Professional Documents
Culture Documents
Guide
Version 7.3
™
SOLIDserver Administrator Guide
SOLIDserver Administrator Guide
Revision: #100483
iv
SOLIDserver Administrator Guide
v
SOLIDserver Administrator Guide
vi
SOLIDserver Administrator Guide
vii
SOLIDserver Administrator Guide
viii
SOLIDserver Administrator Guide
ix
SOLIDserver Administrator Guide
x
SOLIDserver Administrator Guide
xi
SOLIDserver Administrator Guide
xii
SOLIDserver Administrator Guide
xiii
SOLIDserver Administrator Guide
xiv
SOLIDserver Administrator Guide
xv
SOLIDserver Administrator Guide
xvi
SOLIDserver Administrator Guide
xvii
SOLIDserver Administrator Guide
xviii
SOLIDserver Administrator Guide
xix
About This Guide
SOLIDserver is a hardware or software appliance suite that allows to manage from one device
a network at all levels, from the IP addresses to the network devices, through key services, systems
and protocols.
The Administrator Guide describes and details the modules you might have purchased with your
license. This guide does not detail the existing license types and what they may contain or lack.
Note that some configurations described in this document should not be handled by end users
if they do not have previous knowledge of the basic principles of certain protocols and what the
operations imply on the network configuration.
Documentation Organization
The guide is divided into the following parts:
• Starting: the hardware appliances description, the installation of SOLIDserver on hardware
and software, the basic network configuration, the appliance first use procedures and a com-
prehensive presentation of the GUI.
• Configuring SOLIDserver: all the available time, network, service configurations to properly
set up and use the appliance.
• Imports and Exports: all the data import and export options available.
• Dashboards: all the gadget related options available in the module Dashboards.
• IPAM: all the options available in the module IPAM.
• DHCP: all the options available in the module DHCP.
• DNS: all the options available in the module DNS.
• Global Policies: all the behaviors you can set between and within modules via the parameters
inheritance and propagation and/or the advanced properties.
• Application: all the options available in the module Application.
• Guardian: all the options available in the module Guardian.
• NetChange: all the options available in the module NetChange.
• Workflow: all the options available in the module Workflow.
• Device Manager: all the options available in the module Device Manager.
• VLAN Manager: all the options available in the module VLAN Manager.
• VRF: all the options available in the module VRF.
• SPX: all the options available in the module SPX.
• Identity Manager: all the options available in the module Identity Manager.
• Rights Management: all the options available to manage the access to SOLIDservers, via
users, groups of users and authentication rules.
• Administration: all the management options available in the module Administration, from remotely
managing other appliances and setting high availability, to managing licenses, monitoring,
maintaining, securing and upgrading the appliance.
• Customization: a description of all the options available in the module Administration to cus-
tomize your appliance: from images, IPv6 labels and Smart Folders to custom databases,
classes and customization packages.
xx
About This Guide
At the end of the guide, you can also find appendices containing further details regarding:
• Matrices of Network Flows details all the service flows to take into account to properly utilize
SOLIDserver on your network.
• Multi-Status Messages contains the existing messages returned by the column Multi-status.
• Default Gadgets describes the gadgets available by default: their type, purpose and the
dashboard they are displayed when relevant.
• DHCP Options describes all supported DHCP options, gathered using the categories available
in the GUI.
• MAC Address Types References displays the reference number, in the GUI, of DHCP statics
supported MAC types.
• DNS Resource Records Related Fields displays the fields that need to be configured when
adding resource records to a zone.
• Advanced Properties provides illustrated representations of all the advanced properties inter-
actions between the modules IPAM, DHCP and DNS.
• Configuring OpenID Authentication details the preliminary configuration to authenticate external
users via the OpenID authentication rule.
• User Tracking Services Filter details the use of the filters available on the page User tracking.
• SNMP Metrics provides a list of the most relevant SOLIDserver indicators you can monitor
through an external solution.
• Class Studio Pre-defined Variables describes how to add and configure the class object Pre-
defined-variables.
• Configuring RADIUS: describes the procedures to implement user authentication via FreeRa-
dius, RADIUS with Cisco ACS and OneTime Password with Token Authentication.
• Using Remote Authentication for SSH Connections to SOLIDserver: provides the configuration
details to use LDAP or RADIUS authentication and grant access to existing LDAP/RADIUS
users to SOLIDserver via SSH.
• Configuring Non-Supported Options: provides advanced configuration details to incorporate
non-supported firewall rules and options for the services Apache, Unbound, NSD, BIND, SNMP,
DHCP, NTP, syslog-ng and PostgreSQL.
Documentation Convention
Each part of this guide is divided into chapters where the available operations are detailed in
procedures. Throughout the guide, you will find the following elements.
Element Description
Procedure All configurations and operations are detailed in step by step procedures. In each procedure,
the key words of the Graphical User Interface (GUI) are formatted as detailed below.
Name All key words to browse the GUI, like a page name or a wizard title.
BUTTON The buttons in the GUI, like OK , EDIT or CANCEL .
Menu The menus and their entries. The navigation within menu entries is symbolized by arrows as
such: menu > option > sub-option.
xxi
Part I. Starting
This part details the very first operations to connect to SOLIDserver, for hardware and software appliances
as well as a presentation of the GUI and the modules' dashboard. It contains the following chapters:
• Hardware Appliance Specificities: describes our hardware appliance suite. Depending on the model you
chose, the front panel and available buttons and possible configurations from the hardware appliance
differ.
• First Configuration: describes the hardware appliance installation procedures for all hardware models,
the installation via USB and the basic network configuration to complete the appliance configuration or
to reset the default configuration details.
• Using SOLIDserver for the First Time: describes the first steps and best practices to follow after setting
SOLIDserver with an IP address: from logging in and configuring the appliance service to creating users.
• Understanding the GUI: describes the default features of SOLIDserver Graphical User Interface. It includes
a presentation of the navigation philosophy, some tips and all the extra functionalities we provide: book-
marks, quick wizards, global search, etc.
Table of Contents
1. Hardware Appliance Specificities .................................................................................... 3
5th Generation Hardware Appliances ......................................................................... 3
4th Generation Hardware Appliances ....................................................................... 13
2. First Configuration ....................................................................................................... 19
Prerequisites .......................................................................................................... 19
SOLIDserver-50 First Configuration .......................................................................... 19
Rack Hardware Appliances First Configuration .......................................................... 20
Completing the Basic Network Configuration via CLI ................................................. 26
3. Using SOLIDserver for the First Time ............................................................................ 31
Connecting to SOLIDserver ..................................................................................... 31
Requesting and Activating a License ........................................................................ 32
Defining the Internal Module Setup .......................................................................... 33
Configuring SOLIDserver Network and Services ....................................................... 34
Configuring User Access to SOLIDserver ................................................................. 34
4. Understanding the GUI ................................................................................................ 35
SOLIDserver Main Dashboard ................................................................................. 36
Sidebar .................................................................................................................. 36
Top Bar .................................................................................................................. 42
Breadcrumb ............................................................................................................ 45
Menu ..................................................................................................................... 47
Account Configuration ............................................................................................. 50
Listing Page ............................................................................................................ 51
Properties Page ...................................................................................................... 65
Charts .................................................................................................................... 67
Wizards .................................................................................................................. 70
Quick Wizards ......................................................................................................... 77
Bookmarks ............................................................................................................. 80
2
Chapter 1. Hardware Appliance
Specificities
There are two generations of SOLIDserver rack hardware appliances that have specific plugs,
ports and/or connectors on their front and back panels that they may share.
• SOLIDserver fifth generation hardware appliances:
SOLIDserver-270 SOLIDserver-270.
SOLIDserver-570
SOLIDserver-1170 SOLIDserver-570, SOLIDserver-1170 and SOLIDserver-2270.
SOLIDserver-2270
SOLIDserver-Blast-3370 SOLIDserver-3370.
SOLIDserver-Blast-4070
SOLIDserver-Blast-5070 SOLIDserver-Blast Series.
SOLIDserver-Blast-5570
SOLIDserver-7070 SOLIDserver-7070.
They all come with SOLIDserver Bezel.
SOLIDserver-260 SOLIDserver-260.
SOLIDserver-550
SOLIDserver-1100 SOLIDserver-550, SOLIDserver-1100 and SOLIDserver-2200.
SOLIDserver-2200
SOLIDserver-3300
SOLIDserver-4000
SOLIDserver-3300 and SOLIDserver-Blast Series.
SOLIDserver-5000
SOLIDserver-5500
SOLIDserver Bezel
All fifth generation hardware appliances share a common LCD bezel that allows to set up the IP
address of the iDRAC used to configure SOLIDserver software and display hardware information.
3
Hardware Appliance Specificities
SOLIDserver TM
SOLIDserver-270
The sections below describe the front and back panel of SOLIDserver-270 appliances.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The hardware information tag. Pull it out to see the service tag and express service tag.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
iDRAC
4
Hardware Appliance Specificities
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The hot swappable hard drive 1.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 2.
The hardware information tag. Pull it out to see the service tag and express service tag.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
5
Hardware Appliance Specificities
iDRAC
iDRAC
6
Hardware Appliance Specificities
SOLIDserver-3370
The sections below describe the front and back panel of SOLIDserver-3370 appliances. Depending
on the current of your appliance, refer to the section AC or DC.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The hot swappable hard drive 1.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 2.
The hardware information tag. Pull it out to see the service tag and express service tag.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
iDRAC
7
Hardware Appliance Specificities
The hardware status indicators, respectively the health indicator, temperature indicator,
electrical indicator, memory indicator and PCIe indicator.They flash amber if any error occurs.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The front USB 3.0 port.
The front VGA port.
The On/Off button. It is lit when the appliance is on.
The hot swappable hard drive 1.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 2.
The hardware information tag. Pull it out to see the service tag and express service tag.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
8
Hardware Appliance Specificities
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The serial port.
The VGA port.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The back USB 3.0 ports.
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.
The ethernet connector igb3.
SOLIDserver-Blast Series
The sections below describe the front and back panel of SOLIDserver-Blast Series appliances:
SOLIDserver-Blast-4070, SOLIDserver-Blast-5070 and SOLIDserver-Blast-5570. Depending on
the current of your appliance, refer to the section AC or DC.
The back panel provides two 10 Gbps optical fiber slots, for a full DNS Guardian protection.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
9
Hardware Appliance Specificities
iDRAC
10
Hardware Appliance Specificities
The hardware status indicators, respectively the health indicator, temperature indicator,
electrical indicator, memory indicator and PCIe indicator.They flash amber if any error occurs.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The front USB 3.0 port.
The front VGA port.
The On/Off button. It is lit when the appliance is on.
The hot swappable hard drive 1.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 2.
The hardware information tag. Pull it out to see the service tag and express service tag.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The optical slot ixl0.
The optical slot ixl1.
The serial port.
The VGA port.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
11
Hardware Appliance Specificities
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The back USB 3.0 ports.
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.
The ethernet connector igb3.
SOLIDserver-7070
The sections below describe the front and back panel of AC and DC SOLIDserver-7070 appliances.
The hardware status indicators, respectively the health indicator, temperature indicator,
electrical indicator, memory indicator and PCIe indicator.They flash amber if any error occurs.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The front USB 3.0 port.
The front VGA port.
The On/Off button. It is lit when the appliance is on.
The hot swappable hard drive 1.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 2.
The hardware information tag. Pull it out to see the service tag and express service tag.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
12
Hardware Appliance Specificities
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The optical slot ixl0.
The optical slot ixl1.
The serial port.
The VGA port.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The back USB 3.0 ports.
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.
The ethernet connector igb3.
SOLIDserver-260
The sections below describe the front and back panel of SOLIDserver SOLIDserver-260 appli-
ances.
From the front panel, you can connect a keyboard and monitor to set up the access IP address
of the iDRAC. From the iDRAC interface, you can configure SOLIDserver IP address.
13
Hardware Appliance Specificities
14
Hardware Appliance Specificities
From the front panel LCD screen, you can set up the IP address of the iDRAC used to configure
SOLIDserver and display hardware information.
15
Hardware Appliance Specificities
From either appliance front panel LCD screen, you can set up the IP address of the iDRAC used
to configure SOLIDserver and display hardware information.
SOLIDserver-Blast Series appliances back panel provides two 10 Gbps optical fiber slots, for a
full DNS Guardian protection.
16
Hardware Appliance Specificities
17
Hardware Appliance Specificities
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The serial port.
The VGA port.
The USB port 3 (3.0 compliant).
The USB port 4 (3.0 compliant).
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.
The ethernet connector igb3.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
18
Chapter 2. First Configuration
This chapter is a recollection of the proper first configuration of all SOLIDserver hardware
appliances.
The first configuration requires to connect the appliance to the network and set it an IP address
to access the Graphical User Interface (GUI). To properly do so, you must:
• Meet the prerequisites.
• Identify your hardware appliance and follow the appropriate procedure:
• For SOLIDserver-50 appliances, refer to the section SOLIDserver-50 First Configuration.
• For all other SOLIDserver- hardware appliances, the rack appliances of the fifth or fourth
generation, refer to the section Rack Hardware Appliances First Configuration.
• For non-Efficient IP hardware appliances, you can install SOLIDserver software appliance
via a USB flash drive. For more details, refer to the guide Reimaging SOLIDserver on
Hardware Appliances, available at https://downloads.efficientip.com/support/downloads/docs/
in the appropriate version folder.
When the first configuration is done, you can further the basic network configuration of the appli-
ance (hostname, interfaces...) through a terminal. For more details, refer to the section Completing
the Basic Network Configuration via CLI.
Prerequisites
• One of the following supported web browsers installed on your computer: Google Chrome,
Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge or, for Mac computers, Safari. We
recommend using its latest and most stable version.
• A web browser with all pop-up blockers disabled for the IP address and domain name used
during the configuration of your appliance. Otherwise, you may not manage the iDRAC and/or
SOLIDserver properly.
Prerequisites
• A SOLIDserver-50 hardware appliance.
• A computer with a serial port.
• A terminal emulator able to connect to a serial port installed on your computer.
19
First Configuration
Hit 1, 2, 3 or the arrows to highlight an interface. Hit space to select the interface. Each
selected interface is preceded by (*).
The selected interface(s) respond(s) to the IP address, netmask and gateway you configure
next. Selecting several interfaces configures an Ethernet port failover.
9. Hit Enter to confirm the interface(s) selection. The menu Network configuration opens.
10. Configure the interface IP address, netmask and gateway used to access SOLIDserver.
• Set an IP: and hit the down arrow to get to the next line.
• Set a Netmask: and hit the down arrow to get to the next line.
• Set a default Gateway: and hit tabulation to highlight OK.
11. Hit Enter to confirm your configuration and go back to the Main Menu.
12. The line C Commit modifications to system is highlighted, hit Enter to save the whole
configuration.The window Do you really want to commit modifications to system? opens.
13. The button Yes is highlighted, hit Enter to confirm.
Your configuration is now complete and you can connect to SOLIDserver software using the IP
address you configured. For more details, refer to the chapter Using SOLIDserver for the First
Time.
For these reasons, the installation of these hardware appliance models requires to:
1. Configure an IP address for the iDRAC. On all appliances, except SOLIDserver-260, you can
set it from the LCD screen.
2. Connect to the iDRAC to configure SOLIDserver access IP address.
3. Once the software installation is over, you need to connect to SOLIDserver, add your license
and set up the Internal module setup. For more details, refer to the chapter Using SOLIDserver
for the First Time.
20
First Configuration
All rack hardware appliances, except the SOLIDserver-260, provide an LCD screen that allows
to set up
Prerequisites
• An EfficientIP rack hardware appliance:
• A 5th generation hardware appliance: SOLIDserver-270, SOLIDserver-570, SOLIDserver-
1170, SOLIDserver-2270, SOLIDserver-3370, SOLIDserver-Blast Series (SOLIDserver-
Blast-4070, SOLIDserver-Blast-5070 or SOLIDserver-Blast-5570) or SOLIDserver-7070.
• Or a 4th generation hardware appliance: SOLIDserver-260, SOLIDserver-550, SOLIDserv-
er-1100, SOLIDserver-2200, SOLIDserver-3300 or SOLIDserver-Blast series (SOLIDserver-
4000, SOLIDserver-5000 or SOLIDserver-5500). They require a browser with the latest
version of Java JRE installed.
• Making sure that the appliance power supply cables are plugged.
• Making sure that the iDRAC dedicated port and physical interface port are connected. Note
that you can set up an Ethernet port failover with up to 4 cables.
Once the iDRAC IP address is set, you can access it and configure SOLIDserver IP address.
For SOLIDserver-260 appliances, you can configure an access IP address for the iDRAC using
a keyboard and monitor. This is the only method for SOLIDserver-260 appliances. You can
configure the iDRAC IP address without LCD screen on any other appliance, of the 4th or 5th
generation.
Once the iDRAC IP address is set, you can access it and configure the IP address of your
SOLIDserver appliance. The iDRAC is already configured with a default IP address -
192.168.0.120, netmask - 255.255.255.0 and gateway - 192.168.0.0.
If this IP address is free and accessible on your network, you do not need to follow the procedure
below, you can go straight to the section Configuring the Access to SOLIDserver from the iDRAC.
21
First Configuration
F2 = System Setup
F10 = Lifecycle Controller
F11 = BIOS Boot Manager
F12 = PXE Boot
Now you can connect to the iDRAC to configure SOLIDserver as detailed in the section Config-
uring the Access to SOLIDserver from the iDRAC.
22
First Configuration
For all hardware appliances, except SOLIDserver-260 appliances, you can set up the access IP
address for the iDRAC from the LCD screen. Note that this screen also displays hardware inform-
ation, configurations and errors.
If you already configured the iDRAC IP address using a keyboard and monitor, following the
section Configuring the iDRAC IP address Without LCD Screen, you can go straight to the section
Configuring the Access to SOLIDserver from the iDRAC.
