48.14

Ignored segments OID: 1.3.6.1.4.1.15397.2.1.48.18

Out of window packets (ignored) OID: 1.3.6.1.4.1.15397.2.1.48.28

Out-of-sync bytes OID: 1.3.6.1.4.1.15397.2.1.48.39

Out-of-sync connections OID: 1.3.6.1.4.1.15397.2.1.48.12

Out-of-sync packets OID: 1.3.6.1.4.1.15397.2.1.48.38

Packet allocation failures This is the number of allocation failures. Allocation failures on this level will stop the TCP reordering from working properly. OID: 1.3.6.1.4.1.15397.2.1.48.19

Packets refused by lowlevel filter This is the number of TCPv4 packets refused by the low level filter. OID: 1.3.6.1.4.1.15397.2.1.48.29

Packets with corrupt conn OID: 1.3.6.1.4.1.15397.2.1.48.26

Packets with corrupt options This is the number of TCPv4 packets received with corrupted TCP options. OID: 1.3.6.1.4.1.15397.2.1.48.25

Packets without payload OID: 1.3.6.1.4.1.15397.2.1.48.37

RX bytes This is the number of TCPv4 bytes received. OID: 1.3.6.1.4.1.15397.2.1.48.2

RX packets This is the number of TCPv4 packets received. OID: 1.3.6.1.4.1.15397.2.1.48.1

Refused (broadcast) This is the number of broadcasted TCPv4 packets that are dropped. OID: 1.3.6.1.4.1.15397.2.1.48.8

Refused (offset) This is the number of packets dropped because the indicated payload is larger than the packet size. OID: 1.3.6.1.4.1.15397.2.1.48.9

Refused (ruleset) This is the number of packets refused by the ruleset. OID: 1.3.6.1.4.1.15397.2.1.48.6

Refused (short) This is the number of packets refused because they are invalidly short. OID: 1.3.6.1.4.1.15397.2.1.48.7


Rejected packets This is the number of packets rejected by reject actions in filtering. OID: 1.3.6.1.4.1.15397.2.1.48.10

Retransmitted packets OID: 1.3.6.1.4.1.15397.2.1.48.40

SYN packets for existing connections This is the number of SYN packets received for connections that PacketLogic considers to already exist. OID: 1.3.6.1.4.1.15397.2.1.48.32

Saved segments OID: 1.3.6.1.4.1.15397.2.1.48.16

Saved segments with payload OID: 1.3.6.1.4.1.15397.2.1.48.17

Segment allocation failures OID: 1.3.6.1.4.1.15397.2.1.48.33

Simultaneous Open OID: 1.3.6.1.4.1.15397.2.1.48.43

Untracked bytes OID: 1.3.6.1.4.1.15397.2.1.48.24

Untracked bytes (goodput) OID: 1.3.6.1.4.1.15397.2.1.48.23

Untracked packets OID: 1.3.6.1.4.1.15397.2.1.48.13

C.30. TCPv6

Congestion Window Reduced Packets OID: 1.3.6.1.4.1.15397.2.1.127.41

Connection create attempts This is the number of TCPv6 connection attempts. Some of these might get refused by filtering rules or connection protection. OID: 1.3.6.1.4.1.15397.2.1.127.4

Connections created This is the number of TCPv6 connections actually created. OID: 1.3.6.1.4.1.15397.2.1.127.5

Connections with segments OID: 1.3.6.1.4.1.15397.2.1.127.27

Dequeued segments OID: 1.3.6.1.4.1.15397.2.1.127.35

Discarded segments OID: 1.3.6.1.4.1.15397.2.1.127.36

Enqueued segments OID: 1.3.6.1.4.1.15397.2.1.127.34

Explicit Congestion Notification Echo Packets OID: 1.3.6.1.4.1.15397.2.1.127.42

Goodput bytes This is the number of application (L4 payload) bytes received. OID: 1.3.6.1.4.1.15397.2.1.127.15

Goodput packets This is the number of application (L4 payload) packets received. OID: 1.3.6.1.4.1.15397.2.1.127.14

Ignored segments OID: 1.3.6.1.4.1.15397.2.1.127.18

Out of window packets (ignored) OID: 1.3.6.1.4.1.15397.2.1.127.28

Out-of-sync bytes OID: 1.3.6.1.4.1.15397.2.1.127.39

Out-of-sync connections OID: 1.3.6.1.4.1.15397.2.1.127.12


Out-of-sync packets OID: 1.3.6.1.4.1.15397.2.1.127.38

Packet allocation failures This is the number of allocation failures. Allocation failures on this level will stop the TCP reordering from working properly. OID: 1.3.6.1.4.1.15397.2.1.127.19

Packets refused by lowlevel filter This is the number of TCPv6 packets refused by the low level filter. OID: 1.3.6.1.4.1.15397.2.1.127.29

Packets with corrupt conn OID: 1.3.6.1.4.1.15397.2.1.127.26

Packets with corrupt options This is the number of TCPv6 packets received with corrupted TCP options. OID: 1.3.6.1.4.1.15397.2.1.127.25

Packets without payload OID: 1.3.6.1.4.1.15397.2.1.127.37

RX bytes This is the number of TCPv6 bytes received. OID: 1.3.6.1.4.1.15397.2.1.127.2

RX packets This is the number of TCPv6 packets received. OID: 1.3.6.1.4.1.15397.2.1.127.1

Refused (broadcast) This is the number of broadcasted TCPv6 packets that are dropped. OID: 1.3.6.1.4.1.15397.2.1.127.8

Refused (offset) This is the number of packets dropped because the indicated payload is larger than the packet size. OID: 1.3.6.1.4.1.15397.2.1.127.9

Refused (ruleset) This is the number of packets refused by the ruleset. OID: 1.3.6.1.4.1.15397.2.1.127.6

Refused (short) This is the number of packets refused because they are invalidly short. OID: 1.3.6.1.4.1.15397.2.1.127.7

Rejected packets This is the number of packets rejected by reject actions in filtering. OID: 1.3.6.1.4.1.15397.2.1.127.10

Retransmitted packets OID: 1.3.6.1.4.1.15397.2.1.127.40

SYN packets for existing connections This is the number of SYN packets received for connections that are considered to already exist. OID: 1.3.6.1.4.1.15397.2.1.127.32

Saved segments OID: 1.3.6.1.4.1.15397.2.1.127.16

Saved segments with payload OID: 1.3.6.1.4.1.15397.2.1.127.17

Segment allocation failures OID: 1.3.6.1.4.1.15397.2.1.127.33

Simultaneous Open OID: 1.3.6.1.4.1.15397.2.1.127.43

Untracked bytes OID: 1.3.6.1.4.1.15397.2.1.127.24

Untracked bytes (goodput) OID: 1.3.6.1.4.1.15397.2.1.127.23

Untracked packets OID: 1.3.6.1.4.1.15397.2.1.127.13


C.31. Teredo

Authentication headers OID: 1.3.6.1.4.1.15397.2.1.128.5

Origin indication headers OID: 1.3.6.1.4.1.15397.2.1.128.4

RX data OID: 1.3.6.1.4.1.15397.2.1.128.3

RX packets OID: 1.3.6.1.4.1.15397.2.1.128.2

Teredo packets inside fragments OID: 1.3.6.1.4.1.15397.2.1.128.6

C.32. Tunnel

ESP Tunnel Contexts OID: 1.3.6.1.4.1.15397.2.1.130.3

GRE Tunnel Contexts OID: 1.3.6.1.4.1.15397.2.1.130.5

GTP Tunnel Contexts OID: 1.3.6.1.4.1.15397.2.1.130.2

Generic Tunnel Contexts OID: 1.3.6.1.4.1.15397.2.1.130.8

L2TP Tunnel Contexts OID: 1.3.6.1.4.1.15397.2.1.130.10

Packets For Known Tunnels OID: 1.3.6.1.4.1.15397.2.1.130.9

Packets For Unknown Tunnels OID: 1.3.6.1.4.1.15397.2.1.130.6

Teredo Tunnel Contexts OID: 1.3.6.1.4.1.15397.2.1.130.4

Tunnels With Duplicate Keys OID: 1.3.6.1.4.1.15397.2.1.130.7
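A way to put these diagnostics values to use, as an added example that is not part of the guide: it parses two constructed snmpwalk-style polls of a handful of the OIDs listed above, sums the per-instance values, and reports which drop and failure counters rose between the polls. The .0/.1 instance suffixes, the value types and every value are assumptions made for the sample.

```python
import re

# Subset of the counters listed in this appendix, keyed by their OID suffix
# under 1.3.6.1.4.1.15397.2.1.  The flag marks counters that should stay
# flat on a healthy system (drops, failures, unknown tunnels).
BASE = "1.3.6.1.4.1.15397.2.1."
COUNTERS = {
    "8.1":   ("Packet Processing: RX packets", False),
    "8.2":   ("Packet Processing: RX drops", True),
    "8.7":   ("Packet Processing: TX drops", True),
    "48.19": ("TCPv4: Packet allocation failures", True),
    "64.41": ("Ruleset: Dynamic ip loading failures (allocation failure)", True),
    "88.2":  ("Shaping: Dequeued packets", False),
    "88.15": ("Shaping: Out of packets drops", True),
    "88.25": ("Shaping: Too many dynamic objects", True),
    "130.6": ("Tunnel: Packets For Unknown Tunnels", True),
}

# 'OID = TYPE: value' lines in the shape snmpwalk -On prints (type tag optional).
LINE_RE = re.compile(r"^\.?(?P<oid>[0-9.]+)\s*=\s*(?:\w+:\s*)?(?P<value>\d+)\s*$")


def parse_walk(text):
    """Map OID suffix (relative to BASE, instance index kept) -> integer value.
    Lines outside the PacketLogic subtree or without a plain integer are skipped."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(BASE):
            continue
        values[m.group("oid")[len(BASE):]] = int(m.group("value"))
    return values


def counter_key(suffix):
    """The COUNTERS key a walked OID belongs to ('8.2.1' -> '8.2'), or None."""
    for key in COUNTERS:
        if suffix == key or suffix.startswith(key + "."):
            return key
    return None


def counter_deltas(before, after):
    """Per-counter increase between two polls, summed over all instances
    (the per-thread .0/.1 indexes are an assumption of the sample).  A value
    that went down is taken as a restart and counted from zero (assumption)."""
    totals = {}
    for suffix, new in after.items():
        key = counter_key(suffix)
        old = before.get(suffix)
        if key is None or old is None:
            continue
        name = COUNTERS[key][0]
        totals[name] = totals.get(name, 0) + (new if new < old else new - old)
    return totals


def alert_on_drops(before, after, threshold=0):
    """Sorted names of drop/failure counters that rose by more than threshold."""
    flagged = {name for name, is_drop in COUNTERS.values() if is_drop}
    deltas = counter_deltas(before, after)
    return sorted(n for n, d in deltas.items() if n in flagged and d > threshold)


# Constructed sample polls, not real device output.
POLL_1 = """\
.1.3.6.1.4.1.15397.2.1.8.1.0 = Counter64: 1000000
.1.3.6.1.4.1.15397.2.1.8.1.1 = Counter64: 998000
.1.3.6.1.4.1.15397.2.1.8.2.0 = Counter64: 12
.1.3.6.1.4.1.15397.2.1.8.2.1 = Counter64: 12
.1.3.6.1.4.1.15397.2.1.8.25.0 = Gauge32: 0
.1.3.6.1.4.1.15397.2.1.48.19.0 = Counter64: 0
.1.3.6.1.4.1.15397.2.1.88.15.0 = Counter64: 0
.1.3.6.1.4.1.15397.2.1.88.25.0 = Counter64: 3
.1.3.6.1.4.1.15397.2.1.130.6.0 = Counter64: 40
.1.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
"""
POLL_2 = """\
.1.3.6.1.4.1.15397.2.1.8.1.0 = Counter64: 1500000
.1.3.6.1.4.1.15397.2.1.8.1.1 = Counter64: 1498000
.1.3.6.1.4.1.15397.2.1.8.2.0 = Counter64: 12
.1.3.6.1.4.1.15397.2.1.8.2.1 = Counter64: 200
.1.3.6.1.4.1.15397.2.1.8.25.0 = Gauge32: 1
.1.3.6.1.4.1.15397.2.1.48.19.0 = Counter64: 5
.1.3.6.1.4.1.15397.2.1.88.15.0 = Counter64: 0
.1.3.6.1.4.1.15397.2.1.88.25.0 = Counter64: 3
.1.3.6.1.4.1.15397.2.1.130.6.0 = Counter64: 40
"""

if __name__ == "__main__":
    for name in alert_on_drops(parse_walk(POLL_1), parse_walk(POLL_2)):
        print("rising:", name)
```

Rising allocation-failure counters point at the system configuration limits named in their descriptions (MAX_DYNAMIC_IPS, MAX_DYNAMIC_RULES_PER_NO), while rising RX or TX drops on one flow processor thread point at load on that thread rather than at the ruleset.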


Appendix D. The Virtual Service Language

D.1. Introduction

Matching is done like this:

condition => "Resulting service";

Example D.1. Generic matching in Virtual Services

port 12345 => "My service";

To match on several criteria nesting is used:

condition1 { condition2 => "Result"; }

Example D.2. Nesting criteria

service "HTTP" {
    property "Server Hostname" "www.example.com" => "Example Site Surfing";
}

Multiple conditions in the same block specify different alternatives:

condition1 {
    condition2 => "Result 1";
    condition3 => "Result 2";
}

This means that if condition1 and condition2 match, the result will be "Result 1", and if condition1 and condition3 match, the result will be "Result 2".

Comments are /* */ (nestable) or # for single line comments.

In the case where multiple hits are possible, yield-by-order can be used. This will terminate evaluating conditions on the first match.


Example D.3. Conflict

service "HTTP" {
    property "Server Hostname" domain "apps.example.com" => "Example Apps";
    property "Server Hostname" domain "example.com" => "Example.com";
}

For the server hostname test.apps.example.com, both conditions in the example above would match, and compilation will return an error saying there is a conflict.

To avoid this and still be able to use overlap in conditions, use yield-by-order:

Example D.4. Yield by order

service "HTTP" yield-by-order {
    property "Server Hostname" domain "apps.example.com" => "Example Apps";
    property "Server Hostname" domain "example.com" => "Example.com";
}

This will return the first match, not evaluating any conditions below the first match.

D.2. Condition Types

D.2.1. IP protocol

Syntax: "protocol NUMBER" or "protocol IDENTIFIER"

NUMBER is an integer in the range 0 to 255. IDENTIFIER is a protocol name known by the virtual service (vs) compiler, such as TCP or UDP.

Example D.5. IP protocol condition

# Break out TCP DNS traffic as separate service:
service "DNS" {
    protocol tcp => "DNS-TCP";
}

D.2.2. Server IP

Syntax: "ip IPNUMBER" or "ip IPNUMBER..IPNUMBER" or "ip IPNUMBER/PREFIXLEN"

IPNUMBER is written as a dotted quad, PREFIXLEN is an integer in the range 0 to 32. The form "ip IPNUMBER..IPNUMBER" creates a range and matches connections whose server IP address is in the range (inclusive) between the first and second numbers. It is an error to specify a range where the second item is lower than the first.


Example D.6. IP matching

# HTTP to 10.13.37.23 is special
service "HTTP" {
    ip 10.13.37.23 => "Secret stuff";
}

D.2.3. Server Port

Syntax: "port PORT" or "port PORT..PORT"

PORT is an integer in the range 0 to 65535. The form "port PORT..PORT" creates a range and matches connections whose server port is in the range (inclusive) between the first and second numbers. It is an error to specify a range where the second item is lower than the first.

Example D.7. Port matching

# There is no signature for our inhouse protocol running server
# at 10.13.37.100:1099
ip 10.13.37.100 {
    port 1099 => "Our inhouse protocol";
}

D.2.4. Service

Syntax: "service SERVICE"

SERVICE is a quoted string specifying the service name.

Example D.8. Service matching

# We don't care about different BitTorrent variants. Rename them all to BitTorrent
service "BitTorrent KRPC" => "BitTorrent";
service "BitTorrent transfer" => "BitTorrent";
service "BitTorrent encrypted transfer" => "BitTorrent";
service "BitTorrent tracker" => "BitTorrent";

Additionally, the service condition can use multiple services to facilitate nesting:

service "foo" "bar" { ... lots of other conditions ... }

This would apply the nested conditions to both services "foo" and "bar".


D.2.5. Port Taint

Syntax: "service taint SERVICE"

SERVICE is a quoted string specifying the service name.

Example D.9. Port taint matching

# Set service on Unknown connections that are tainted by BitTorrent
# connections to BitTorrent encrypted transfer.
service "Unknown" {
    service taint "BitTorrent transfer" => "BitTorrent encrypted transfer";
    service taint "BitTorrent tracker" => "BitTorrent encrypted transfer";
    service taint "BitTorrent KRPC" => "BitTorrent encrypted transfer";
    service taint "BitTorrent encrypted transfer" => "BitTorrent encrypted transfer";
}

D.2.6. Property

Syntax: "property PROPERTYNAME MATCHER"

PROPERTYNAME is a quoted string with the name of the property.

MATCHER is either a quoted string, meaning literal string matching, or a slash or pipe enclosed string, meaning regex string matching.

When MATCHER is a quoted string the property's value must exactly match the string in MATCHER. The following escape sequences can be used:

• \n for newline

• \r for CR

• \t for tab

• \" for "

• \\ for \

• \xNN for hex char NN

All other escape sequences are an error.

When MATCHER is a slash (/) or pipe (|) enclosed string the string is parsed as a regular expression. The regular expressions are implicitly anchored at the beginning but not the end. That is, to match the beginning of a string /prefix/ should be used, whereas to match the end of the string /.*suffix$/ should be used.

Regexp supports the following constructions:

• . matches any character

• [ ] character classes

• {n,m} repetitions

• * repetition


• + repetition

• ? optionality

• (abc|def) alternatives

• $ end of string anchoring

• (?i:xyz) partial case insensitive

If any symbols used for the above constructions are needed as literals they should be quoted by prefixing with a backslash, for example:

/www\.0x[0-9a-f]+\.com/i

For the Server Hostname property, a domain constructor can be used to match a domain.

Example D.10. Domain constructor

property "Server HostName" domain "proceranetworks.com" => "Procera";

D.2.7. Flags

Syntax: "flag FLAGNAME VALUE"

FLAGNAME is an identifier specifying the flag to check. VALUE is an integer in range 0 to 1.

D.2.8. clientbytes

Syntax: "clientbytes ..VAL" or "clientbytes VAL.." or "clientbytes VAL..VAL"

D.2.9. serverbytes

Syntax: "serverbytes ..VAL" or "serverbytes VAL.." or "serverbytes VAL..VAL"

D.2.10. age

Syntax: "age ..VAL" or "age VAL.." or "age VAL..VAL"

D.2.11. DNS Lookup Address

Syntax: "dnsname NAME"

NAME is a string matching the DNS names used to look up an address. The DNS names are the ones seen in DNS lookups in the traffic flow. DNS names are stored internally with the local host IP address, so if two local hosts use different DNS names to look up the same IP address they will match on different dnsnames.

The stored lookup will keep the first CNAME and the IP addresses in the A records as associations.

Example D.11. DNS name matching

dnsname "service.provider.com" => "Service";


D.3. Conflict resolution

D.3.1. Conflicts

A conflict occurs when the VS compiler is faced with two or more service definitions that might match at the same time.

port 55 => "foo";
ip 10.3.2.1 => "bar";

A connection to 10.3.2.1:55 would match both these conditions and so the user has to explicitly tell the VS compiler which definition takes precedence.

port 55 => "foo";
ip 10.3.2.1 => "bar" yield any;

The aforementioned connection to 10.3.2.1:55 would then be classified as "foo" even though both rules match.

D.3.2. Explicit yields

The above yield is called an explicit yield and exists in three forms:

port 10 => "foo" yield any;    # This will yield to every other rule.
port 20 => "bar" yield none;   # This will make every other rule yield
                               # to this rule
port 30 => "baz" yield "foo";  # Yield by name to another rule.

In practice, any larger VS file will contain a lot of conflicts, and writing out a yield specification for each one will quickly become tedious. For this reason there exist a number of implicit yields.

D.3.3. Implicit yields

D.3.3.1. More specific rules take precedence

property "a" "a" {
    clientbytes 100 => "foo";
}
property "a" "a" => "bar";

The first rule is more specific (i.e. it has more conditions) and will therefore take precedence over the second rule.

D.3.3.2. Yield by type

clientbytes 10 => "foo";
port 20 => "bar";

The first rule will take precedence since clientbytes has higher priority than port. This is a somewhat arbitrary rule that exists to remove a large number of artificial conflicts that would otherwise arise. The actual list of which condition type has which priority is of course secret.

D.3.3.3. Yield by order

service "HTTP" yield-by-order {
    property "Content-Type" |video/vdo| => "a";
    property "Content-Type" |video/| => "b";
    property "Content-Type" |vid| => "b";
}

Given that the service is "HTTP" and "Content-Type" is "video/vdo", all three previous rules will match. To break this conflict we use yield-by-order. This means that the earlier rules will take precedence over the later, and the connection will be classified as "a".

Yield-by-order is especially great when you don't want to learn anything new or think too hard. Just slap yield-by-order on your topmost condition (it will be inherited) and be done.

D.4. Style guide

D.4.1. Matching domain names

Not recommended:

property "Server Hostname" /.*.facebook.com/ => "Facebook";

Since it will also match i-hate-facebook.com. Instead, do this:

property "Server Hostname" domain "facebook.com" => "Facebook";
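The MATCHER forms of D.2.6 and the domain constructor recommended here, as an added Python model that is not PacketLogic's parser: quoted literals with the listed escapes, start-anchored /regex/ or |regex| with an optional trailing i flag, and domain "x", which is assumed to match x and its subdomains on a label boundary (the names unescape and compile_matcher are constructed for this example).

```python
import re

# Constructed model of the MATCHER forms in D.2.6 (quoted literal with escapes,
# /regex/ or |regex| anchored at the start only) and of the domain constructor
# D.4.1 recommends. Added illustration, not PacketLogic's parser. Assumption:
# domain "x" matches x itself and any subdomain of x on a label boundary.

ESCAPES = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\"}

def unescape(body):
    """Decode the escape sequences a quoted MATCHER allows; any other is an error."""
    out, i = [], 0
    while i < len(body):
        if body[i] != "\\":
            out.append(body[i])
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        if nxt in ESCAPES:
            out.append(ESCAPES[nxt])
            i += 2
        elif nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", body[i + 2:i + 4]):
            out.append(chr(int(body[i + 2:i + 4], 16)))
            i += 4
        else:
            raise ValueError("unknown escape sequence in %r" % body)
    return "".join(out)

def compile_matcher(token):
    """Return a predicate over a property value for one MATCHER token."""
    if token.startswith("domain "):
        dom = unescape(token[7:].strip()[1:-1]).lower()
        return lambda v: v.lower() == dom or v.lower().endswith("." + dom)
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        lit = unescape(token[1:-1])
        return lambda v: v == lit                      # exact string match
    m = re.fullmatch(r"([/|])(.*)\1(i?)", token, re.S)  # /re/, |re|, optional i
    if m:
        pat = re.compile(m.group(2), re.IGNORECASE if m.group(3) else 0)
        return lambda v: pat.match(v) is not None      # start-anchored, end open
    raise ValueError("bad MATCHER: %r" % token)
```

Running the two forms from this section against "i-hate-facebook.com" shows the difference: the regex accepts it because the unescaped dot matches the hyphen, the domain constructor does not.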

D.4.2. Simplifying syntax

Either / or | can be used as a delimiter for regexes.

property "Filename" /\/[a-z]*[0-9]*\/[0-9]*\/[0-9]*\.wm[av]/ => "Netflix";

Looks better like this:

property "Filename" |/[a-z]*[0-9]*/[0-9]*/[0-9]*\.wm[av]| => "Netflix";


D.4.3. Avoiding repetition

property "Filename" |/[a-z]*[0-9]*(/[0-9]*){2}\.wm[av]| => "Netflix";

D.4.4. Combination

property "foo" "a" {
    property "bar" "bar" => "service";
}

property "foo" "b" {
    property "bar" "bar" => "service";
}

property "foo" "c" {
    property "bar" "bar" => "service";
}

Can be replaced by:

property "foo" "a|b|c" { property "bar" "bar" => "service"; }

D.5. Error Messages

Example D.12. Virtual Service Error "X is in conflict with Y"

property "a" /a.*/ => "a";
property "b" /abc/ => "abc";

Unhandled error: "abc" at foo.vs:2 is in conflict with "a" at foo.vs:1

This means that these two conditions can match at the same time. A connection having both property "a" and "b", both set to "abc", will match both at the same time. Solve it by adding yield specifications.

property "a" /a.*/ => "a";
property "b" /abc/ => "abc" yield "a";


Example D.13. Virtual Service Error "The following services are shadowed"

Consider the following starting point:

property "a" /a.*/ => "a";
property "a" /abc/ => "abc";

This will cause an error about "... is in conflict with". Adding a yield specification to resolve this results in the following:

property "a" /a.*/ => "a";
property "a" /abc/ => "abc" yield "a";

This causes the warning:

The following services are shadowed (i.e they appear in the input files but never in the final decision tree) "abc" at foo.vs:2 (shadowed by "a" at foo.vs:1).

This is because the first condition will match anything the second condition can, and with higher priority. So the second condition will never be used.
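An added model of the conflict and yield rules from D.3 and the "is in conflict with" error of D.5 (constructed example, not the VS compiler): it evaluates a list of rules against one connection, applies explicit yields, the more-specific-rule rule and yield-by-order, and reports an unresolved conflict in the compiler's wording. Yield by type is left out because the type priority list is not published; the names Rule, regex_cond, classify and classify_or_error are assumptions.

```python
import re

# Constructed model of the VS conflict and yield rules (D.3) and the
# "is in conflict with" error (D.5). Not PacketLogic's compiler: it checks one
# concrete connection instead of the whole decision tree, and yield by type
# (D.3.3.2) is omitted since the type priority list is not published.

class ConflictError(Exception):
    pass

def regex_cond(key, pattern):
    """Condition matched as a regex anchored at the start only (D.2.6)."""
    return (key, re.compile(pattern))

class Rule:
    def __init__(self, line, conds, service, yields=None, by_order=False):
        self.line = line          # foo.vs line number, used in messages
        self.conds = conds        # [(key, literal value or compiled regex), ...]
        self.service = service
        self.yields = yields      # None, "any", "none" or another service name
        self.by_order = by_order  # inside a yield-by-order block (inherited)

    def matches(self, conn):
        for key, want in self.conds:
            got = conn.get(key)
            if got is None:
                return False
            ok = want.match(got) is not None if hasattr(want, "match") else got == want
            if not ok:
                return False
        return True

def beats(a, b):
    """True if rule a takes precedence over rule b when both match."""
    if a.yields == "none" and b.yields != "none":
        return True                        # every other rule yields to a
    if b.yields == "none" or a.yields == "any":
        return False                       # a must yield to b
    if b.yields in ("any", a.service):
        return True                        # b yields to all, or by name to a
    if len(a.conds) > len(b.conds):
        return True                        # D.3.3.1: more specific rule wins
    return a.by_order and b.by_order and a.line < b.line   # D.3.3.3

def classify(rules, conn):
    """Service chosen for conn; raises ConflictError when no rule wins outright."""
    matched = [r for r in rules if r.matches(conn)]
    if not matched:
        return "Unknown"
    for cand in matched:
        if all(beats(cand, o) for o in matched if o is not cand):
            return cand.service
    first, second = matched[0], matched[1]
    raise ConflictError('"%s" at foo.vs:%d is in conflict with "%s" at foo.vs:%d'
                        % (second.service, second.line, first.service, first.line))

def classify_or_error(rules, conn):
    """Like classify() but returns the compiler's error text instead of raising."""
    try:
        return classify(rules, conn)
    except ConflictError as e:
        return "Unhandled error: " + str(e)
```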


Appendix E. Flow Sync protocol

Figure E.1. Flow synchronization


Appendix F. GRE Transport for Monitored Traffic

This is an example of code to use to send monitored traffic to one or more GRE tunnels. Modify at least the GREDEST variable to suit the local deployment. To use this, upload the script as a file named custom.py to the folder Custom Snooper files, and use the Custom Snooper as a monitor interface in a filtering rule (under Advanced Options in the Filtering rule editor). Endpoints of the tunnels must be configured to terminate GRE.

import sys
import socket
import struct
import packethandler

# Tunnel endpoints that receive a copy of every monitored packet
GREDEST = ["1.2.3.4", "1.2.3.5"]
# Optional GRE key; None sends packets without a key field
GREKEY = None
GRE_FLAGS_KEY = 1 << 13
GRE_FLAGS_SEQ = 1 << 12

def buildgre(data, key=None, seq=None, proto=0x800):
    # GRE header: flags and protocol, then optional key and sequence fields
    flags = 0
    if key is not None:
        flags |= GRE_FLAGS_KEY
    if seq is not None:
        flags |= GRE_FLAGS_SEQ

    H = struct.pack("!HH", flags, proto)

    if key is not None:
        H += struct.pack("!L", key)
    if seq is not None:
        H += struct.pack("!L", seq)

    return H + data

class GRETransporter(packethandler.PacketHandler):
    def __init__(self, iface):
        packethandler.PacketHandler.__init__(self, iface)
        self.gresock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_GRE)

    def handle_ip(self, data, props):
        if len(data) < 20:
            raise ValueError("Packet too short for ip header")

        # Do not re-tunnel packets that are already GRE
        proto = ord(data[9])
        if proto == socket.IPPROTO_GRE:
            return

        grepkt = buildgre(data, key=GREKEY)
        for dst in GREDEST:
            self.gresock.sendto(grepkt, (dst, 0))

p = GRETransporter(sys.argv[1])
p.run()
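The collector side of the transport above, as an added example that is not from the product guide: parse_gre() unpacks the header that buildgre() emits and rejects packets carrying a key other than the one the snooper was configured with, so a collector only accepts its own monitored traffic. build_gre() repeats the guide's header layout so the block runs stand-alone; receiving from the raw socket and stripping the outer IP header is left to the caller.

```python
import struct

# Added receiving-side counterpart to the GRE transporter (constructed example,
# not part of the product guide). parse_gre() reads the header buildgre() emits
# (RFC 2784 base header plus the RFC 2890 key and sequence fields) and refuses
# packets whose key is not the expected GREKEY.

GRE_FLAGS_KEY = 1 << 13       # K bit
GRE_FLAGS_SEQ = 1 << 12       # S bit
ETHERTYPE_IPV4 = 0x800

def build_gre(data, key=None, seq=None, proto=ETHERTYPE_IPV4):
    """Prepend a GRE header: flags/proto, then key and seq when present."""
    flags = (GRE_FLAGS_KEY if key is not None else 0) | (GRE_FLAGS_SEQ if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!L", key)
    if seq is not None:
        hdr += struct.pack("!L", seq)
    return hdr + data

def parse_gre(pkt, expected_key=None):
    """Return (proto, key, seq, payload); raise ValueError on malformed or foreign packets."""
    if len(pkt) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x8000:                      # C bit: buildgre() never sets it
        raise ValueError("unexpected GRE checksum field")
    off, key, seq = 4, None, None
    if flags & GRE_FLAGS_KEY:
        if len(pkt) < off + 4:
            raise ValueError("GRE key field truncated")
        key = struct.unpack("!L", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAGS_SEQ:
        if len(pkt) < off + 4:
            raise ValueError("GRE sequence field truncated")
        seq = struct.unpack("!L", pkt[off:off + 4])[0]
        off += 4
    if key != expected_key:
        raise ValueError("GRE key mismatch: got %r, expected %r" % (key, expected_key))
    return proto, key, seq, pkt[off:]

def accepts(pkt, expected_key=None):
    """True when parse_gre() accepts the packet (handy for tests and filters)."""
    try:
        parse_gre(pkt, expected_key)
        return True
    except ValueError:
        return False
```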


Appendix G. UDP Transport for Monitored Traffic

This is an example of code to use to send monitored traffic as UDP packets. This is useful for sending monitored traffic to a PSM. Modify the DESTINATION variable to suit the local deployment. To use this, upload the script as a file named custom.py to the folder Custom Snooper files, and use the Custom Snooper as a monitor interface in a filtering rule (under Advanced Options in the Filtering rule editor).

#
# This simply sends monitored udp packets to specified destination
# (ipaddress, udp port)
#
import packethandler
import socket
import sys

DESTINATION = ("10.0.1.2", 1234)

class UDPTransporterPacketHandler(packethandler.UDPPacketHandler):

    def __init__(self, path):
        packethandler.PacketHandler.__init__(self, path)
        self.socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def handle_udpdata(self, data, props):
        # Forward the UDP payload of each monitored packet unchanged
        self.socket.sendto(data, DESTINATION)

ph = UDPTransporterPacketHandler(sys.argv[1])
ph.run()

To receive the monitored traffic in the PSM, set up the corresponding source on the PSM. For example, if the rule is used to send DHCP packets to PSM, set up a DHCP source on the PSM listening on the port entered in DESTINATION.


Appendix H. Freeradius Configuration Example

This shows an example of a configuration made to a freeradius server to authenticate users.

In sites-enabled/default, modify the post-auth section to include the following:

update reply {
    Procera-Local-User-Name = "admin"
}

Note: This will grant permissions equivalent to the admin user on the system. Change this as needed.

The freeradius dictionary must be updated to include the Procera vendor specific attribute Procera-Local-User-Name. Create /usr/share/freeradius/dictionary.procera with the following content:

VENDOR Procera 12913

BEGIN-VENDOR Procera
ATTRIBUTE Procera-Local-User-Name 1 string
END-VENDOR Procera

Include this into the default dictionary by adding the following to /usr/share/freeradius/dictionary:

$INCLUDE dictionary.procera


Appendix I. Cisco TAC PLUS Configuration Example

This shows an example of a configuration made to a Cisco TAC PLUS server to authenticate users.

Modify the exec service to include the attribute local-user with the name of the user defined on the system whose permissions the authenticated user is to inherit.

The following shows an example of the configuration for a Cisco TAC PLUS:

key = secretkey

user = DEFAULT {
    default service = deny
}

user = remote {
    default service = permit
    global = cleartext "unsecure"
    service = exec {
        local-user = "ro-user"
    }
}

Note: This will grant permissions equivalent to the ro-user user on the system. Change this as needed.


Appendix J. Examples of Category Files

Example J.1. categories.version file example

4


Example J.2. categories.json file example

{
  "next_id" : 12,
  "version" : 4,
  "urltags" : [
    { "name" : "Leisure", "id" : 2 },
    { "name" : "Social Networks", "desc" : "Common social network sites", "text" : "Includes sites such as facebook, twitter and pinterest.", "id" : 3 },
    { "name" : "Adult Matching Service", "id" : 4 },
    { "name" : "Search and News", "desc" : "Common search and news sites", "text" : "Search engines, news sites, etc.", "id" : 6 },
    { "name" : "Youtube", "id" : 8 },
    { "name" : "Games", "id" : 9 },
    { "name" : "Adult Entertainment", "id" : 10 },
    { "name" : "Google Video", "id" : 11 }
  ]
}


Example J.3. url-delta-0.txt file example



Index

A
Actions (Filtering), 63
Aggregation (Statistics), 89
Alert Levels, 121
Attributes, 28

B
Backup Manager (Client), 145
BGP (configuring), 180
BGP (overview), 15
BGPObjects, 29
Bookmarks menu, 128
Borrowing (Traffic Shaping), 44

C
Categorization (URL), 14
CategoryObjects, 29
Channel Editor, 148
ChannelObjects, 30
Client, 103
Client/Server, 25
Conditions, 36
Connection Definition, 25
Connection limiting, 46
Connection Log, 98
Connection Logging, 98
Connection protection, 38
Connection Search, 98
Connection Search (Client), 147
Connprot, 38
Counters (Shaping), 47

D
Database daemon, 22
Database daemon (Statistics), 23
DHCP Snooper, 66
Do not process additional rules (Filtering rule), 69
DRDL, 20
DSCPObjects, 30

E
ECN, 56
Edit menu (client), 106
Engine, 19
Engine (PL10000/PL20000), 20
Examples (Traffic Shaping), 46
Exclude, 33

F
File Manager, 145
File menu (client), 105
Filtering, 61
Filtering Log, 70
Filtering Rules, 36
Filtering Triggers, 204
FlagObjects, 31
FLICKA, 25
Flow Sync, 13

G
GRE Tunneling Monitored traffic, 66

H
Help menu (client), 107
Host Triggers, 203

I
Incoming, 25
Inject, 64

L
Latency goal (Traffic Shaping), 57
Link speed, 131
Linking (Statistics), 89
LiveView, 109
Local, 25
Log Levels Editor, 150
Log Viewer, 146

M
Main toolbar (client), 128
Max Connections, 46
Monitor (Filtering), 65
Monitor Label, 67
Monitoring, 187
MPLSObjects, 32
MTU, 38

N
NetObject Attributes, 28
NetObjects, 27
New Features, 5

O
Objects & Rules Editor, 129
Objects and Rules - Key Concepts, 27
Outgoing, 25

P
PCAP, 67
Peak (Statistics), 93
peak analysis, 91
Peak analysis, 93
PLD, 22
PortObjects, 28
Preferences, 106
Priority (StatisticsObjects), 93
Priority (Traffic Shaping), 42
PropertyObjects, 30
ProtocolObjects, 28
Proxy, 183
Proxying System Diagnostics, 184

Q
Queue factor (Traffic Shaping), 57
Queue Sync, 54
Queueing Engine (Traffic Shaping), 53

R
RADIUS Snooper, 67
Reaper (PL10000/PL20000), 20
Remote, 25
Resource Manager, 148
Resources, 23
RewriteObjects, 35

S
ServiceObjects, 28
Shaping Rules, 37
ShapingObjects, 35
Shunting, 11
Sliding window (VBS), 49
Snoopers, 65
Split By (Traffic Shaping), 44
Statistics, 83
Statistics daemon, 24
Statistics Rules, 37
Statistics Viewer (Client), 122
StatisticsObjects, 35
Synced systems, 104
System Configuration Editor, 150
System Diagnostics, 120
System Diagnostics Triggers, 204
System Manager, 104
System Overview, 108
SystemObjects, 32

T
TimeObjects, 29
Tools menu (client), 107
Traffic Shaping, 39
Traffic Shaping - How it works, 39
Triggers, 203
Triggers - Host Trigger Editor (Client), 143
Tunnel Levels, 10
Tunnel Types, 11
Tunneling, 10
TunnelLevelObjects, 32
TunnelTypeObjects, 32

U
UDP Transport for monitored traffic, 66
URL categories, 14
usage analysis, 91
User Editor (Client), 140

V
VBS, 47
View menu (LiveView), 120
View menu (Statistics), 126
View menu (System Overview), 109
Virtual Services, 20
VLANObjects, 30
Volume-Based Shaping, 47