Once the iDRAC IP address is set, you can access it and configure the IP address of your
SOLIDserver appliance. The iDRAC is already configured with a default IP address -
192.168.0.120, netmask - 255.255.255.0 and gateway - 192.168.0.0.
If this IP address is free and accessible on your network, you do not need to follow the procedure
below, you can go straight to the section Configuring the Access to SOLIDserver from the iDRAC.
Once the full IP address matches your needs, press until the cursor highlights >> at the
end of the IP address.
8. Press to commit the IP address. The subnet mask is displayed: Sub: 255.255.255.000 .
Set the netmask of your choice using the technique detailed in step 7.
Once the full netmask matches your needs, press until the cursor highlights >> at the end
of the subnet mask.
9. Press to commit the subnet mask. The gateway is displayed: Gtw: 192.168.000.000 . Set
the gateway of your choice using the technique detailed in step 7.
Once the gateway matches your needs, press until the cursor highlights >> at the end of
the subnet mask.
23
First Configuration
10. Press to commit the gateway IP address. The DNS configuration menu appears: Setup
DNS: Yes.
11. Press to highlight No and press to skip the DNS configuration. The screen displays:
Save: Yes | No, Yes is highlighted.
12. Press to save your configuration. The LCD screen is now empty.
Now you can connect to the iDRAC to configure SOLIDserver as detailed in the section Config-
uring the Access to SOLIDserver from the iDRAC below.
If you want, you can tick the box Do not show this warning again.
7. Click on Continue. The iDRAC homepage opens, it details the hardware information.
8. Launch the virtual console.
a. In the section Virtual Console, click on Launch Virtual Console. A window opens.
b. During your first connection, you must authorize the pop-ups and press F5 to refresh
the window.
c. If your iDRAC is in version 8 or in a higher version set with its Plug-in Type to Java, you
must accept to save the file viewer.jnlp to be able to launch the console, and then open
1
the file .
d. In the pop-up window SecurityWarning, click on Continue.
e. In the pop-up window Do you want to run this application?, click on Run.
f. In the pop-up window Warning-Security, click on Run to accept the certificate. The
console opens.
9. When SOLIDserver installation is complete, the page WELCOME TO SOLIDSERVER ap-
pears.
1
If the file .jnlp has not been automatically opened by Java, you have to associate it manually with the file javaws.exe located in the
folder jre\bin of the appropriate Java version.
24
First Configuration
If an error message is displayed on the screen, you need to reimage SOLIDserver. For more
details, refer to the guide SOLIDserver_Hardware_Reimaging-x.x.pdf available on our
2
website .
Once you are connected to SOLIDserver from the iDRAC console, you can configure its IP ad-
dress.
Hit 1, 2, 3 or the arrows to highlight an interface. Hit space to select the interface. Each
selected interface is preceded by (*).
The selected interface(s) respond(s) to the IP address, netmask and gateway you configure
next. Selecting several interfaces configures an Ethernet port failover.
5. Hit Enter to confirm the interface(s) selection. The menu Network configuration opens.
6. Configure the interface IP address, netmask and gateway used to access SOLIDserver:
• Set an IP: and hit the down arrow to get to the next line.
• Set a Netmask: and hit the down arrow to get to the next line.
• Set a default Gateway: and hit tabulation to highlight OK.
7. Hit Enter to confirm your configuration and go back to the Main Menu.
8. The line C Commit modifications to system is highlighted, hit Enter to save the whole
configuration.The window Do you really want to commit modifications to system? opens.
9. The button Yes is highlighted, hit Enter to confirm.
25
First Configuration
10. Hit Enter to close the window. The Main Menu is visible again.
11. Hit E to select EXIT and hit Enter. The configuration window closes.
Now your configuration is complete and you can connect to SOLIDserver software using the IP
address you configured.
Via Command-Line Interface (CLI) you can set a hostname, default gateways, physical interfaces...
for the appliance.
• On software appliances, you can access CLI via the IP address of SOLIDserver, that can be
used to open a shell session via a terminal emulator. If you installed SOLIDserver on VMware,
you can also access its CLI from VMware console.
• On hardware appliances, accessing CLI depends on the model:
• For appliances SOLIDserver-50, you must connect your computer to the hardware serial
port and open a serial connection session via a terminal emulator.
• For appliances SOLIDserver-260, SOLIDserver-550, SOLIDserver-1100, SOLIDserver-2200,
SOLIDserver-3300 and SOLIDserver-Blast series (SOLIDserver-4000, SOLIDserver-5000
and SOLIDserver-5500), you can connect to the iDRAC GUI and open the Virtual console.
You can also plug a monitor and keyboard into the hardware appliance VGA and USB ports.
• For appliances SOLIDserver-270, SOLIDserver-570, SOLIDserver-1170, SOLIDserver-2270,
SOLIDserver-3370, SOLIDserver-Blast series (SOLIDserver-Blast-4070, SOLIDserver-Blast-
5070 and SOLIDserver-Blast-5570) and SOLIDserver-7070, you can connect to the iDRAC
GUI and open the Virtual console. You can also plug a monitor and keyboard into the hard-
ware appliance VGA and USB ports.
By default there is already an interface configured for SOLIDserver image, it has the IP address
192.168.1.1 and the netmask 255.255.255.0.You can change both according to your need when
configuring the basic network settings or during the first installation.
26
First Configuration
3. Log in as the default admin user, the default password is admin. The Main menu appears.
4. The line N Network Configuration is highlighted.
27
First Configuration
Hit the digits or arrows to highlight an interface. Hit space to select the interface. Each
selected interface is preceded by [*].
The selected interface(s) respond(s) to the IP address, netmask and gateway you con-
figure next. Selecting several interfaces configures an Ethernet port failover.
Hit Enter to confirm the interface(s) selection. The menu IP addresses list opens.
b. The line 1 192.168.1.1 255.255.255.0 is highlighted. The IP address 192.168.1.1 and
the netmask 255.255.255.0 are the default values.
28
First Configuration
Hit Enter to save your changes, the menu IP addresses list menu opens again.
d. Hit E to select E EXIT and it Enter. The menu Network configuration opens.
7. Configure the appliance hostname
a. Hit G to select G Global configuration.
Hit Enter to save your changes, the menu Network configuration opens again.
c. Hit E to select E EXIT and it Enter. The menu Main menu opens.
8. The line C Commit modifications to system is highlighted.
29
First Configuration
Hit Enter to save the whole configuration. The last message appears.
9. The button Yes is highlighted.
Your configuration is now complete and you can access your SOLIDserver through the browser
of your choice. Make sure the browser version complies with the prerequisites mentioned above.
30
Chapter 3. Using SOLIDserver for the
First Time
When using SOLIDserver for the first time, you need to:
1. Log in.
2. Request and activate a license.
3. Define the modules interaction, or internal module setup.
4. Configure SOLIDserver on your network.
5. Configure user access to the appliance.
Connecting to SOLIDserver
No matter the browser you choose to use, to access SOLIDserver you need to follow the procedure
below.
If you defined a hostname for your SOLIDserver in your DNS, you can use its name in the URL
field rather than the IP address.
Your browser probably identified that the certificate is not from a trusted certifying authority
and that the hostname on the certificate is invalid or does not match the name of the site.
3. Accept the certificate. SOLIDserver login page appears:
ddi.mycorp.com
Login
Password
On the dashboard the gadget System Information indicates that there is No license installed,
you must request a license and add it to manage SOLIDserver.
31
Using SOLIDserver for the First
Time
Each license key is unique and specific to one SOLIDserver appliance, you cannot use the same
license key on several appliances.
The Maintenance contract number is composed of 12 digits and your client name, where
the first 6 digits are the maintenance expiry date (yymmdd) and the next 6 digits are the
maintenance start date (yymmdd).
e. In the field Request Key, paste your request key or the content of your request key file.
This field is required.
f. In the field Number of External Managed Servers (MVSM, if any), specify the total
number of servers - DNS, DHCP... - you intend to manage from SOLIDserver.
g. In the section Optional Module, tick all the optional modules you might need: DNS
1
Guardian, DNS GSLB, NetChange, Device Manager or SPX.
h. If relevant, fill in the field If requester is NOT end customer, please provide your contact
information (Name, Company, Email, Phone): with all the appropriate data.
i. In the drop-down list Language, you can choose to display the content of the panel
Privacy Policy in English, French, German or Spanish. The panel provides a link towards
EfficientIP Privacy Statement.
j. Tick the box I accept the Terms and Conditions.
k. Click on SUBMIT to send us your information.
1
If you do not tick this box, you are using NetChange-IPL, NetChange basic options.
32
Using SOLIDserver for the First
Time
Once EfficientIP has answered your request and sent you a license key, you can add it to the
appliance to activate your licence as detailed below. Note that the appliance should be time
synchronized before activating the license.
To make sure the appliance is on time, we strongly recommend configuring the NTP. For more
details, refer to the chapter Configuring the Time and Date.
To activate a license
1. From the EfficientIP email response to your license request, copy the license key.
2. Connect to SOLIDserver using the superuser credentials. The page Main dashboard opens.
3. In the gadget System Information, click on the link Add license . The wizard opens.
4. Read the License Agreement and click on NEXT . The page Add a license opens.
5. In the field Licens(e), paste the license key.
6. Click on OK to complete the operation. The page refreshes. In the gadget System Information
the License type is updated and all the modules that come with your license are visible.
If you need to renew your license, to have more services, extend the maintenance time or manage
the license metrics, refer to the section Managing Licenses.
The Internal module setup allows you to enable the interaction between the modules IPAM, DNS
and DHCP. That way you can manage your resources and objects on one page and update them
in other modules.
At any point, you can edit the internal module setup from the module Administration.
33
Using SOLIDserver for the First
Time
What is marked has not been configured yet. You can click on each link to configure
everything you need. For more details, refer to the section SOLIDserver Configuration
Checklist.
2. The gadget General Information provides shortcuts toward services and appliance settings.
• Services lists key services. services are not configured yet, are not started yet and
are configured and running. Clicking on configured services allows to start/stop them,
clicking on services not configured yet opens the page Services configuration where you
can configure them. For more details, refer to the chapter Configuring the Services.
Make sure that the service NTP is started, it is crucial for DHCP, DNS and High Availability
management. For more details, refer to the chapter Configuring the Time and Date.
• Hostname, IP Addresses, Default gateways and Status return the appliance basic network
configuration details. Clicking on any value opens the page Network Configuration where
you can edit or set them. For more details, refer to the chapter Configuring the Network.
• SOLIDserver role is the appliance role on the page Centralized management. For more
details, refer to the chapter Centralized Management.
Being logged as the superuser, ipmadmin, you belong to the most privileged group, admin. Users
of that group can perform all operations and have access to all existing resources. Some operations
can only be performed by the users of that group, in which case it is specified in the procedure.
Note that you can also configure and enable authentication rules relying on Active Directory,
LDAP, RADIUS and OpenID Connect to securely log in external users. For more details regarding
users and groups, refer to the part Rights Management.
34
Chapter 4. Understanding the GUI
SOLIDserver centralizes all the operations in a unified Graphical User Interface (GUI) divided
into modules with common management principles and navigation logic.
All management pages share common elements, detailed in the image below.
The sidebar gives access to the SOLIDserver dashboards, the modules, the Tree view and
the Smart folders. For more details, refer to the section Sidebar.
The top bar gives access the Global search, your settings through the menu My account,
all Notifications and the menu Help. For more details, refer to the section Top Bar.
The breadcrumb is a navigation bar available on all pages of all modules except Administra-
tion, where it is only displayed on some pages. It provides direct and hierarchical access to
the module objects. For more details, refer to the section Breadcrumb.
The menu is displayed on every page. Its content differs on each page. For more details,
refer to the section Menu.
35
Understanding the GUI
The Main dashboard contains one or several gadgets depending on the user connected. For
more details, refer to the section Gadgets Displayed by Default.
You can edit the Main dashboard welcome banner with a different message or even an image.
For more details, refer to the chapter Customizing the GUI.
In the module Dashboards, you can access the dashboard of a specific module through the
drop-down list on the page Main dashboard.
On the dashboards, you can add the gadgets of your choice. For more details, refer to the chapter
Managing Gadgets.
Sidebar
The sidebar allows to access all the modules as well as the Tree view and the Smart folders.
36
Understanding the GUI
Modules
Each module has a dedicated section in the sidebar.
When you navigate from one module to another, the latest page visited is saved and you can
open it again if you go back to the module.
Clicking on the icon or name of the module you are currently in opens the page of the top level.
Figure 4.3. Overview of the page All Networks in the module IPAM
When the sidebar is expanded, each module icon and name are displayed.
The button highlighted in blue indicates the module you are currently in.
The module you are currently in is displayed. The current page is highlighted in blue.
In the breadcrumb, the current page is also highlighted in blue.
The menu contains some options specific to the module. For more details, refer to the section
Menu.
In the image above, to list the networks, in the sidebar, go to IPAM > Networks. The page
All networks opens.
37
Understanding the GUI
Figure 4.4. Overview of the page All Networks in the module IPAM
When the sidebar is collapsed, only the module icons are displayed.
The button highlighted in blue indicates the module you are currently in.
When you hover over the icon of a module, its name and the list of the pages it contains are
displayed.
In the image above, to list the networks, in the sidebar, go to IPAM > Networks. The page
All networks opens.
Keep in mind that in addition to the menu entries in the sidebar, the breadcrumb allow to access
the pages of the module. For more details, refer to the section Breadcrumb.
The module Administration has a dedicated sidebar and a homepage, Admin Home.
38
Understanding the GUI
Figure 4.5. Overview of Admin Home, the homepage of the module Administration
The button Quit Administration allows to leave the module Administration and to go back to
the other modules.
The sidebar cannot be reduced in the module Administration. It allows to navigate between
specific pages of the module without displaying the homepage.
Admin Home is divided into six sections. In each section, you find links to open the different
pages of the module.
When there are two links on one line, it means that the pages they open are linked to the
same object. For example, for the links Alerts and Definitions, the link Definition opens the
page Alerts Definition.
Tree View
The Tree view is a side panel that allows to display and access the data of the modules IPAM,
v1 v2
DHCP and DNS. When one of these modules is open, the button Tree view is available at
the bottom of the sidebar and allows to display a panel that contains the following information:
DHCP
This section is divided among DHCP servers, DHCP scopes, DHCPv6 servers and DHCPv6
scopes. Open each type to display and access the servers and scopes you manage in the
module DHCP.
DNS
This section is divided among servers and zones. Open each type to display and access the
servers and zones you manage in the module DNS.
39
Understanding the GUI
IPAM
This section is divided among the spaces you manage. Open each space sub-section to
display and access the objects it contains in the module IPAM.
This button allows to open or close the Tree view. The button is highlighted in blue when
the Tree view is open.
This button allows to refresh a section.
These icons indicate that a branch of the Tree view hierarchy is opened or closed . Click
on it to display or hide the content.
The Tree view panel can be dragged open according to your needs. Double-click on the
right edge of the Tree view to close it.
40
Understanding the GUI
If you open a module for which the tree view is not available, the panel closes automatically.
Smart Folders
This section contains all the smart folders you created, listed in the ASCII alphabetic order. It
provides links following the hierarchy you set towards the objects you configured in these folders.
The button My Smart Folders is available at the bottom of the sidebar and allows to display
a panel that contains your smart folders. For more details regarding smart folders refer to the
chapter Managing Smart Folders.
This button allows to open or close the Smart Folders panel. The button is highlighted in
blue when the Smart Folders panel is open.
This button allows to refresh a section.
41
Understanding the GUI
These icons indicate that a branch of the Smart folders hierarchy is opened or closed .
Click on it to display or hide the content.
The Smart Folders panel can be dragged open according to your needs. Double-click on
the right edge of the panel to close it.
Top Bar
The top bar is available on all pages and gives access the Global search, your settings through
the menu My account, the Notifications and the Help.
Global Search
SOLIDserver includes a search engine called Global search that allows you to perform searches
in the database of several modules at once.
This Global search field is available from any page.You can look for data using full names, values
or look for fragments of information (some letters of a name for instance) to find all the partial
matches.
42
Understanding the GUI
All matching results are returned in sections dedicated to all the relevant modules and objects
and preceded by their dedicated icon.
This button allows you to resize the window Global search.
To display more information in the window Global search, click on any result line. The data
loads under the object line.
The button allows to access the properties page of the object.
This button allows you to close the window. Once you performed a search, the window re-
mains open above the page you are currently on, until you close it.
43
Understanding the GUI
Notifications
SOLIDserver keeps track of all the operations performed during the last week in the dedicated
window Notifications. Whether the operation was successful or not, this window lists the services
run and allows to see and export the final report of the operation.
In the top bar, click on Notifications, to open the window. The number in the red flag
above the icon Notifications indicates the number of error messages in the window.
The notifications are listed in reverse chronological order.
This button allows to resize the notifications window.
The operation is displayed using the service it uses as follows: <action>:<resource it was
performed on>.
The status is either if the operation was successful or if at least one error occurred.
Any other icon indicates that the operation is ongoing.
This button allows to delete a notification. There is no warning before deletion.
This button allows you to close the window. Once you open it, the window remains open
above the page you are currently on, until you close it.
Once you clicked on a line, the type and full details of the report appear in the window.
Click on any of the available formats to export the final report.
This button allows to go back to the list of notifications.
44
Understanding the GUI
My Account
This menu is accessible from any page of SOLIDserver. It allows to:
• Access the connected user account configuration options via My Settings. For more details,
refer to the section Account Configuration.
• Change the connected user password.
• Access the page My Quick Wizards. For more details, refer to the section Quick Wizards.
• Access the page My Smart Folders. For more details, refer to the chapter Managing Smart
Folders.
• Access the page My Bookmarks. For more details, refer to the section Bookmarks.
• Access the page My Gadgets, that provides access to the pages Gadgets Library and My
Gadgets. For more details, refer to the chapter Managing Gadgets.
• Close your session via Logout.
Help
This menu allows to:
• Open SOLIDserver Administrator Guide, via Administrator Guide. The PDF file opens in a new
tab of your browser. You can save it on your computer to access it even when you are no
longer connected to the appliance.
• Open the Software License Agreement, via License Agreement.
Breadcrumb
The breadcrumb is a navigation bar. It is available on all the pages of SOLIDserver except in the
module Dashboards and on most pages of the module Administration. It provides direct and
hierarchical access to the module objects, allows you to filter data displayed on the listing pages
and to access additional pages.
45
Understanding the GUI
The icon and name displayed in blue show the page you are currently on, here the page All
networks. The current level and its parent(s) have a dark gray background.
The lower levels are displayed in a light gray area. Here All pools or All addresses. You can
access either directly.
Filtering Data
The breadcrumb allows to filter and browse the content of specific objects in each module.
This display indicates that you are filtering data and browsing the content of the object
mentioned. Here, you are displaying the views, zones and records of the DNS server
ns1.mycompany.com.
With the breadcrumb filtered at server level, clicking on All views opens the page but only
displays the views of the server ns1.mycompany.com.
With the breadcrumb filtered, the object level All <objects> is renamed <Object>. It still
provides access to the page, here DNS zone opens the page All zones but only displays
the zones of the server ns1.mycompany.com as the breadcrumb is filtered at server level.
If it was not, it would list all existing zones regardless of their server.
With the breadcrumb filtered, the object name is a link toward its properties page. Here,
clicking on mycompany.com opens its properties page.
With the breadcrumb filtered at zone level, clicking on All RRs opens the page but only dis-
plays the records of the zone mycompany.com.
46
Understanding the GUI
The chevron icon indicates that additional pages are available. Click on the icon to display
these pages in the breadcrumb.
When the additional pages are displayed in the breadcrumb, you can click on to hide
them.
All additional pages available are displayed to the right of the icon.
Menu
The menu is displayed on almost every listing page. Its content differs on each page and the
options available vary from one user to another depending on the rights they are granted. For
more details regarding rights, refer to the part Rights Management.
Add
This menu is available on all the listing pages when relevant.
Delete
This menu is available on all the listing pages when relevant.
On some pages, the button Delete is grayed out. You need to select the object that you want
to delete in the list to be able to click on it.
Edit
This menu is available on all the listing pages when relevant.
For example, it allows to synchronize/refresh servers and devices, manage access to the objects
for groups of users or perform specific operations on the objects listed.
On the properties page of the objects, it allows to edit the panels on the page.
On some pages, the menu option Edit is grayed out. You need to select the object that you
want to edit in the list to have access to this menu.
Tools
This menu is available on all the listing pages. It allows to:
47
Understanding the GUI
On the properties pages, this menu is available only for some specific advanced operations.
On some pages, the menu Tools is grayed out. You need to select an object in the list to
have access to this menu.
Import
This menu is available on all the listing pages when relevant.
In the IPAM, the DNS and Device Manager it allows to import the objects you manage on the
page as well as the objects they can contain. For instance, you can import IP addresses from
the page All spaces.
Report
This menu is available on the listing pages of all the modules when relevant. It allows to:
• Export the list in a CSV, HTML, XML, EXCEL and PDF file.
• Generate a report specific to the data listed in a HTML or PDF file.
This menu also allows to generate reports from some properties pages.
For more details, refer to the chapters Managing Gadgets, Managing Alerts and Managing Smart
Folders.
Extra Options
Ancienne taille de la page
This menu is accessible from any listing page or properties page of SOLIDserver.
48
Understanding the GUI
Other Buttons
On the right-end side of the menu you can see other buttons.
Listing Templates
This button allows to display, edit or create listing templates for the current page in a dedicated
window. For more details, refer to the section Customizing the List Layout.
Switch to IPv4
This toggle buttons is displayed next to on the pages that provide both IPv4 and IPv6 man-
agement in the IPAM, DHCP and NetChange. The gray button indicates the current version dis-
played. If you click on the white button, you display the other version.
Switch to IPv6
This toggle buttons is displayed next to on the pages that provide both IPv4 and IPv6 man-
agement in the IPAM, DHCP and NetChange. The gray button indicates the current version dis-
played. If you click on the white button, you display the other version.
This button is displayed when the IPv6 toggle is active. It allows to use IPv6 labels. For more
details, refer to the chapter Managing IPv6 Labels.
This button is displayed when the IPv6 toggle is active. It allows to uncompress IPv6 addresses
Show/Hide
In the module IPAM, it allows to show/hide subnet-type networks managed by other networks
under the column Address + prefix.
In the DHCP and the DNS, it allows to show/hide the physical servers managed via smart archi-
tectures under the Name of each smart architecture.
In the module Application, it allows to show/hide the deployed applications and traffic policies
under the Name of each application.
In the module Guardian, it allows to show/hide the deployed policies under the Name of each
policy.
49
Understanding the GUI
Account Configuration
Each user has the possibility to edit their account once they are connected. From any page, they
can use the menu My Account to edit their account preferences or they can go to the SOLID-
server Main dashboard to edit them from two default gadgets.
Any user can perform this configuration from the menu My account. The super user, ipmadmin,
can also do it from the gadget System Information.
50
Understanding the GUI
Keep in mind that remote users cannot edit their password. Remote users come from a third
party server or directory - AD, LDAP or RADIUS - and are authenticated via a dedicated rule.
For more details, refer to the chapter Managing Authentication Rules.
Listing Page
The listing pages are the most common pages within SOLIDserver.
• They allow to sort the data displayed on the page. When the name of the columns is underlined,
it indicates that sorting is available and you can click on it.
• They allow to filter data. Use the search engine located under the column name to only display
the objects matching your search.
• They allow to manage objects. The menu indicates what operations users can perform on the
page. Depending on their rights, some options are not visible. For more details, refer to the
part Rights Management.
• They allow to access the properties page of the objects listed, when relevant. For more details,
refer to the section Properties Page.
• They provide a contextual menu with some options for the objects listed. For more details,
refer to the section Using the Contextual Menu.
51
Understanding the GUI
Each object can be ticked and managed separately. You can select a set of successive
items using the key SHIFT on your keyboard.
All the objects can be selected at once. Above the list, you can tick the box left to the first
column to select all the items listed, whether the list is filtered or not, it selects all the items
counted in the result.
It allows you to refresh the listing page.
Within the data listed, all the data underlined provides a link. Depending on the page, it
can be a filter to list the content of a container or open the properties page of an object. At
the lowest level of a module hierarchy, it can perform specific operations (assign the object
for instance) or open the edition wizard or properties page of the object.
There is no limit to the number of objects on a page but the more data you display, the more
resources SOLIDserver uses to display them. To define the number of elements per page, refer
to the procedure To configure the user settings.
If there are more lines to be displayed than the number selected in your settings, the listing area
contains sub-pages that allow to navigate within the object database. The GUI provides some
key fields, buttons and areas to navigate within these pages. The following elements only appear
when there are many elements on the same page:
The results indicates the total number of objects listed on all pages, if no filter is applied. If
a filter is applied, it indicates the total number of objects matching your search.
These buttons allow you to display, respectively, the first and previous pages of data.
The number of pages on which data is listed. The number highlighted in blue displays which
page you are currently on.
These buttons allow you to display, respectively, the next and last page of data.
52
Understanding the GUI
The underlined column names indicate that you can sort the data listed in direct/reverse al-
phabetical order.
This arrow indicates that the list is sorted through the column Date in ascending order.
The column names not underlined indicate that you cannot sort the column data.
This button allows you to apply the filter using the data entered in the column search engine.
You can also hit Enter to perform a filtered search.
The column search engine allows to type in the data you are looking for in the column. If
this field is not visible, you cannot filter data via the column, you might only be able to sort.
This button allows to unset all the filters applied on the page, no matter how many were set.
Columns with no search field cannot be filtered.
53
Understanding the GUI
Using Filters
All the columns that can be filtered provide a search engine where you can type in or select, using
the filter constructor, the values that you want to match or avoid.
There are filter constructors dedicated to the database recurring values, such as statuses, protocol
versions, server types, etc.
For the recurring values in your database, filter constructors provide a box Top occurrences.
54
Understanding the GUI
Figure 4.22. The top occurrences of DHCP physical servers on the page All servers
In the columns for time and date, there is a dedicated filter constructor.
55
Understanding the GUI
2. In the search engine of any column, type in values or operators. For more details, refer to
the section Accepted Operators for Time & Date Columns.
3. Click on APPLY . Only the data matching your search is displayed in the column.
4. You can filter more columns if need be.
To filter columns containing time and date using the filter constructor
1. Go to the module and listing page of your choice.
2. In the search engine of any column, double-click in the search engine. The filter constructor
opens. Depending on the resources listed on the page, it may provide a list of Top occur-
rences. This list provides an overview of the recurring values in the column (names,
vendors...): the most used values.
3. If you use several criteria, select the radio button AND or OR.
4. In the drop-down list, select a filter constructor. To see the list of available filter constructors,
refer to the figure 1.19.
5. In the box on the right, enter the value you want to use to filter.
6. To use several criteria, click on . A new line appears, follow the steps a and b to define
the new criterion.
Note that these operators are not available in all search engine fields. For more details, refer to
the section Using Filters
For columns containing time and dates, refer to the section Accepted Operators for Time & Date
Columns.
You can also type in keywords in the search engine, the following operators are accepted:
56
Understanding the GUI
Expression Description
!~*string does not end with string.
string* begins with string.
!~string* does not begin with string.
expression1 expression2 expression1 and expression2 on the same line.
expression1 & expression2 expression1 and expression2 on the same line.
expression1 | expression2 expression1 or expression2 in the same column: the line matching either data
in the column is returned.
Keep in mind that the space between the operator and the string is accepted.
On several pages, some columns are dedicated to time and/or date. If the column contains a
search engine under the column name, it provides specific filtering operators.
The columns containing time and/or date also provide dedicated keywords that you can use to
filter a list:
Removing Filters
Once you filtered columns, you can remove your filters following the procedures below.
57
Understanding the GUI
2. Once you filtered a column, its search engine contains the value you set and .
3. Click on to remove the column filter.
If the page has columns filtered by default, they are still filtered.
• On this page, the default listing templates are only available after you have added other
listing templates.
Classes can help customizing the layout
• You can include columns displaying class parameters in the listing templates, these columns
are all named Class param: <object label>. For more details regarding classes, refer to
the section Configuring Classes.
58
Understanding the GUI
• You can automatically display listing templates based on the class applied to the container
of the object listed via the automatic templates. Note that the automatic templates are
not available at the highest level of a module hierarchy. For more details regarding how
to apply a class, refer to the section Configuring Classes.
Note that if your administrator has configured several templates with the same class, the
Automatic template option displays the most recent one.
You can add listing templates and automatic templates from listing pages or the page Listing
templates management.
Note that when you add a new listing template, it is not automatically displayed.
59
Understanding the GUI
• To add a column to the template, select it in the list Hidden columns and click on . The
column is moved to the Displayed columns.
• To remove a column from the template, select it in the list Displayed columns and click
on . The column is moved to the Hidden columns.
• To set the order of the columns, select them one by one in the list Displayed columns
and click on or .
If you are adding a template at the highest level of a module, go to the step 10.
8. Click on NEXT . The last page opens.
9. In the drop-down list Parent level, None is selected.
10. Click on OK to complete the operation. The report opens and closes.
11. Display the template. For more details, refer to the section Displaying Listing Templates.
3. In the panel of your choice, click on ADD . The wizard Template Selection opens.
4. In the drop-down list Action, select New template. A field appears.
5. In the field Name, type in the template name.
6. Click on NEXT . The page <Objects> lists configuration opens.
7. Via the lists Hidden columns and Displayed columns, configure your listing template. Each
list contains the same columns than the template default.
• To add a column to the template, select it in the list Hidden columns and click on . The
column is moved to the Displayed columns.
• To remove a column from the template, select it in the list Displayed columns and click
on . The column is moved to the Hidden columns.
• To set the order of the columns, select them one by one in the list Displayed columns
and click on or .
If you are adding a template at the highest level of a module, go to the step 10.
8. Click on NEXT . The last page opens.
9. In the drop-down list Parent level, None is selected.
10. Click on OK to complete the operation. The report opens and closes.
11. Display the template. For more details, refer to the section Displaying Listing Templates.
An automatic template is a listing template that is automatically displayed when one or several
classes, defined in the template, of the current object container are selected.
You can add automatic templates from listing pages or the page Listing templates management.
60
Understanding the GUI
You can add a template for page listing objects that have a container.
1. Go to the listing page of your choice.
2. In the menu, click on Listing templates. The window opens.
3. Click on MORE OPTIONS . The wizard Template Selection opens.
4. In the drop-down list Action, select New template. A new field appears.
5. In the field Name, type in the template name.
6. Click on NEXT . The page <Objects> lists configuration opens.
7. Via the lists Hidden columns and Displayed columns, configure your listing template. Each
list contains the same columns than the template default.
• To add a column to the template, select it in the list Hidden columns and click on . The
column is moved to the Displayed columns.
• To remove a column from the template, select it in the list Displayed columns and click
on . The column is moved to the Hidden columns.
• To set the order of the columns, select them one by one in the list Displayed columns
and click on or .
8. Click on NEXT . The last page opens.
9. In the drop-down list Parent level, select the level for which the class should be applied. Two
lists appear.
10. Select the classes that automatically display the template:
• To add a class, select it in the list Available classes and click on . It is moved to the list
Selected classes.
• To remove a class, select it in the list Selected classes and click on . It is moved to the
list Available classes.
11. Click on OK to complete the operation. The report opens and closes.
12. Display the template. For more details, refer to the section Displaying Listing Templates.
You can edit any type of listing template from listing pages or the page Listing templates manage-
ment.
Note that moving the columns of a page automatically edits the current listing template, but you
cannot remove a column from the template that way.
To move a column
61
Understanding the GUI
If you are editing a template at the highest level of the module, go to the step 9.
7. Click on NEXT . The last page opens.
8. In the drop-down list Parent level, select a different value if need be. For more details, refer
to the procedure To add an automatic template.
9. Click on OK to complete the operation. The report opens and closes.
10. Display the template. For more details, refer to the section Displaying Listing Templates.
3. In the panel of your choice, select the template that you want to edit.
4. Click on EDIT . The wizard opens.
5. In the lists Hidden columns and Displayed columns, edit the columns according to your
needs.
If you are editing the template at the highest level of the module, go to the step 8.
6. Click on NEXT . The last page opens.
7. In the drop-down list Parent level, select a different value if need be. For more details, refer
to the procedure To add an automatic template.
8. Click on OK to complete the operation. The report opens and closes.
9. Display the template. For more details, refer to the section Displaying Listing Templates.
You can only rename listing templates, only from the page Listing templates management.
Note that if you rename a listing template while it is displayed on the page, you need to select it
again in the listing page.
62
Understanding the GUI
3. In the panel of your choice, select the template you want to rename.
4. Click on RENAME . The wizard opens.
5. In the field New Name, type in the template new name.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again, the new name is displayed.
You can only delete listing templates from the page Listing templates management.
Note that you can delete a listing template even if it is being displayed.
3. In the panel of your choice, select the template you want to delete.
4. Click on DELETE . The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again, the template is no longer listed.
If you delete the listing template that is currently displayed, the automatic template is dis-
played.
63
Understanding the GUI
• Information displays a table containing the basic information of the object. This information
is also displayed in the panel Main properties on its properties page.
• Filter allows to filter the list using the value you right-clicked on.
For more details regarding the options available on the properties page, refer to the section
Properties Page.
The messages returned by this column do no always reflect configuration errors for the object.
For instance, in the DNS, the Multi-status message 61006: Server type incompatible with Hybrid
indicates that the server in question cannot be switched to Hybrid DNS, it is probably managing
authoritative and recursive zones; it does not mean that the server is not running properly or is
misconfigured.
The column is displayed by default on some pages of the modules DNS and DHCP. You can
display it on the other pages. For more details, refer to the section Customizing the List Layout.
Figure 4.25. Example of Multi-status messages on the DHCP page All servers
The column Multi-status returns colored squares containing messages. The color indicates
the severity of the message. In each square, a number indicates how many messages match
the severity. In this example, the yellow square indicates that there is 1 error message re-
turned for the smart architecture and its content.
Hovering over a square opens the window containing the message(s) of the object. In this
example, a physical server returns the Multi-status 60002.
The column provides messages divided into 6 levels of severity. Each one provides useful status
and state information regarding the object or the configuration within the module.
64
Understanding the GUI
Each message and level of severity is specific to each object. The number of the messages are
distributes among the modules: all DHCP messages start with 60000, all DNS messages with
61000... For more details, refer to the appendix Multi-Status Messages.
They are displayed above start addresses to highlight IPv6 containers. For more details, refer to
the chapter Managing IPv6 Labels.
Figure 4.26. Example of IPv6 labels used to highlight a geographical distribution in the IPAM
Properties Page
The properties page gathers all the information regarding an object.
• It is accessible from the listing pages. If the listing page already gathers all the information re-
garding the object managed, the object has no properties page.
• It allows to configure or edit object configurations. Some options are only available on the
properties page of the object.
• It distributes all the information among panels. The panel Main properties contains the most
general information. All the other panels contain more specific data. The panels that can be
edited contain the button EDIT.
• It contains the panel Audit in the modules IPAM, DNS and DHCP that indicates every change
made on the object, by whom and when.
• It contains common panels within a module and levels in the hierarchy.
65
Understanding the GUI
This is what an open panel looks like. In this example, the screenshot displays the default
display of a zone properties page.
In the menu, the menu Edit presents the editable panels in one list.
The button EDIT is present at the bottom of each and every open panel that you can edit. It
opens an edition wizard of the object parameter.
This is what a closed panel looks like: only the panel name is visible. You can open it via
the button .
The button Expand/Collapse All allows to open or close at once all the panels of the
page.
Some panels are specific to the object, others are available across the modules:
• Main properties: provides an overview of the main information regarding the object.
• Advanced properties: displays the advanced properties configuration of the object and the
level the property was inherited from.
This panel is available in the modules IPAM, DHCP and DNS for the resources that can be
configured with advanced properties, for more details refer to the chapter Managing Advanced
Properties.
• Audit: logs all the changes carried out on the object by the connected user over time.
This panel is available on all properties pages of the modules IPAM, DHCP and DNS; except
for DHCP servers, groups, scopes, leases and DNS views and RRs.
If the user belongs to a group with access to the modifications of all users, it displays all the
operations ever performed on the object. For more details, refer to the section Allowing Users
to Display All the Operations Performed.
• Groups access: displays all the groups that have the object as resource. Under each group
name are listed the rights granted over the resource and its content.
66
Understanding the GUI
This panel is available in the modules IPAM, DHCP and DNS on all properties page, except
at the lowest level of each module hierarchy and on the properties page of DHCP groups and
ranges.
In the module NetChange, it is only available on the properties page of network devices.
In the module Administration, it is available on the properties page of users, except ipmadmin.
Only the name of the group is displayed but not the rights granted to the group. For more details,
refer to the part Rights Management.
Charts
A set of charts are available by default on properties pages and the page System statistics or
even in some gadgets and reports. For more details, refer to the sections Properties Page,
Monitoring the Appliance Statistics, Managing Gadgets and Managing Reports.
Note that, on the DNS page Analytics, all Guardian analytics offer a specific time-based chart
to narrow down the data to return. For more details, refer to the section Monitoring Guardian
Analytics in the chapter Managing Guardian Statistics.
2. Instant charts: they take the form of pie and bar charts. On instant charts, you can display
the data of your choice but you cannot zoom in or select any period.
Note that you can create instant charts from most listing pages, for more details refer to the
section Creating a Chart Gadget in the chapter Managing Gadgets.
All charts share a common structure and set of options. The illustration below contains a time-
based chart, therefore all time related options are not available on instant charts.
67
Understanding the GUI
The start and end dates of the data displayed on time-based charts. It matches the period
selected in the timeline and affects the scale of the x-axis. By default, it displays the last 3
hours.
The data retrieved is represented in a chart, where the y-axis indicates the unit, axis scale
and unit prefix and the x-axis indicates the data displayed or period. On time-based charts,
the y-axis depend on the period selected and maximum value displayed. Following the
standard ISO 80000-1, all the y-axis units can have no prefix or any SI prefix such as: m
(milli), k (kilo) or M (mega).
The timeline, the overall period of data available, of any time-based chart. The period dis-
played is highlighted in gray. By default, it displays a maximum of 365 days, to change it
refer to the section Editing the Number of Days Available on the Timeline.
The legend of the chart. Each set of data has a name and a dedicated color. You can click
on any entry to hide or display the data in the chart.
The display options. They allow to open the chart in a pop-up window with the button , to
refresh the data with . On time-based charts, you can select a period with that opens
a drop-down list to display the Current hour, Last 3 hours, Day, Week, Month or Year, and
the button to select a specific date.
All charts can be used as gadgets. For more details, refer to the section Assigning Gadgets to a
Dashboard in the chapter Managing Gadgets.
Note that the options in the sections below are only available for time-based charts.
If you hover over the edge of the gray area, the mouse pointer turns into a two-sided arrow that
you can move left or right according to your needs.
This period, represented by a gray area can also be dragged to select a different period.
If you hover over the gray area, the mouse pointer turns into a four-sided arrow.
In addition, you can click and drag on the timeline to select a period directly.
68
Understanding the GUI
Within the timeline, with a left-click of the mouse over a white area, you can select the period
that suits your needs. The pointer changes from an arrow to a cross.
Once you release the mouse, the data displayed in the chart, x-axis points of reference and
y-axis scale adjust accordingly.
When you hover over the chart, the arrow pointer turns into a four-sided arrow and the
background turns blue to indicate that you can interact with the data. You can display the
data date and time above the chart and the value at that time is displayed in the legend of
the chart.
69
Understanding the GUI
A black vertical line indicates where you are on the chart, each measurements focus is
symbolized by a circle in the color of the element displayed. Using the scroll wheel on the
mouse, you can zoom in and out.
You can click on the elements of the chart legend to display or hide them from the chart.
When you are browsing the chart, the value of each measurement on the line is indicated
above each element of the legend.
By default, the period of data displayed in the timeline of all charts is one year, 365 days. This
period is set in a dedicated registry database entry.
If you change the default period, all time-based charts refresh and display only the data retrieved
over the period, number of days, that you set.
To edit the registry key that sets the number of days displayed in the timeline
Wizards
Within SOLIDserver every operation - an object addition, edition, configuration, deletion - is per-
formed via a wizard. All the modules share a common wizard structure, the fields and/or buttons
that it contains depend on each operation. The title of the wizard specifies the ongoing operation.
In addition to the wizards, SOLIDserver uses pop-up windows: when there are configuration errors
or when you select too many or not enough objects from a list before performing operations via
the menu. However, some pages, like the Administration pages Groups and Class Studio or the
IPAM page All addresses, use pop-up windows. Therefore, to use SOLIDserver to the best of
its potential, make sure your Internet browser is not configured to block pop-up windows.
All the wizards share a common structure detailed in the sections below.
70
Understanding the GUI
The drag bar contains the title, a pushpin to save the wizard and a cross to close the wizard
without saving any changes. For more details regarding how to save a wizard, refer to the
section Quick Wizards.
The gray areas are informational sections. The first one is a location reminder: it indicates
the container you are in and its basic information. The other sections are read-only sections,
like the field Comment that sums up the current configuration, or informational messages
to guide you during the configuration.
The input fields are the most commonly used. Their border changes color in case of miscon-
figuration.
The button Set/Propagate allows you to configure the inheritance or propagation properties
of the value in the field. If the value is inherited, the field background is gray and cannot be
edited. For more details, refer to the section Setting Advanced Properties.
The fields name and border turn red if there is a syntax error. In addition, the exclamation
mark icon is displayed and you cannot save the configuration.
The star icon indicates that a field/parameter/option is required. If you leave the field blank,
you cannot save your configuration. If the field or drop-down list has a default value that you
do not change, it is selected and applied when you commit the configuration.
The field drop-down list contains a down arrow to indicate you have several values to choose
from.
The box is present on many wizards to set specific parameters. Ticking it usually reloads
the wizard and allows to set specific parameters in extra fields.
The navigation buttons of the wizard. The button OK indicates that you are on the last page
of the wizard. Clicking on it saves and applies your configuration. The button CLOSE closes
the wizard without saving the configuration or changes applied.
For more specific configurations, the wizards embed extra information icons. These icons open
a window containing more detailed information to help with a thorough configuration of the object.
71
Understanding the GUI
The question mark icon indicates extra details regarding a field. Hover over it to open the
field configuration help.
72
Understanding the GUI
For instance, all the object deletion wizards contain a warning message to make you confirm the
deletion or to provide extra information regarding the consequences of the deletion.
Warning messages are displayed in orange. Some specific required values that cannot be
directly verified by the wizard are introduced by warning messages.
Information messages are displayed in blue.
73
Understanding the GUI
This list displays all the available columns that are not yet configured in the listing template.
In this example, the columns that could be displayed on the page All scopes.
Once you have selected a value in the list Hidden column, click on to move it to the list
Displayed columns and include them into the listing template.
These buttons allow to order the list entries. Select them one at a time and move them up
or down until the order suits your needs.
This list displays all the columns that are part of the listing template.
You can remove any column from the listing template. Select them one at a time in the list
Displayed columns and click on to move them to the list Hidden columns.
74
Understanding the GUI
The module Administration provides a set of wizards where you can set up and edit multiple
entries in a single list.
Figure 4.37. An example of data edition in a wizard providing entries management in one list
Once you have selected an entry in the list at the bottom of the wizard page, in this example
IP addresses list, its configuration details appear in these fields.You can edit any white field.
Click on UPDATE to save your modifications and overwrite the former configuration and follow
the wizard to commit your changes.
Click on DELETE to delete the selected configuration entry and follow the wizard to commit
your changes.
Click on CANCEL to discard any modifications made in the fields and to select another entry
in the configuration list or to add a whole new set of data.
The list of existing configurations. The blue color indicates the selected line. During the
modification, it turns gray.
75
Understanding the GUI
This field, above the button SEARCH , provides manual completion: in this example, you can
type in a hostname to automatically retrieve its IP address if the DNS resolution is configured.
76
Understanding the GUI
Quick Wizards
The quick wizard are shortcuts in essence that allow to save any wizard at any point of its config-
uration. The wizard's page and all the data filled or selected is saved within the quick wizard and
accessible at any time.
The quick wizards are saved and managed on a dedicated page but you can set shortcuts toward
each of them in a gadget or in a dedicated menu.
The column Name displays the quick wizard name. It allows to edit the quick wizards. For
more details, refer to the section Editing Quick Wizards.
The column All users indicates if the quick wizard is shared with other users (yes) or not
(no).
The column Description displays the description you might have set during the quick wizard
creation or edition.
The column Dashboard indicates on which dashboard the Quick wizard gadget is displayed.
It is empty if you only saved it in the Quick access menu. You cannot filter this column.
The menu Quick access. It appears if at least one quick wizard was assigned to the
Quick access menu.
The column Access is a link toward the wizard you saved.
The menu Quick access, can contain as many quick wizards as you want. You can access them
from any page as the menu is displayed in the top bar.
77
Understanding the GUI
You can edit it afterward to specify more locations. For more details, refer to the section Editing
Quick Wizards.
• Once created, a quick wizard is only available to the user who created it. To make it visible to
everyone, you can edit its visibility. For more details, refer to the section Editing Quick Wizards.
• You can access your quick wizards in different ways. For more details, refer to the section
Accessing Quick Wizards.
78
Understanding the GUI
79
Understanding the GUI
Bookmarks
You can bookmark any page, except in the module Dashboards. Bookmarks can be managed
from their dedicated page or gadget.
Browsing Bookmarks
All bookmarks are listed and managed from the page My Bookmarks.
The column Name displays the bookmark name. It allows to edit the bookmarks. For more
details, refer to the section Editing Bookmarks.
The column All users indicates if you share the bookmark visibility with other users (Yes)
or not (No).
The column Bookmark Folder indicates if the bookmark belongs to a folder. / means the
bookmark is not in any folder.
The column Path contains the link Access, toward the bookmarked page.
80
Understanding the GUI
When bookmarks are available in SOLIDserver, on the right-end side of the Breadcrumb,
next to the icon , a down arrow is displayed. It allows to display the list of all the available
bookmarks.
Adding Bookmarks
You can bookmark any page, except in the module Dashboards. In all other modules, you can
even bookmark pages displaying filtered data.
On pages that cannot be bookmarked there is no icon in the right-end side of the breadcrumb.
To bookmark a page
1. From any page that can be bookmarked, on the right-end side of the breadcrumb, click on
. The wizard Bookmark this page opens.
2. In the field Name, specify your own bookmark name if need be. By default a bookmark is
named Module: Page.
3. In the field Bookmark Folder, you can type in a folder name to organize the bookmarks on
the page My Bookmarks and in the window Bookmarks.
The field allows to create or find folders: type in a folder name and click on SEARCH to display
the list of existing folders and select the one you need.
4. If you want to add the bookmark to the gadget Bookmarks, tick the box Add to the gadget
Bookmarks.
For more details, refer to the sections The Gadget Bookmarks and Creating a Gadget
Bookmarks.
5. If you want to make the bookmark visible to any user, tick the box Share with the other users.
If you leave it unticked, you are the only user who can see it.
81
Understanding the GUI
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again and marked . The bookmark is listed on the page My Bookmarks.
Editing Bookmarks
You can edit the bookmarks: rename them, place them in a (different) folder, attach them to the
bookmark gadget and/or change the visibility settings from the page My Bookmarks.
Sharing Bookmarks
From the page My Bookmarks you can share one or several bookmarks at once.
To share bookmarks
1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Tick the bookmark(s) of your choice.
3. In the menu, select Edit > Visible to all users > Yes. The wizard Bookmark Visibility
opens.
4. Click on OK to complete the operation. The report opens and closes. The page is visible
again. The bookmark is marked Yes in the column All users.
82
Understanding the GUI
Deleting Bookmarks
You can delete bookmarks from the bookmarked page or from the page My Bookmarks. Note
that you can delete several bookmarks at one from this page.
83
Part II. Configuring SOLIDserver
Before managing your network, your administrator needs to configure your appliance.
This part details all the available system configurations needed to set up SOLIDserver from the module
Administration, they are divided as follows:
• Configuring the Time and Date: describes the ways of setting the appliance time and date, a mandatory
configuration to ensure services synchronization and data reliability.
• Configuring the Network: describes the operations to integrate the appliance to your network. From its IP
address and hostname to its DNS resolver, firewall settings, routes and so on.
• Configuring the Services: describes all the services and servers that you can configure and/or manage
from SOLIDserver: SSH, NTP, HTTP, DNS, DHCP, etc.
Note that the module Administration provides extra pages and features all described in the parts Adminis-
tration and Customization.
Table of Contents
5. Configuring the Time and Date ..................................................................................... 86
Configuring NTP Servers ......................................................................................... 86
Forcing the NTP Update .......................................................................................... 88
Setting the Appliance Time and Date Manually ......................................................... 88
6. Configuring the Network .............................................................................................. 89
Configuring Basic IP Addressing on an Interface ....................................................... 90
Setting the Routing ................................................................................................. 91
Setting the Hostname .............................................................................................. 93
Setting the DNS Resolver ........................................................................................ 93
Setting the Firewall .................................................................................................. 94
Setting up a VLAN Interface ..................................................................................... 97
Setting up an Ethernet Port Failover ......................................................................... 99
Configuring a VIP .................................................................................................. 100
Setting up a VIF .................................................................................................... 103
Configuring the Loopback Interface ........................................................................ 104
Configuring a Media Interface ................................................................................ 105
7. Configuring the Services ............................................................................................ 107
Handling Services ................................................................................................. 108
Configuring the SSH Remote Account .................................................................... 109
Changing the SFTP/SCP/RSYNC User Account Password ...................................... 110
Managing the TFTP Upload Authorizations ............................................................. 110
Configuring the SMTP Relay .................................................................................. 111
Changing the HTTPS Certificate ............................................................................ 112
Configuring Windows Events Collector ................................................................... 113
Configuring DNS Guardian .................................................................................... 113
Configuring GSLB Server ...................................................................................... 114
Managing the SNMP Service ................................................................................. 115
Downloading a DNS or DHCP Configuration File ..................................................... 117
85
Chapter 5. Configuring the Time and Date
Your appliance must always be set with the proper time and date to prevent any manage-
ment problems. That way, all your services are properly synchronized and all the data you
manage is up-to-date.
There are two ways of configuring the appliance time and date:
1. Via NTP.
We strongly recommend configuring NTP servers on your appliance. You can configure sev-
eral servers and even force an update. For more details, refer to the sections Configuring NTP
Servers and Forcing the NTP Update.
2. Manually.
You can set the date and time yourself as detailed in the section Setting the Appliance Time
and Date Manually.
Note that every user can choose time and date display of their session. For more details, refer
to the section Configuring the User Display Settings.
Note that in the procedure below we configure NTP servers from the module Administration, but
you can also configure them from the Main dashboard, in the gadget SOLIDserver Configuration
Checklist.
86
Configuring the Time and Date
4. In the column Name, click on the link NTP server. The wizard NTP servers configuration
opens.
5. Specify the NTP server(s):
a. In the field NTP server, type in the IP address or hostname of the server. It can be an
IPv4 or IPv6 address.
b. In the field Stratum, you can specify a level between 0 and 15. By default nothing is
specified, the stratum is retrieved from the server. We strongly advise against setting a
stratum if it is not necessary.
c. Click on ADD . The server and stratum are moved to the list NTP servers.
d. Repeat these steps for as many servers as you need.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up
or down .
6. Click on NEXT . The page Edit the NTP configuration opens.
7. Set the restrictions of the NTP server(s).
a. In the drop-down list Type, select IPv4 or IPv6.
b. In the field IP address, specify an IPv4 address, an IPv6 address or default.
c. In the field Mask, you can set the netmask of the IPv4 or IPv6 address you specified in
the field IP address. If you specified default, it is useless to set a mask.
d. In the field IP peer limit, you can specify the maximum number of requests for each
client IP address. The IP address and Mask you set identify the clients. You can set any
value between 0 and 65535 in the field, 0 means that no client can query the NTP
server(s). By default, no peer limit is configured, the field is set to -1.
e. In the field Flags, you can set one or several flags, separated by a space. The field ac-
cepts the flags kod, limited, lowpriotrap, noepeer, nomodify, noquery, noserve, notrap,
notrust, ntpport and version.
f. Click on ADD . The configuration is moved to the Restriction list.
g. Repeat these steps for as many restrictions as you need.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
Once the configuration is applied, under the link NTP server, the content of the lists NTP
servers and Restriction list is displayed on dedicated lines.
If you need to edit the NTP servers configuration, follow the procedure again and make your
changes. To take into account your changes immediately, you can stop the service NTP and
start it again. For more details, refer to the section Starting or Stopping a Service.
87
Configuring the Time and Date
We recommend configuring NTP servers on your appliance to make sure that the time and date
are regularly checked and updated, for more details refer to the section Configuring NTP Servers.
Note that, if you set up one or several NTP servers, the time and date you set manually will be
lost the next time an NTP server updates.
88
Chapter 6. Configuring the Network
This chapter details the page Network configuration where you can configure all the settings
necessary to run SOLIDserver on your network, including:
• Setting the Hostname of the appliance.
• Setting the DNS Resolver, the DNS server that SOLIDserver uses to resolve the names and
addresses that it manages.
• Setting the Firewall and reinforcing the appliance security by blocking potential dangerous
communications.
• Setting up the Default Gateway address that SOLIDserver uses to reach networks out of its
domain's broadcast.
• Setting up Specific Routes to set a specific path for the returned packets.
• Setting up Static Routes and enable data to be forwarded through the network with fixed paths.
• Configuring Basic IP Addressing on an Interface.
1
• Setting up a VLAN Interface , like using a physical interface as an 801.1Q interface.
• Setting up an Ethernet Port Failover, to allow aggregation of multiple network interfaces as
one virtual interface in order to provide fault-tolerance and high-speed links.
• Configuring a VIP, or Virtual IP, that is not connected to a specific computer or network interface
card on a computer. Incoming packets are sent to the VIP address, but all packets travel through
real network interfaces.
• Setting up a VIF, or Virtual InterFace, an EfficientIP feature that allows to add into a VIF a
configuration of physical interfaces embedding many services.
• Configuring the Loopback Interface of the appliance.
• Configuring a Media Interface, to define the option supported by the physical interface.
1
Virtual Local Area Network (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached
to the same broadcast domain, regardless of their physical location.
89
Configuring the Network
Keep in mind that the overlap of IP addresses linked with different physical interfaces is
not allowed in order to avoid asymmetrical routing. Indeed, if a packet is received from a phys-
ical interface it must not be forwarded to another one.
If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you can
select failover or LACP. By default, failover is selected. Click on NEXT .
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
7. Fill in the interface IPv4 address configuration parameters following the table below:
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IP addresses list. SOLIDserver can be accessed through all the IP addresses con-
figured on this VIF.
90
Configuring the Network
8. Click on NEXT .The last page opens. Fill in the interface IPv6 address configuration parameters
following the table below:
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IPv6 addresses list. SOLIDserver is accessible through all the IP addresses configured
on this VIF.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.
Keep in mind that the default gateway is only used if a packet is sent from a network address
unknown to SOLIDserver. For some networks, you might want to use route sourcing and set up
a specific route to send the response packet to the sender through the channel it came from
rather than using the default gateway to try and locate the sender. For more details, refer to the
section Setting up Specific Routes.
91
Configuring the Network
4. In the field IPv4 default gateway, fill in the IPv4 gateway of your choice.
5. In the field IPv6 default gateway, fill in the IPv6 gateway of your choice.
6. Click on OK to complete the operation.
7. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
Keep in mind that the DHCP does not take into account the specific route. Therefore, the man-
agement IP address a DHCP server should always be on the same network as the default gateway.
Within SOLIDserver, you can set up several specific routes. To configure a specific route, refer
to the procedure To set up a Basic Interface Configuration.
Once all the parameters needed are configured, click on ADD . The static route is moved to
the list Static routes.
92
Configuring the Network
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
4. Click on NEXT . The page Static routes (IPv6) opens. Follow the step 4 to configure an IPv6
static route.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
The hostname is used to identify and differentiate several appliances. It is all the more useful if
you manage remote appliances or configure appliances in high availability.
93
Configuring the Network
5. Click on ADD . The IP address is now moved to the list DNS Resolvers.
To order the entries, select them one by one and click on the arrows to move them up or
down .
6. Click on OK to complete the operation.
7. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session. It allows
to determine if the session conversation between the originating sender and the destination follows
a valid procedure of bi-directional packet exchange. Any packet that does not properly fit the
session conversation template is automatically rejected.
In addition, you can track down attackers or prevent network attacks by tracking more state per
session. As firewall messages filing are supported, you can review and track information after
the fact. You can see which packets have been dropped, from which addresses they came from
and where they were going, etc.
At any time, you can Open the firewall, to disable it, and ignore all these rules.
2
also known as dynamic packet filtering.
94
Configuring the Network
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
95
Configuring the Network
Parameter Description
any: a special keyword that matches any IP address.
<IP-address> specified with mask-length following the format: x.x.x.x/x or xxxx::/x .
<IP-address> specified without mask-length following the format: x.x.x.x or xxxx:: .
Destination port Define the destination port on which the firewall rule should be applied. Use a comma
to separate several port numbers.
Via Set the interface the packets should go through.The via parameter causes the interface
to always be checked as part of the match process. By default, nothing is selected.
Log Choose to save, or not, the log parameter indicating if a packet matches a rule in
SOLIDserver syslog page (it is saved with a facility SECURITY name). By default, No
is selected.
Keep state Decide if you want SOLIDserver firewall to create a dynamic rule, upon match, whose
default behavior is to match bidirectional traffic between source and destination IP/port
using the same protocol. By default, No is selected.
96
Configuring the Network
Keep in mind that firewall rules must not be deleted lightly. For instance, the rule #34 is a
delicate rule to delete as it refers to fragmented IP packets. As there is a maximum packet size
for transport level that depends on the transport medium (1500 bytes for Ethernet), if the IP
packet is larger than this, it needs to be broken up into fragments that get reassembled at the
destination. Without the rule #34, fragmented IP packets will be blocked by the firewall.
Note that to avoid asymmetrical routing, you cannot link overlapped IP addresses to different
physical interfaces. This way, if a packet is received from a physical interface it cannot be for-
warded to another interface.
If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you can
select failover or LACP. By default, failover is selected. Click on NEXT .
97
Configuring the Network
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
7. Fill in the interface IPv4 addresses configuration parameters following the table below:
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IP addresses list. The IP determines to which configured VLAN they belong and the
tag provides a more accurate filter.
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IPv6 addresses list. The IP determines to which configured VLAN they belong and
the tag provides a more accurate filter.
98
Configuring the Network
10. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page re-
freshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.
If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you can
select failover or LACP. By default, failover is selected. Click on NEXT .
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
7. Fill in the interface IPv4 address configuration parameters following the table below:
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IP addresses list.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
99
Configuring the Network
8. Click on NEXT .The last page opens. Fill in the interface IPv6 address configuration parameters
following the table below:
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IPv6 addresses list.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
9. Click on OK to complete the operation. If you configured LAGG, the protocol you chose is
displayed in the column Configuration.
10. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page re-
freshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.
Configuring a VIP
By default, an existing VIF, called DEFAULT_INTERFACE, is already applied in the system, you
can use this one or create a new one. In order to apply a new one, refer to the section Setting
up a VIF.
SOLIDserver allows you to set up virtual IP addresses (VIP) on supported services. This mech-
anism, known as Common Address Redundancy Protocol (CARP) is a protocol which allows
multiple EfficientIP devices on the same local network to share a single IP addresse or the same
set of addresses. Its primary purpose is to provide failover redundancy. For example, if there is
a single SOLIDserver running a DNS service and it goes down, then, the networks on each side
of the DNS service can no longer communicate with each other, or, they communicate without
any DNS service. However, if there are two EfficientIP devices running CARP, if one fails, the
other can take over with SOLIDserver on either side of the DNS service not being aware of the
failure. Operations continue as normal. Note that through a VIP you can manage DNS smart ar-
chitectures Master/Slave and Multi-Master.
The general idea is to have a single IP address, and several physical servers behind. In the case
of a failure, the next available server takes the lead and provides the relevant services. This
mechanism is available for DNS, NTP, TFTP services and SOLIDserver management.
Please note that with virtual appliances, the VMware ESXi host vSwitch must be configured as
follows:
• The option Promiscuous mode must be enabled,
• The option MAC Address Changes must be enabled,
• The option Forged Transmits must be enabled,
100
Configuring the Network
To configure a VIP
If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you can
select failover or LACP. By default, failover is selected. Click on NEXT .
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
7. Fill in the interface IPv4 address configuration parameters following the table below:
These fields allow to set up the availability of the DNS, NTP, TFTP or SOLIDserver
management services as long as both appliances belong to the same LAN (layer 2) and
both appliances are set with the exact same parameters in all the fields EXCEPT for the
101
Configuring the Network
Priority. To avoid any conflict, you must set one priority level for the first appliance and a
different one on the other.
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IP addresses list. SOLIDserver is accessible through all the IP addresses configured
on this VIF.
These fields allow to set up the availability of the DNS, NTP, TFTP services as long as
both appliances belong to the same LAN (layer 2) and both appliances are set with the exact
same parameters in all the fields EXCEPT for the Priority. To avoid any conflict, you must
set one priority level for the first appliance and a different one on the other.
Once all the parameters needed are configured, click on ADD . The new IP address is moved
to the IPv6 addresses list. SOLIDserver is accessible through all the IP addresses configured
on this VIF.
102
Configuring the Network
10. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page re-
freshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.
Setting up a VIF
A VIF (Virtual Interface) allows to set a number of configurations in a virtual container. Via this
container you can apply or edit a network configuration including embedded services. Keep in
mind that while the procedures below detail how to create, edit or delete a VIF from the page
Network configuration, during each procedure you need to make sure that you have at least one
operating interface connected to SOLIDserver or you might lose your point of access, and
therefore be unable to manage the appliance.
To add a VIF
To edit a VIF
103
Configuring the Network
To delete a VIF
By default, the loopback interface lo0 is available. You can configure it with one or more IPv4
and/or IPv6 addresses.
Note that you cannot use the loopback interface in LAGG, CARP, 802.1q or specific route config-
urations.
104
Configuring the Network
Once the loopback interface configuration is applied, all the IP addresses you set are
displayed in the column Name, under the line Physical interface: lo0.
5. Click on NEXT . The last page opens.
6. Set the IPv6 address configuration of the virtual loopback interface.
a. In the field IPv6 address, type in the IP address of your choice.
b. In the field Prefix, type in prefix of your choice.
c. Click on ADD . The IP address and prefix are moved to the IPv6 addresses list. By default,
the list already contains ::1-128. You should not delete this address.
d. Repeat these actions for as many IP addresses as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
Once the loopback interface configuration is applied, all the IP addresses you set are
displayed in the column Name, under the line Physical interface: lo0.
7. Click on OK to complete the operation.
8. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page re-
freshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.
105
Configuring the Network
3. Click on the name of Physical interface of your choice (it is attached to a VIF or located
under the Unused interfaces). The wizard Network interface configuration opens.
4. In the drop-down list Media, select the speed and duplex to be applied to the physical interface
you clicked on. By default, the autoselect option is selected, it is automatically selected by
SOLIDserver according to your network configuration.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
106
Chapter 7. Configuring the Services
This chapter details most of the services embedded in SOLIDserver, all gathered on the page
Services configuration:
• Handling Services details how to enable, disable, start and stop all available services.
• Configuring the SSH Remote Account allows to set up the details of the connection to
SOLIDserver via a Secure Shell (SSH) client.
• Changing the SFTP/SCP/RSYNC User Account Password allows to edit the xfer account
1
password used by the protocols SFTP, SCP and RSYNC .
• Managing the TFTP Upload Authorizations allows to deliver Trivial File Transfer Protocol (TFTP)
services in order to send boot and configuration files to DHCP/BOOTP clients (such as IP
phones, thin clients, bootless stations).
• Configuring the SMTP Relay allows to configure the host relay that SOLIDserver uses to send
emails via Simple Mail Transfer Protocol (SMTP).
• Configuring Windows Events Collector allows to enable the communication between SOLID-
server and your AD domains controllers to retrieve data in the module Identity Manager.
• Configuring DNS Guardian allows to configure the listening interfaces and enable the service
DNS Guardian if your license includes it.
• Configuring GSLB Server allows to configure the listening interfaces and enable the service
GSLB server if your license includes it.
• Changing the HTTPS Certificate allows to change the Apache certificate used to connect to
SOLIDserver.
• Downloading a DNS or DHCP Configuration File: allows to retrieve all DHCP and DNS config-
uration files.
• Managing the SNMP Service: allows to monitor SOLIDserver performances and load through
the SNMP protocol.
1
SFTP stands for Secure File Transfer Protocol also known as SSH File Transfer Protocol. SCP stands for Secure Copy. RSYNC
stands for Remote Synchronization.
107
Configuring the Services
Handling Services
SOLIDserver allows you to completely disable a network service. While a network service is
disabled, it cannot run. Once a network service is enabled, its state is automatically updated after
having applied the configuration. To sum up, a user can easily handle the embedded services:
enabling/disabling and starting/stopping every service provided by SOLIDserver.
To enable/disable a service
To start/stop a service
108
Configuring the Services
By default, the account admin is set with the password is set to admin. This account cannot be
edited but its password and the password level of security can be edited, as detailed in the sections
below.
On the appliance, an SSH shell session is available on SOLIDserver file system. If you update
configuration files directly, you can disturb or prevent SOLIDserver from running. Only adminis-
trators should use this configuration mode, by default admin is the only account that can access
SOLIDserver via SSH.
Keep in mind that you can configure SOLIDserver to allow LDAP/RADIUS authentication for SSH
connections. For more details, refer to the appendix Using Remote Authentication for SSH Con-
nections to SOLIDserver.
109
Configuring the Services
3. In the menu, select Tools > Configuration registry database. The wizard Configuration
of registry database opens.
4. Click on NEXT . The last page of the wizard opens.
5. In the drop-down list Security level of ssh password, select Low, Medium or Strong.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and is visible again.
The xfer account is not enabled and disabled like the services. Only one wizard allows to enable
and disable the account that manages the SFTP, SCP and RSYNC protocols.
You can enable uploads from remote appliances to SOLIDserver GUI. The uploaded files and
files available for download are listed on a dedicated page of the page Local files listing. For more
details, refer to the section Managing Files from the Local Files Listing.
110
Configuring the Services
Once the uploads are enabled, following the procedure above disables them.
You can also change the source email address of the outgoing mails and alerts notifications.
Note that you can only edit the source mail addresses locally.
111
Configuring the Services
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, under the Mail - SMTP line, click on Alert source mail: <mail-address>.
The wizard Source mail configuration opens.
4. In the field Alert mail, type in the email address of your choice.
5. Click on OK to complete the operation.The new address has now replaced the default address
in the list.
To eliminate these warning messages, you can change this certificate and use one that you
created or imported on the page All certificates. For more details, refer to the section Managing
SSL Certificates in the chapter Maintenance.
If the checks fail, the operation is automatically rolled back and the certificate is not changed.
In this case, you need to import or create a valid certificate and follow this procedure again.
For more details on how to import or create certificates, refer to the section Managing SSL Certi-
ficates in the chapter Maintenance.
112
Configuring the Services
For more details, refer to the section Preparing the Module in the chapter Configuring Identity
Manager.
Keep in mind that to enable and configure the service DNS Guardian your appliance must have
at least 8 GB of RAM. For more details regarding DNS Guardian, refer to the part Guardian.
Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.
113
Configuring the Services
4. In the list Available interfaces, select the interface of your choice and click on . The interface
is moved to the list Selected interfaces.
To remove an interface from the list Selected interfaces, select it and click on . The interface
is moved back to the list Available interfaces.
6. Click on OK to complete the operation. The report opens and closes.
7. In the column Name, look for DNS Guardian or DNS Guardian / GSLB server.
8. In the column Enabled, click on the link Disabled to enable the service. The wizard opens.
9. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
The DNS must be running as well. Make sure the services DNS Guardian and DNS server
(named) or DNS Guardian and DNS server (unbound) are both enabled and started.
Keep in mind that to enable and configure the service GSLB server your appliance must have at
least 8 GB of RAM. For more details regarding the configuration of applications with a GSLB
server, refer to the part Application.
Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.
To remove an interface from the list Selected interfaces, select it and click on . The interface
is moved back to the list Available interfaces.
6. Click on OK to complete the operation. The report opens and closes.
7. In the column Name, look for GSLB server or DNS Guardian / GSLB server.
114
Configuring the Services
8. In the column Enabled, click on the link Disabled to enable the service. The wizard opens.
9. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
The DNS must be running as well. Make sure the services GSLB server and DNS server
(named / nsd / unbound) are both enabled and started.
The columns Running and Enabled on the page Services configuration indicate the server state
on the appliance.
Note that SNMPv3 requires a properly configured NTP server. For more details, refer to the
section Configuring NTP Servers.
115
Configuring the Services
Parameters Description
SNMP restriction Type in the source of the SNMP. It can be one IP address, several IP addresses
separated by a space or a default value.
User Type in the login used for authentication.
Level You can choose either a noauth, auth or priv security level.
Key Type in the authentication passphrase (i.e. password), it must contain at least 8
characters.
a b
Algorithm You can select either the MD5 or the SHA algorithm. By default, MD5 is selec-
ted.
Key Type in a privacy passphrase. If the privacy passphrase is not specified, it is as-
sumed to be the same as the authentication passphrase. This field is optional
c d
Protocol You can select either the DES or AES algorithm. By default, DES is selected.
a
MD5 Message-Digest algorithm.
b
Secure Hash Algorithm.
c
Data Encryption Standard.
d
Advanced Encryption Standard.
b. When the access configuration is complete, click on ADD . The profile is moved to the
SNMP access list.
b. When your configuration is complete, click on ADD . The profile is moved to the Trap list.
116
Configuring the Services
If you are remotely managing other appliances, you can choose to download a local configuration
file or the configuration file of a remote appliance.
If you downloaded a remote appliance configuration file, the file name is followed by the re-
mote appliance IP address as follows: <file-name>@<remote-IP-address> .
117
Part III. Imports and Exports
SOLIDserver supports many imports and exports methods in almost all the modules.
• Importing Data from a CSV File details how to import or reimport data from a CSV file in the modules
IPAM, DHCP, DNS, NetChange, Devic Manager, VLAN Manager and Administration.
• Importing IPAM Data details how to import VitalQIP and Nortel NetID data to the module IPAM.
• Importing DHCP Data details how to import ISC, Alcatel-Lucent VitalQIP, Microsoft, Infoblox, MetaIP and
Nortel NetID configuration files to the module DHCP.
• Importing DNS Data details how to import BIND and VitalQIP zones from an archive file to the module
DNS.
• Exporting Data details how to export data from any module to CSV, HTML, XML, Excel or PDF files.
Table of Contents
8. Importing Data from a CSV File .................................................................................. 120
The Import Wizard ................................................................................................. 121
Importing Data to the IPAM .................................................................................... 122
Importing Data to the DHCP .................................................................................. 137
Importing Data to the DNS ..................................................................................... 146
Importing Data to NetChange ................................................................................ 150
Importing Data to Device Manager ......................................................................... 152
Importing Data to VLAN Manager ........................................................................... 154
Importing Data to VRF ........................................................................................... 158
Importing Data to SPX ........................................................................................... 160
Importing Data to the Administration Module ........................................................... 164
Managing Import Templates ................................................................................... 167
9. Importing IPAM Data .................................................................................................. 169
VitalQIP data ........................................................................................................ 169
Nortel NetID data .................................................................................................. 170
10. Importing DHCP Data .............................................................................................. 172
ISC configuration files ............................................................................................ 172
Alcatel-Lucent VitalQIP configuration files ............................................................... 173
Microsoft configuration files .................................................................................... 175
Infoblox configuration files ...................................................................................... 176
MetaIP configuration files ....................................................................................... 177
Nortel NetID configuration files ............................................................................... 178
11. Importing DNS Data ................................................................................................. 180
BIND archive files .................................................................................................. 180
VitalQIP archive files ............................................................................................. 181
12. Exporting Data ........................................................................................................ 183
The Export Wizard ................................................................................................ 184
Browsing the Exports Database ............................................................................. 185
Configuring Exports .............................................................................................. 186
Exporting Data to Reimport It Later ........................................................................ 188
Managing Scheduled Exports ................................................................................ 192
Managing Scheduled Exports Configuration Files .................................................... 192
Managing Export Templates ................................................................................... 193
119
Chapter 8. Importing Data from a CSV
File
You can massively import data from CSV formatted files in the modules IPAM, DHCP, DNS,
NetChange, Device Manager, VLAN Manager, VRF, SPX and Administration. To import specific
IPAM, DNS or DHCP configurations in a different format, refer to the import chapter in each
module.
For instance, importing addresses into a terminal network implies that the user has administrative
rights over said network.
• The resources you import must have a unique name
You can import as many resources as you need as long as they all have a unique name.
• An import is generated one page at a time
If you are importing zones from the page All zones in the DNS, you only import the zones
themselves but not the RRs they contain.
• The object parameters that you can import correspond to the columns of the page
When you import objects, you can import all or some of their properties. That way, for instance,
you can import a zone and specify its view, this allows you to set up your DNS hierarchy more
easily.
• An import can overwrite the existing page data
The last step in the import wizard allows to overwrite, or not, all the existing parameters of the
resource except for its name.
• If the page does not have the menu Import you cannot import data
You can import data from almost any page. In the menu, CSV <data> allows to import CSV
files. The list of pages where you can import data is available in each module-dedicated import
section below.
• Your classes may edit the fields available in the wizard
The import procedure only describes the fields that are displayed by default for each resource.
During each import, the number of fields that might appear or be required depends on the
classes you or your administrator might have configured for each resource.
• Any object parameter value is imported with the Inheritance property forced to Set or
Inherit
This allows to respect the configuration of the Inheritance property of an object parameter:
• It is forced to Set if the parameter is not configured on the parent object or if it has a different
value.
• It forced to Inherit if it is configured on the parent object and has the same value.
120
Importing Data from a CSV File
This section allows to specify the CSV import file details. They can be configured and saved
as templates to speed up the checking process. Its fields are detailed in the table CSV file
basic parameters.
This section contains some parameters (columns) that you can include in your import.
The first section of the import wizard is common to all objects and can be configured as follows.
121
Importing Data from a CSV File
On the next page, Class parameters, there are as many drop-down lists as there are existing
class parameters and advanced properties for the resource you are importing. None of the lists
are required, they allow to import your parameters to the database one by one. Any class para-
meter that does not correspond to a class in the database is not displayed in the GUI once impor-
ted.
Finally, on the last page, CSV import parameters, a few options are available.
This drop-down list Existing records allows to replace the existing entries with the data of
the CSV file you are importing.
The box Trigger the execution of all advanced properties allows to force the DNS, DHCP
and VLAN advanced property mechanisms during the import of networks, pools and ad-
dresses. For more details, refer to the section Importing Data to the IPAM
The button CHECK performs a data validity check of the content of the CSV file. The last
pages of the wizard provide a Report: a data validity report and an import report.
Table 8.2. IPAM pages where you can import CSV files
IPAM page Objects that can be imported Option name in the menu Import
All spaces Spaces CSV spaces
Block-type networks CSV networks (block)
Subnet-type networks CSV networks (subnet)
Pools CSV pools
122
Importing Data from a CSV File
IPAM page Objects that can be imported Option name in the menu Import
Addresses CSV addresses
IPv6 block-type networks CSV networks (block v6)
IPv6 subnet-type networks CSV networks (subnet v6)
IPv6 pools CSV pools (v6)
IPv6 addresses CSV addresses (v6)
All networks Block-type networks CSV networks (blocks)
Subnet-type networks CSV networks (subnets)
Pools CSV pools
IP Addresses CSV addresses
All networks (v6) IPv6 block-type networks CSV networks (block v6)
IPv6 subnet-type networks CSV networks (subnet v6)
IPv6 pools CSV pools (v6)
IPv6 addresses CSV addresses (v6)
All pools Pools CSV pools
Addresses CSV addresses
All pools (v6) IPv6 pools CSV pools (v6)
IPv6 addresses CSV addresses (v6)
All addresses Addresses CSV addresses
All addresses (v6) IPv6 addresses CSV addresses (v6)
To import VitalQIP or Nortel NetID data, refer to the chapter Importing IPAM Data.
To import SPX data, whether RIPE or APNIC, refer to the section Importing Data to SPX
Importing Spaces
When importing space(s), only the field Name is required. The other parameters are optional and
can be left empty.
123
Importing Data from a CSV File
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format, Skip
the first line and set in as a Template if you want. For more details, refer to the table CSV
file basic parameters.
6. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results.The last page opens.and displays a
report indicating the total number of spaces actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All spaces. The spaces are now listed.
Importing Networks
You can import block-type networks or subnet-type networks in IPv4 or IPv6.
When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.
124
Importing Data from a CSV File
The field First address and any field that indicates the network size (Last address, Netmask,
Prefix or Size) are required. All fields are detailed in the table below.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
125
Importing Data from a CSV File
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page All networks. The networks are now listed.
When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.
The fields First address, Prefix and Space name are required. All fields are detailed in the
table below.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
126
Importing Data from a CSV File
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the list All networks. The networks are now listed.
Several options and fields are only available for the import of subnet-type networks.
Use best space
This option is available in the drop-down list Space name, if you import IPv4 subnet-type
networks on the page All networks (rather than within a specific space or block-type network).
It allows to import the networks into the space containing the smallest network able to receive
them.
Note that importing subnet-type networks into a space containing no matching block-type
network places them in a container Orphan Networks. Later on, you can create a block-type
network large enough to contain them. For more details, refer to the chapter Adding Networks.
VLSM space name
This option allows to import subnet-type networks in a specific level of a space-based VLSM
organization. Note that to import subnet-type networks in a VLSM configuration:
• To import subnet-type networks in a space and replicate them as block-type networks in
one of its sub-spaces, in the field Space name, select the parent space and in the field
VLSM space name, select the sub-space.
• You cannot select the option Use best space in drop-down list Space name.
• You cannot specify a VLSM space name and tick the box Imbricated networks in one import.
If you do, the VLSM space name prevails and the option Imbricated networks is ignored.
You can configure them in two separate imports if you need them both in your network
configuration.
Imbricated networks
This box allows to import a network-based VLSM organization. Tick it to import non-terminal
subnet-type networks and all the terminal and non-terminal networks they contain.
127
Importing Data from a CSV File
Note that you cannot tick the box and specify a VLSM space name in one import. If you do,
the VLSM space name prevails and the option Imbricated networks is ignored. You can
configure them in two separate imports if you need them both in your network configuration.
If you want to import an organization without ticking the box, the subnet-type networks are
imported in a container Orphan Networks in the order saved in the CSV file. The first are
imported, the rest is considered overlap and is not imported.
If you import an organization and tick the box, the receiving container shapes the import be-
havior:
• If the selected Space name does not contain any block-type network to receive it, the first
non-terminal subnet-type network becomes a block-type network.
• If the selected Space name contains block-type networks:
• If an existing block-type network is bigger than the first non-terminal subnet-type network,
the whole hierarchy is created within the block-type network if there is enough space
available. Otherwise, only the subnet-type networks that fit in the block-type network are
imported.
• If an existing block-type network is the same size as the first non-terminal subnet-type
network, the first non-terminal subnet-type network is ignored. The subnet-type networks
it contains are imported in the block-type network if it can receive them. Otherwise, only
the subnet-type networks that fit in the block-type network are imported.
Subnet-type networks can be imported into a block-type network or directly into a space.
When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.
If you import IPv4 subnet-type networks on the page All networks (rather than within a specific
space or block-type network), the option Use best space is available in the drop-down list Space
name. It allows to put the content of the CSV file into the space containing the smallest block-
type network able to receive the subnet-type network(s). Other options are detailed in the section
Subnet-type Networks Import Specificities.
The fields Address, Name, Space name and one field specifying the network size (Netmask,
Prefix or Size) are required. All fields are detailed in the table below.
128
Importing Data from a CSV File
By default, if you import a network hierarchy, the last imbricated network is considered
terminal even if it is not. You can select the column Terminal to ensure that the net-
works remain terminal, or non-terminal, during the import. This parameter is only
taken into account if its value is 0 or 1.
Note that if you tick the box Imbricated networks, you must leave this field empty.
Class parameters All the class parameters declared in a single line, in URL format. The information
you specify in this drop-down list overwrites any class parameter you may specify
on the page Class parameters. This field is optional.
Space name The name of the space where you want to import the network(s). It can be a space
listed in the file, an existing space in your database or you can use the option Use
best space. This field is required.
Use best space: Select this option to import subnet-type networks in the space
managing the smallest networks that can receive them.
Note that you cannot select this option if you want to specify a VLSM space name.
VLSM space name If you set up a space-based VLSM organization, select the sub space that uses the
subnet-type network you are importing as a block-type network. This field is optional.
Note that if you tick the box Imbricated networks or select the option Use best space
in the drop-down list Space name, you must leave this field empty.
Class name The network class name. This field is optional.
Imbricated networks Tick this box if you want to import a hierarchy of non-terminal and terminal (subnet-
type) networks.
Note that if you tick this box, you should leave blank the fields Network is terminal
and VLSM space name.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick this box Trigger the execution of all advanced properties if you want to force the
advanced property mechanisms during the import. These mechanisms depend on the
configuration set on the page Class parameters and/or on the properties inherited from
higher level(s), they can include properties impacting the IPAM, DNS, DHCP and VLAN
Manager. For more details, refer to the section Network Advanced Properties.
129
Importing Data from a CSV File
After the import, you can still trigger the execution of the configured mechanisms. Tick
the subnet-type networks of your choice and in the menu select Tools > Expert >
Initialize rules. This operation also triggers the replication on the objects they contain.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download that import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All networks. The networks are now listed.
Subnet-type networks can be imported into a block-type network or directly into a space.
When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.
Note that in IPv6, the option Use best space is not available in the drop-down list Space name.
Available options are detailed in the section Subnet-type Networks Import Specificities.
The fields Address, Prefix, Name and Space name are required. All fields are detailed in
the table below.
130
Importing Data from a CSV File
Parameter Description
Network is terminal The VLSM status of the network(s), terminal or non-terminal. This field is optional.
By default, if you import a network hierarchy, the last imbricated network is considered
terminal even if it is not. You can select the column Terminal to ensure that the net-
works remain terminal, or non-terminal, during the import. This parameter is only taken
into account if its value is 0 or 1.
Note that if you tick the box Imbricated networks, you must leave this field empty.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
VLSM space name If you set up a space-based VLSM organization, select the sub space that uses the
subnet-type network you are importing as a block-type network. This field is optional.
Note that if you tick the box Imbricated networks, you must leave this field empty.
Space name The name of the space where you want import the network(s). It can be a space listed
in the file or an existing space in your database. This field is required.
Class name The network class name. This field is optional.
Imbricated networks Tick this box if you want to import a hierarchy of non-terminal and terminal (subnet-
type) networks. Note that if you tick this box, you should leave blank the fields Network
is terminal and VLSM space name.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick this box Trigger the execution of all advanced properties if you want to force the
advanced property mechanisms during the import. These mechanisms depend on the
configuration set on the page Class parameters and/or on the properties inherited from
higher level(s), they can include properties impacting the IPAM, DNS, DHCP and VLAN
Manager. For more details, refer to the section Network Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the subnet-type networks of your choice and in the menu select Tools > Expert >
Initialize rules. This operation also triggers the replication on the objects they contain.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
131
Importing Data from a CSV File
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All networks. The networks are now listed.
Importing Pools
Before importing pools keep in mind that you cannot import pools in an empty space, you
must specify a space containing terminal networks that can receive them.
When importing IPv4 pools, the fields First address, Last address, Name and Space name are
required.
If you import IPv4 pools on the page All networks (rather than within a specific space or block-
type network), the option Use best space is available in the drop-down list Space name. It allows
to put the content of the CSV file into the space containing the smallest network able to receive
the pool(s).
The fields First address, Name, Space name and one of fields specifying the pool size (Last
address or Size) are required. All fields are detailed in the table below.
132
Importing Data from a CSV File
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . Each available drop-down list is named after a class para-
meter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick this box Trigger the execution of all advanced properties if you want to force the
advanced property mechanisms during the import. These mechanisms depend on the
configuration set on the page Class parameters and/or on the properties inherited from
higher level(s), they can include the IPAM to DHCP replication. For more details, refer
to the section Pool Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the pools of your choice and in the menu select Tools > Expert > Initialize rules.
This operation also triggers the replication on the IP addresses they contain.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The The last page opens.and displays
a report indicating the total number of pools actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All pools. The pools are now listed.
When importing IPv6 pools, the fields First address, Last address, Name and Space name are
required.
Note that in IPv6, the option Use best space is not available in the drop-down list Space name.
133
Importing Data from a CSV File
The fields First address, Last address, Name and Space name are required. All fields are
detailed in the table below.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . Each available drop-down list is named after a class para-
meter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick this box Trigger the execution of all advanced properties if you want to force the
advanced property mechanisms during the import. These mechanisms depend on the
configuration set on the page Class parameters and/or on the properties inherited from
higher level(s), they can include the IPAM to DHCP replication. For more details, refer
to the section Pool Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the pools of your choice and in the menu select Tools > Expert > Initialize rules.
This operation also triggers the replication on the IP addresses they contain.
10. Click on CHECK . The The next page opens and displays a report indicating the total amount
of correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The The last page opens.and displays
a report indicating the total number of pools actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All pools. The pools are now listed.
Importing IP Addresses
Keep in mind that you can import addresses in an empty space, they are saved in a container
Orphan Addresses.
134
Importing Data from a CSV File
When importing a file containing IPv4 address(s), the fields IP address, Name and Space name
are required.
The fields IP address, Name and Space name are required. All fields are detailed in the table
below.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
135
Importing Data from a CSV File
b. Tick this box Trigger the execution of all advanced properties if you want to force the
advanced property mechanisms during the import. These mechanisms depend on the
configuration set on the page Class parameters and/or on the properties inherited from
higher level(s), they can include properties impacting the IPAM, DNS, DHCP and Device
Manager. For more details, refer to the section IP Address Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the IP addresses of your choice and in the menu select Tools > Expert > Initialize
rules.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of addresses actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All addresses. The IP addresses are now listed.
When importing a file containing IPv6 address(s), the fields IP address, Name and Space name
are required.
The fields IP address, Name and Space name are required. All fields are detailed in the table
below.
136
Importing Data from a CSV File
Parameter Description
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Space name The name of the space where you want to import the address. At the bottom of the
list of columns of the CSV file, the existing spaces are also listed, select the space
where you want import the address(es). This field is required.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick this box Trigger the execution of all advanced properties if you want to force the
advanced property mechanisms during the import. These mechanisms depend on the
configuration set on the page Class parameters and/or on the properties inherited from
higher level(s), they can include properties impacting the IPAM, DNS, DHCP and Device
Manager. For more details, refer to the section IP Address Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the IP addresses of your choice and in the menu select Tools > Expert > Initialize
rules.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of addresses actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All addresses. The IP addresses are now listed.
Table 8.12. DHCP pages where you can import CSV files
DHCP page Objects that can be imported Option name in the menu Import
All scopes Scopes CSV scopes
137
Importing Data from a CSV File
DHCP page Objects that can be imported Option name in the menu Import
Ranges CSV ranges
Statics CSV statics
All scopes (v6) IPv6 scopes CSV scopes (v6)
IPv6 ranges CSV ranges (v6)
IPv6 statics CSV statics (v6)
All ranges Ranges CSV ranges
All ranges (v6) IPv6 ranges CSV ranges (v6)
All statics Statics CSV statics
All statics (v6) IPv6 statics CSV statics (v6)
To import an ISC, Alcatel-Lucent VitalQIP, Microsoft, Infoblox, MetaIP or Nortel NetID configuration,
refer to the chapter Importing DHCP Data.
Importing Scopes
You can import several scopes coming from different DHCP configurations into the same server.
If you plan on importing scopes into different servers, make sure that your CSV file contains a
column dedicated to the server name.
When importing a file containing IPv4 scope(s), the fields Start address, DHCP server and one
of the fields specifying the scope size are required - End address or Size.
138
Importing Data from a CSV File
The fields Address, DHCP server and one field specifying the scope size (Prefix, Netmask
or Size) are required. All fields are detailed in the table below.
9. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
10. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Configuring DHCP Options.
11. Click on NEXT . The page CSV import parameters opens.
12. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
13. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
15. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of scopes actually imported.
If you want to download the import report refer to the next step, otherwise go to step 17.
16. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
17. Click on CLOSE to go back to the page All scopes. The scopes are now listed.
139
Importing Data from a CSV File
When importing a file containing IPv4 scope(s), the fields Start address, DHCP server (v6) and
one of the fields specifying the scope size are required - End address or Size.
The fields Start address, DHCP server (v6), any field specifying the scope size (End address
or Prefix) are required. All fields are detailed in the table below.
9. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
10. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Configuring DHCP Options.
11. Click on NEXT . The page CSV import parameters opens.
140
Importing Data from a CSV File
12. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
13. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
15. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of scopes actually imported.
If you want to download the import report refer to the next step, otherwise go to step 17.
16. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
17. Click on CLOSE to go back to the page All scopes. The scopes are now listed.
Importing Ranges
From the page All ranges, you can import IPv4 and IPv6 ranges. These ranges must be imported
within an existing scope.
When importing a file containing IPv4 range(s), the fields Start address, DHCP server and one
of the fields specifying the scope size are required - End address or Size.
The fields Start address, DHCP server and any field specifying the range size (End address
or Size) are required. All fields are detailed in the table below.
141
Importing Data from a CSV File
Parameter Description
Class name The range class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
DHCP server The name of the server where you want to import the range. At the bottom of the list
of columns of the CSV file, the existing servers are also listed, select the server where
you want to import the range(s). This field is required.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Configuring DHCP Options.
10. Click on NEXT . The page CSV import parameters opens.
11. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
12. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
14. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of ranges actually imported.
If you want to download the import report refer to the next step, otherwise go to step 16.
15. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
16. Click on CLOSE to go back to the page All ranges. The ranges are now listed.
Note that there are no DHCP options for DHCPv6 ranges, so you cannot import them.
When importing a file containing IPv6 range(s), the fields Start address, End address and DHCP
server (v6) are required.
142
Importing Data from a CSV File
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format, Skip
the first line and set in as a Template if you want. For more details, refer to the table CSV
file basic parameters.
7. Select the columns of your CSV file you want to import.
The field Start address, End address and DHCP6 server are required. All fields are detailed
in the table below.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The page Import data from a CSV
file opens and displays a report indicating the total number of ranges actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All ranges. The ranges are now listed.
Importing Statics
From the page All statics, you can import IPv4 and IPv6 static reservations. These statics can
be imported in a DHCP server or group.
If you are importing statics with IP address in a DHCP server, keep in mind that they are managed
like leases by the server. For more details, refer to the section Adding DHCPv4 Statics.
When importing a file containing IPv4 static reservation(s), the fields DHCP server and MAC ad-
dress are required.
143
Importing Data from a CSV File
The fields MAC address and DHCP server are required. All fields are detailed in the table
below.
8. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Configuring DHCP Options.
For EfficientIP DHCP servers, you can specify the Option host-name and leave the field
DHCP static name empty to use the value of the option as the name of the static.You should
specify either the DHCP static name or the Option host-name.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
144
Importing Data from a CSV File
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of statics actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page All statics. The static reservations are now listed.
When importing a file containing IPv6 static reservation(s), the fields DHCP server, MAC address
and Client DUID are required.
The fields DHCP static name and DHCP server (v6) are required. All fields are detailed in
the table below.
8. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Configuring DHCP Options.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
145
Importing Data from a CSV File
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of statics actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page All statics. The static reservations are now listed.
Table 8.19. DNS pages where you can import CSV files
DNS page Objects that can be imported Option name in the menu Import
All zones Zones CSV zones
All RRs Resource records CSV RRs
All RPZ rules RPZ rules CSV RPZ Rules
To import zones from a BIND or VitalQIP archive file, refer to the chapter Importing DNS Data.
Importing Zones
When importing a file containing zone(s), the fields DNS zone name, DNS zone type and DNS
server name are required.
146
Importing Data from a CSV File
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format, Skip
the first line and set in as a Template if you want. For more details, refer to the table CSV
file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields DNS zone name and DNS zone type and DNS server name are required. All fields
are detailed in the table below.
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of zones actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All zones. The zones are now listed.
147
Importing Data from a CSV File
The fields RR name, Value 1 and RR type are required. All fields are detailed in the table
below.
If you want to download the validity report refer to the next step, otherwise go to step 11.
10. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
148
Importing Data from a CSV File
11. Click on OK to accept the validity check report results. The page Import data from a CSV
file opens and displays a report indicating the total number of resource records actually im-
ported.
If you want to download the import report refer to the next step. If you do not want to download
it go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
13. Click on CLOSE to go back to the page All RRs. The records are now listed.
When importing a file containing RPZ rules, the fields RR name, Value 1 and RR type are required.
The fields RR name, Value 1 and RR type are required. All fields are detailed in the table
below.
149
Importing Data from a CSV File
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The page Check the validity of the CSV file opens and displays a report
indicating the total amount of correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The page Import data from a CSV
file opens and displays a report indicating the total number of RPZ rules actually imported.
If you want to download the import report refer to the next step. If you do not want to download
it go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All RPZ rules. The rules are now listed.
Table 8.23. NetChange pages where you can import CSV files
NetChange page Objects that can be imported Option name in the menu Import
All network devices Network devices CSV file
150
Importing Data from a CSV File
Parameter Description
SNMP version The version of the SNMP protocol used on the network device(s). It must be either 1
for SNMPv1 or 2 for SNMPv2c. For SNMPv3, one or several SNMP profiles can be
specified on the last page of the wizard. This field is optional.
Class The network device(s) class. This field is optional.
Target space An IPAM space to associate with network device(s) to help differentiate devices on
the page All network devices. This field is required. If you have classes enabled,
it will appear on the next page of the wizard.
7. Tick the box Expert mode to specify more details regarding the device(s) information retrieval.
If you have classes enabled, it will appear on the next page of the wizard. Edit the parameters
according to your needs following the table below:
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . Each available drop-down list is named after a class para-
meter or advanced property. All the fields are optional.
You must select a Target space and you can tick the Expert mode, both fields are described
in the previous step.
9. Click on NEXT . The last page opens.
You can select the SNMP profile(s) to use in order to access the SNMP agent on the devices
if they are not associated with a version or community string in the CSV file. It is the only
way to specify authentication parameters in SNMPv3.
151
Importing Data from a CSV File
If you do not select any, NetChange uses the profile standard v2c.
10. Click on OK to complete the operation. The Report opens and work for a while: the import
progression is visible. Once the import is over, the report lists the IP addresses imported as
well as the existing ones.
If you want to download the import report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
12. Click on CLOSE to go back to the page All network devices. The devices are now listed.
Table 8.27. Device Manager pages where you can import CSV files
Device Manager page Objects that can be imported Option name in the menu Import
All devices Devices CSV devices
Ports and/or interfaces CSV interfaces
All ports & interfaces Ports and/or interfaces CSV interfaces
Before importing, keep in mind that the ports and interfaces procedure below is based on imports
made on the page All ports & interfaces.You can also import the objects from the page All ports
& interfaces of a specific device, in which case the field Device is not displayed in the wizard.
Importing Devices
When importing a file containing device(s), only the field Name is required.
Only the field Name is required. All fields are detailed in the table below.
152
Importing Data from a CSV File
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of devices actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All devices. The devices are now listed.
Only the field Name is required. All fields are detailed in the table below.
153
Importing Data from a CSV File
Parameter Description
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Device The name of the device where you want to import the port and/or interface. At the
bottom of the list of columns of the CSV file, the existing devices are also listed, select
the device where you want to import the port(s) and/or interface(s).This field is required.
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of ports and/or interface(s) actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All ports & interfaces. The ports and interfaces are
now listed.
Table 8.30. VLAN Manager pages where you can import CSV files
VLAN Manager page Objects that can be imported Option name in the menu Import
All domains Domains CSV domains
Ranges CSV ranges
VLANs or VXLANs CSV VLANs
All ranges Ranges CSV ranges
VLANs or VXLANs CSV VLANs
All VLANs VLANs or VXLANs CSV VLANs
154
Importing Data from a CSV File
Before importing, keep in mind that the range and VLAN procedure below is based on imports
made on the page All ranges and All VLANs. You can also import the objects from each page
of a specific domain, in which case the field Domain is not displayed in the wizard.
The fields Name, Start ID and End ID are required. All fields are detailed in the table below.
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
155
Importing Data from a CSV File
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of domains actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All domains. The VLAN domains are now listed.
The fields Name, Start ID, End ID and Domain are required. All fields are detailed in the table
below.
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
156
Importing Data from a CSV File
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of VLAN ranges actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All ranges. The VLAN ranges are now listed.
The fields VLAN ID and Domain are required. All the fields are detailed in the table below.
157
Importing Data from a CSV File
8. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
9. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 11.
10. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
11. Click on OK to accept the validity check report results. The last page opens and displays a
report indicating the total number of VLANs or VXLANs actually imported.
If you want to download the import report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
13. Click on CLOSE to go back to the page All VLANs. The VLANs or VXLANs are now listed.
Table 8.34. VRF pages where you can import CSV files
VRF page Objects that can be imported Option name in the menu Import
All VRFs VRFs CSV VRFs
VRF Route Targets CSV VRF Route Targets
All VRF Route Targets VRF Route Targets CSV VRF Route Targets
Before importing, keep in mind that the route target procedure below is based on imports made
on the page All route targets. You can also import objects from the page All route targets of a
VRF, in which case the field VRF name is not displayed in the wizard.
Importing VRFs
When importing VRF(s), the fields VRF name and VRF RD are required.
The fields VRF name and VRF RD are required. All fields are detailed in the table below.
158
Importing Data from a CSV File
7. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . If you did not specify any class parameter on the previous
page, you can specify one by one the elements to import. Each available drop-down list is
named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of VRFs actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All VRFs. The VRFs are now listed.
159
Importing Data from a CSV File
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format, Skip
the first line and set in as a Template if you want. For more details, refer to the table CSV
file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields Source RD of the VRF Route Targets and Target RD of the VRF Route Targets
are required. All fields are detailed in the table below.
If you want to download the validity report refer to the next step, otherwise go to step 11.
10. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
11. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of route targets actually imported.
If you want to download the import report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
13. Click on CLOSE to go back to the page All VRF Route Targets. The VRF Route Targets are
now listed.
From the IPAM page All networks you can import SPX allocated and assigned networks.
Table 8.37. IPAM pages where you can import SPX allocated and assigned networks
IPAM page Objects that can be imported Option name in the menu Import
All spaces SPX allocated networks SPX allocated networks
SPX assigned networks SPX assigned networks
IPv6 SPX allocated networks SPX allocated networks (v6)
IPv6 SPX assigned networks SPX assigned networks (v6)
All networks SPX allocated networks SPX allocated networks
160
Importing Data from a CSV File
IPAM page Objects that can be imported Option name in the menu Import
SPX assigned networks SPX assigned networks
All networks (v6) SPX IPv6 allocated networks SPX allocated networks (v6)
SPX assigned networks (v6) SPX assigned networks (v6)
From the Administration page All users you can import SPX users, i.e. persons.
Table 8.38. Administration page where you can import SPX users
Administration page Objects that can be imported Option name in the menu Import
Users SPX users SPX persons
From the SPX page All AS Numbers you can import SPX aut-nums.
Table 8.39. SPX page where you can import CSV files
SPX page Objects that can be imported Option name in the menu Import
All AS Numbers SPX aut-nums SPX aut-nums
During the import, the option (box) Use the "ripe.db.inetnum" file stored in the Local files listing
allows you to use the "ripe.db.inetnum" file if you uploaded it to the Local files listing before per-
forming the import. It allows to work with the file content rather than connecting to the RIPE or
APNIC using an Internet connection to obtain the assigned network details. For more details re-
garding how to upload a file to the Local files listing, refer to the section Managing Files from the
Local Files Listing.
Note that, following the IPAM hierarchy, your allocated network(s) must belong to a space.
161
Importing Data from a CSV File
During the import, the option (box) Use the "ripe.db.inetnum" file stored in the Local files listing
allows you to use the "ripe.db.inetnum" file if you uploaded it to the Local files listing before per-
forming the import. It allows to work with the file content rather than connecting to the RIPE or
APNIC using an Internet connection to obtain the assigned network details. For more details re-
garding how to upload a file to the Local files listing, refer to the section Managing Files from the
Local Files Listing.
Once you imported your network objects, editing the content of your assigned networks follows
the same procedures as regular assigned networks. For more details, refer to the chapters
Managing Pools and Managing IP Addresses.
162
Importing Data from a CSV File
8. In the drop-down list PI Assigned network class, you can choose a class if you manage
assigned networks of Provider Independent IP addresses.
9. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The assigned networks are listed.
Once you imported your assigned networks, you can edit them from the GUI. Any change is sent
to the RIPE or APNIC using the update method that you selected during the maintainer configur-
ation (post or email).
You can also add assigned networks from the GUI. These new objects are also communicated
to the RIPE or APNIC. For more details, refer to the section Adding SPX Assigned Networks.
You can create a group for your SPX persons to gather them but, unlike standard users managed
via the appliance, there is no need to grant them specific rights.
The SPX persons listed on the Users page do not have access to the appliance if you do not
grant them rights (through the group they belong to) or configure credentials for them.
163
Importing Data from a CSV File
5. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The SPX persons are listed among the users.
Importing of AS Numbers also imports AS routing policies. The routing policy is described by
enumerating all neighboring AS Number with which routing information is exchanged, they are
all listed in the page All policies. For each neighbor, the routing policy is described in terms of
exactly what is being sent (announced) and allowed (accepted). That way, each aut-num contains
policies that describes what can be implemented and enforced locally by said AS Number.
Keep in mind the page All policies is accessible from the page All AS Numbers. You can access
it through the breadcrumb.
Table 8.40. Administration pages where you can import CSV files
Administration page Objects that can be imported Option name in the menu Import
Groups Groups of users CSV groups
Users Users CSV file
Custom data Custom data CSV custom data
To import RIPE or APNIC users, i.e. persons, refer to the section Importing SPX Persons.
164
Importing Data from a CSV File
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format, Skip
the first line and set in as a Template if you want. For more details, refer to the table CSV
file basic parameters.
7. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . Each available drop-down list is named after a class para-
meter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of groups actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page Groups. The groups are now listed.
Importing Users
When importing a file containing user(s), only the field Login is required.
To import RIPE or APNIC users, i.e. persons, refer to the section Importing SPX Persons.
165
Importing Data from a CSV File
3. In the menu, select Import > CSV file. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format, Skip
the first line and set in as a Template if you want. For more details, refer to the table CSV
file basic parameters.
7. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.
8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . Each available drop-down list is named after a class para-
meter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of users actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page Users. The users are now listed.
166
Importing Data from a CSV File
Only the field Value 1 is required. There are in total 10 fields named Value 1 through to Value
10.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of custom data entries actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page Custom data. The entries are now listed.
This page is composed of as many panels as there are pages where you can import data in the
module. Each panel lists all the templates configured on the page, the import templates are listed
as follows: Import: <template_name>.
167
Importing Data from a CSV File
3. In the panel of your choice, select the Import: <template_name> you want to rename.
4. Click on RENAME . The wizard Rename template opens.
5. In the field New Name, rename your template.
6. Click on OK to complete the operation. The report opens and closes. The name changes in
the list.
3. In the panel of your choice, select the Import: <template_name> you want to delete.
4. Click on DELETE . The wizard Delete template opens.
5. Click on OK to complete the operation. The report opens and closes. The template is no
longer listed.
168
Chapter 9. Importing IPAM Data
SOLIDserver offers several ways of importing existing IP addresses organizations without having
to recreate them manually in the GUI.
169
Importing IPAM Data
Note that all the data the space contains is imported as well (block-type networks, subnet-
type networks and addresses).
1
7. In the drop-down list Network (block) class, select an existing class to be applied to the
block-type networks you are importing. If no class exists or is enabled, only None is listed.
8. In the drop-down list Network (subnet) class, select an existing class to be applied to the
subnet-type networks you are importing. If no class exists or is enabled, only None is listed.
9. Click on OK to complete the operation. The report opens and closes. The data is listed ac-
cording to your import configuration.
To avoid missing any parameters or losing any data, we recommend that you follow the module
hierarchy during these imports in an existing space: block-type networks, subnet-type networks
and finally IP addresses .
For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.
Table 9.2. Nortel NetID network fields name when importing networks
Nortel NetID field SOLIDserver field
Network number First address
Network name Name
Subnet type -
CIDR mask -
Subnet mask Netmask
For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.
Table 9.3. Nortel NetID subnet fields name when importing networks
Nortel NetID field SOLIDserver field
Network number Address
Network name Name
1
The classes listed were created and enabled on the page Class Studio and apply to the IPAM networks. For more details, refer to the
chapter Configuring Classes.
170
Importing IPAM Data
For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.
Table 9.4. Nortel NetID host addresses fields name when importing networks
Nortel NetID field SOLIDserver field
Host address IP address
Domain name Domain
Client ID -
MAC address MAC address
ClMAC type -
Custom fields -
For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.
171
Chapter 10. Importing DHCP Data
SOLIDserver offers several ways of importing data from legacy DHCP to all other DHCP servers
managed from the GUI, these wizards are all the more useful during a migration.You can import:
• ISC configuration files.
• Alcatel-Lucent VitalQIP configuration files.
• Microsoft configuration files.
• Infoblox configuration files.
• MetaIP configuration files.
• Nortel NetID configuration files.
To import DHCP or DHCPv6 scopes, ranges and statics, refer to the section Importing Data to
the DHCP in the chapter Importing Data from a CSV File.
The ISC DHCP loads its configuration from the file named dhcpd.conf. This file contains the whole
configuration of the DHCP server.You can import this file directly from SOLIDserver GUI at scope
level.
EfficientIP recommends reducing all lease times to one hour before switching to the new
DHCP server in order to minimize the risk of duplicating IP address assignments during the
transition from the legacy DHCP server to SOLIDserver. This measure ensures that when you
turn off your legacy DHCP servers, the DHCP clients quickly move to SOLIDserver when their
172
Importing DHCP Data
lease renewal efforts fail: they broadcast their first DISCOVER message and get an answer
within the hour.
This procedure also works from the page All scopes of the server for which you want to import
the ISC configuration: at server level click on the name of the server concerned, once on the
page All scopes, follow the procedure from step 4. The server is automatically selected in the
drop-down list DHCP server.
Several ISC configuration files can be imported one after the other on the same target DHCP
server. It allows to merge different DHCP configurations on one unique DHCP server. Through
all the imports, no data is deleted: if the configurations conflict with each other all the different
elements are added. In the same way, if two configuration files have a scope in common but
named differently, the first scope name imported is overwritten by the new scope name.
173
Importing DHCP Data
• Ranges.
• Range options.
• Address pools.
• Static reservations.
• Static reservations options.
• DHCP option definitions.
EfficientIP recommends reducing all lease times to one hour before switching to the new
DHCP server in order to minimize the risk of duplicating IP address assignments during the
transition from the legacy DHCP server to SOLIDserver. This measure ensures that when you
turn off your legacy DHCP servers, the DHCP clients quickly move to SOLIDserver when their
lease renewal efforts fail: they broadcast their first DISCOVER message and get an answer
within the hour.
174
Importing DHCP Data
Microsoft netsh commands for DHCP offer a command-line tool that helps administrating the
DHCP servers and provides an equivalent alternative to console-based management. You can
run these commands from the command prompt of a Windows Server or from the command
prompt for the netsh DHCP context.
To run netsh commands from the command prompt of a Windows Server, you must include
"netsh dhcp" before every command and parameter as detailed below:
C:\netsh dhcp server \\myservername dump > C:\dump_dhcp.txt
This command, generated from your Microsoft DHCP server, allows to import its whole configur-
ation including:
• Definition of DHCP server options.
• Scopes.
• Scope options.
• Ranges.
• Address pools.
• Reservations.
• Reservation options.
• Exclusions.
Because several Microsoft DHCP configuration files can be imported into the same EfficientIP
DHCP server, DHCP options are not imported at the server level. They must be manually con-
figured.
Microsoft allows to create only one range per network (i.e. scope) and then exclude the ranges
of IP addresses you do not need. Unlike Microsoft, from SOLIDserver you can configure several
ranges in one scope. On the page All ranges, the list of Microsoft imported ranges does not display
exclusion ranges, it only lists the ranges created. For more details this management difference,
refer to the section Understanding the Range Management on Microsoft Servers.
In the same way, when a Microsoft DHCP range contains a reservation, EfficientIP imports a
reservation wrapped around two DHCP ranges.
175
Importing DHCP Data
Several Microsoft configuration files can be imported one after the other on the same target
DHCP server. It allows to merge different DHCP configurations on one unique DHCP server.
Through all the imports, no data is deleted. If two configuration files have a scope in common
but named differently, the first scope name imported is overwritten by the new scope name.
Note that, for large configurations, SOLIDserver runs the import process in the background. As
it can take a while, the result is not displayed immediately.
The Infoblox DHCP loads its configuration from the file named dhcpd.conf. This file contains the
whole configuration of the DHCP server. Within SOLIDserver:
• You must import your configuration at scope level within a specific DHCP server.
176
Importing DHCP Data
• You can import your configuration in a smart architecture as long as it is a One-to-One, a One-
to-Many or a Single-Server smart architecture. It is impossible to import this configuration in a
Split-Scope or a Stateless architecture.
This procedure also works from the page All scopes of the server for which you want to import
the Infoblox configuration: at server level click on the name of the server concerned, once on the
page All scopes, follow the procedure from step 4. The server is automatically selected in the
drop-down list DHCP server.
Several Infoblox configuration files can be imported one after the other on the same target DHCP
server. It allows to merge different DHCP configurations on one unique DHCP server. Through
all the imports, no data is deleted: if the configurations conflict with each other all the different
elements are added. In the same way, if two configuration files have a scope in common but
named differently, the first scope name imported is overwritten by the new scope name.
The Meta IP DHCP loads its configuration from the file named dhcpd.conf. This file contains the
whole configuration of the DHCP server. You can import this file directly from SOLIDserver GUI
at scope level..
177
Importing DHCP Data
3. In the menu, select Import > Meta IP DHCP. The wizard Import a Meta IP dhcpd.conf
file opens.
4. Click on BROWSE to find the Meta IP dhcpd.conf file. Once you clicked on Open, the file is
displayed in the field File name.
5. In the drop-down list DHCP server, select the target server.
6. Click on OK to complete the operation. The report opens and closes.
This procedure also works from the page All scopes of the server for which you want to import
the Meta IP configuration: at server level click on the name of the server concerned, once on the
page All scopes, follow the procedure from step 4. The server is automatically selected in the
drop-down list DHCP server.
Several Meta IP configuration files can be imported one after the other on the same target DHCP
server. It allows to merge different DHCP configurations on one unique DHCP server. Through
all the imports, no data is deleted: if the configurations conflict with each other all the different
elements are added. In the same way, if two configuration files have a scope in common but
named differently, the first scope name imported is overwritten by the new scope name.
The NetID DHCP loads its configuration from the file named dhcpcfg.cur. This file contains the
whole configuration of the NetID DHCP server. SOLIDserver allows importing this file directly
from its graphical user interface at scope level of the DHCP organization.
178
Importing DHCP Data
Option Description
Scopes options Specify if you want to import the options tied to the scopes from the configuration file.
Ranges Specify if you want to import the ranges from the configuration file.
Ranges options Specify if you want to import the options tied to the ranges from the configuration file.
Statics Specify if you want to import the reservations (statics) from the configuration file.
Statics options Specify if you want to import the options tied to the reservations (statics) from the
configuration file.
Several NetID configuration files can be imported one after the other on the same target DHCP
server. It allows to merge different DHCP configurations on one unique DHCP server. Through
all the imports, no data is deleted: if the configurations conflict with each other all the different
elements are added. In the same way, if two configuration files have a scope in common but
named differently, the first scope name imported is overwritten by the new scope name.
179
Chapter 11. Importing DNS Data
SOLIDserver offers several ways of importing zones and RRs from legacy DNS servers to Effi-
cientIP DNS servers. The DNS data can be downloaded or transferred from the GUI without
having to install any tools on the remote system. You can import:
• BIND archive files.
• VitalQIP archive files.
To import zones and records via CSV, refer to the section Importing Data to the DNS in the
chapter Importing Data from a CSV File.
Prerequisites
• The archive file must be imported in a DNS server, preferably an EfficientIP DNS server, an
EfficientIP DNS Package server or a smart architecture.
• The archive file must contain all the directories of your BIND configuration including: the
file named.conf, the zone files and any other necessary files whether they belong to the same
directory or other sub directories.
• The archive file must have one of the following extensions: .tar, .tgz, .gz or .zip . It is not ne-
cessary to change the directory paths of your zone files in the file named.conf , if you are not
able to provide the whole directory organizations in the archive file, the system can retrieve
the files in the archive (several zone files may use the same name in different directories).
Limitations
• You cannot use the characters "_", "@" and ":" when importing a BIND archive file. Make
sure you did not use any of these characters in zone names, record names, etc. as it would
trigger either parsing errors (and not import the file) or import everything but the line containing
these characters. For more details, refer to the RFC 1034Domain Names - Concepts and Fa-
cilities.
• The archive must only contain supported BIND options. Any non-supported BIND option
declared in the archive file is ignored. Once the archive file is imported, you can configure
these extra options following the appendix Configuring Non-Supported BIND Options.
• The file named.conf can contain include directives linking to other files if any include directive
is declared outside existing clauses. Any include directive declared within existing clauses
like option {}, zone {}, etc. is ignored. The file(s) declared in the directive include must be part
of the archive file.
• The archive cannot contain the directive $GENERATE, this directive is not supported.
180
Importing DNS Data
3. In the menu, select Import > BIND archive file. The wizard Importing a BIND archive
file opens.
4. Click on BROWSE to select the BIND archive file to import.
5. In the field File name, the file is displayed.
6. In the drop-down list Action, you can either Import the zone files or Check the zone files.
7. If you selected Import the zone files, you can tick the box Also import server options if you
want to import the global configuration settings that apply to all the zones.
8. Click on OK to complete the operation. The report opens and works for a while before dis-
playing the import result and potential errors.
9. In the section Export format, you can download the import result report in TEXT , HTML or
EXCEL .
10. Click on CLOSE to go back to the page All zones. The zones are now listed.
This import relies directly on the BIND zone file itself, <zone-name>, without extension located
in the DNS database.
Note that the import file includes VitalQIP DNS as well as IPAM data at the same time. If the
archive file includes *_aud.qef files the import might take longer.
181
Importing DNS Data
182
Chapter 12. Exporting Data
Within SOLIDserver, exporting data follows a set of rules:
• The object parameters that you can export correspond to the columns of the page
That way, on the one hand you can export the name of the object container: if you export a list
of zones you can also export the name of the server and view they belong to. And on the other
hand, you can export the customized parameters that you created through Class Studio and
displayed as columns.These columns are preceded by the mention Class param: in the wizard.
• An export is generated one level at a time
If you are exporting zones from the page All zones in the DNS, you only export the zones
themselves but not the RRs they contain.
• An export can be generated in five different formats
1
You can export lists of objects in .csv, .html, .xml, .xls and .pdf . Only the .csv file format provides
the possibility to reimport the list again in the GUI.
• An export can take into account from 1 to n objects
On any page, exporting data takes into account every object listed. However, if you tick one
or more elements, only the parameters of the ones you ticked are exported.
• An export can be done at a specific time or scheduled to be generated regularly
From the export wizard, you can choose to export the data right away or later on, even on a
regular basis and at the frequency of your choosing.
• An export name provides time and format information
An export is always named after its format and moment of generation, never after what it con-
tains. Each export is named as follows: export_<extension>_<date>_<time>.<extension>.
Where extension refers to the export format; date is displayed as such: YYYYMMDD and time
as such: HHMMSS. For instance, "export_excel_20130301_073042.xls" is an export generated
in EXCEL on March 1st, 2013 at 07:30:42.
• If the page does not have the menu Report, you cannot export the data listed
Within SOLIDserver, almost any page allows to export data. To see the whole list of pages
where you can export data, refer to the section Pages where you can export data below.
All exports are displayed on a single page, however the configuration files of the scheduled exports
are displayed on their own page.
1
Keep in mind when exporting data to a PDF file that the number of columns is limited to 40 and affects the final display and might
generate a file very hard to read.
183
Exporting Data
You can export data from almost any page. The menu Report indicates which pages are con-
cerned:
184
Exporting Data
Template is a drop-down list that allows you to save all your configuration as a template for
later exports of the list.
When exporting CSV files, you can find two extra fields. First, the drop-down list Delimiter
allows you to select which delimiter you want to use during the data export. Second, the
2
box The export might be reimported can be ticked if you want to reimport the data in a
SOLIDserver appliance: this basically exports the list as raw data that is easier (and therefore
faster) to reimport.
Action is a drop-down list that allows you to export right away your list or schedule the export
it at the frequency of your choice.
Columns is a list that allows you to select the columns, i.e. parameters, of your choice. This
list contains all the columns that you can display on the page as well as the class parameters
related to the objects of the list.
Selected is a list that sums up all the columns that you selected and which data you are
about to export. It also allows you to order the data according to your needs.
Only the scheduled exports are available on the page Local files listing.The schedule configuration
is available on the page Scheduled exports.
2
Exporting data without ticking this box might trigger some errors. Some columns might not be imported at all, for instance the value
of the column Network is terminal cannot be imported if the box is not ticked.
185
Exporting Data
Configuring Exports
The export can be of numerous forms as you can choose an export format, to schedule it or not
and finally save your columns configuration in a template and later on use the template as is or
use it as a basis during another export.
Once the export is generated, you can rename or delete the templates if need be. For
more details, refer to the section Managing Export Templates below.
5. If you chose to export a CSV file:
a. In the drop-down list Delimiter, select comma, semi-colon or tab.
3
b. Tick the box The export might be reimported to export the list or selected objects as
raw data.
6. In the drop-down list Action, select Generate new data.
7. In the list Columns, select one by one the columns that you want to export and click on .
They are moved to the list Selected.
8. In the list Selected, you can order the columns according to your needs using and . To
remove a column from the export, select it and click on . It is moved back to the list Columns.
9. The box Translate the columns name is ticked by default. If you do not want to export the
columns name as they are displayed in the GUI, untick the box.
10. Click on OK to complete the operation. The report opens and works for a while.
11. You can click on DOWNLOAD to save the export. The page refreshes when the export is over.
12. Click on CLOSE to go back to the page.
From the menu Report you can also schedule exports. Keep in mind that these exports are
managed differently: the generated file is available in the Local files Listing, plus scheduling an
export creates a configuration that you can manage on the page Scheduled exports. For more
details, refer to the section Managing Scheduled Exports Configuration Files below.
To schedule an export
1. Go to the page of your choice.
3
This option must be ticked if you plan on reimporting some data, for instance the value of the Terminal column.
186
Exporting Data
2. Tick the objects of your choice or none if you want to export the whole list.
3. In the menu, select Report > Export > <format of your choice>. The wizard Export
<format> file opens.
4. In the drop-down list Template, you can:
a. Choose not to create a template by selecting None and export your data.
b. Choose to create a template by selecting New template. The field Template name ap-
pears, name your template. The template saves the columns you select as well as the
delimiter if you export the list in a .csv file.
5. If you chose to export a CSV file:
a. In the drop-down list Delimiter, select comma, semi-colon or tab.
b. In the section The export might be reimported, tick the box to export the list or selected
objects as raw data.
6. In the drop-down list Action, select Schedule the report. The page refreshes.
7. In the list Columns, select one by one the columns that you want to export and click on .
They are moved to the list Selected.
8. In the list Selected, you can order the columns according to your needs using and . To
remove a column from the export, select it and click on . It is moved back to the list Columns.
9. The box Translate the columns name is ticked by default. If you do not want to export the
columns name as they are displayed in the GUI, untick the box.
10. Click on NEXT . The last page opens.
11. Configure the export frequency or date and time (UTC) of the scheduled export using the
table below.
12. Click on OK to complete the operation. The report works and displays the export report.
13. Click on CLOSE to go back to the page.
187
Exporting Data
The export configuration is available on the page Scheduled exports. For more details, refer
to the procedure To display the scheduled exports configuration.
When the export is generated, it is available on the page Local files listing. For more details,
refer to the procedure To display the scheduled exports.
In the sections below, we will only detail the required fields, i.e. columns. For more details on the
available fields for each module and page, refer to the chapter Importing Data from a CSV File.
Keep in mind that the field Space name of the import wizard allows you to:
• Select the corresponding column of your CSV file
• Select one space among the ones in your database or the option Use best space, with IPv4,
the option uses the IP address and size to place the object in the best space, block-type network
and/or subnet-type network possible.
188
Exporting Data
Object Listing page required Column name in the ex- Column name in the im-
column(s) port wizard port wizard
Space Space name Space name
On the page All pools
Pool Start address Pool start address First address
Name Pool name Name
Space Space name Space name
Pools (v6) Start address Pool start address First address
End address Pool end address Last address
Name Pool name Name
Space Space name Space name
On the page All addresses
IP address Address IP address IP address
Name IP name Name
Space Space name Space name
IP address (v6) Address IP address IP address
Name IP name Name
Space Space name Space name
a
This field can be used to export and reimport the network start address and size.
Keep in mind that the DHCP server and DHCP6 server fields of the import wizard allow you to:
• Select the corresponding column of your CSV file
• Select one server among the ones in your database.
189
Exporting Data
DHCP page Listing page required Column name in the ex- Column name in the im-
column(s) port wizard port wizard
Server Server DHCP6 server
However, you cannot import, or reimport data on the page All RPZ zones.
190
Exporting Data
191
Exporting Data
However, you can only import, or reimport, data on the pages Groups, Users and Custom data.
For more details, refer to the section Importing Data to the Administration Module.
Each column on the page corresponds to the parameters configured during the export configur-
ation. You can sort the list through each column, you can filter it through the columns Name,
Type and Owner. You cannot edit the listing layout of this page or access a properties page as
all the information is displayed.
All the configuration files are listed and each column corresponds to the parameters configured
during the scheduled export creation.You can sort and filter the list through each column but you
cannot edit the listing layout of this page. The scheduled exports do not have a properties page
as all the information is displayed.
192
Exporting Data
2. In the section Monitoring, next to Exports, click on Scheduled. The page Scheduled exports
opens.
3. Tick the configuration file(s) of your choice.
4. In the menu, select Edit > Enable or Disable. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The file is marked OK
or Disabled.
This page is composed of as many panels as there are pages where you can import data in the
module. Each panel lists all the templates configured on the page, the export templates are listed
as follows: Export: <template_name>.
3. In the panel of your choice, select the Export: <template_name> you want to rename.
4. Click on RENAME . The wizard Rename template opens.
5. In the field New Name, rename your template.
6. Click on OK to complete the operation. The report opens and closes. The name changes in
the list.
3. In the panel of your choice, select the Export: <template_name> you want to delete.
4. Click on DELETE . The wizard Delete template opens.
5. Click on OK to complete the operation. The report opens and closes. The template is no
longer listed.
193
Part IV. Dashboards
Dashboards is the first module you see when you connect to SOLIDserver.
The Main dashboard is the appliance homepage. For the superuser, it provides an overview of the appliance
configurations and services.
The dashboards are organized per module. On each one you can gather gadgets to monitor data or set up
custom shortcuts and search engines to ease up the management.
195
Chapter 13. Building Dashboards
Most modules have a dedicated dashboard where you can add and organize gadgets to set up
a customized display of information. For more details regarding gadgets, refer to the chapter
Managing Gadgets.
To display a dashboard
1. In the sidebar, click on Dashboards. The page refreshes.
2. In the drop-down list, select one of the available dashboards detailed below. The page re-
freshes.
Note that the modules Application, Guardian, VRF, SPX and Identity Manager do not provide
a dashboard.
196
Building Dashboards
The button opens the wizard Add a gadget where you can select an existing gadget to
display on the dashboard.
If you no longer want to display a gadget on a dashboard, refer to the section Hiding Gadgets
from a Dashboard.
If you want to create, edit, disable, control the visibility or delete a gadget, refer to the chapter
Managing Gadgets.
Moving a Gadget
You can drag and drop the gadgets to place them elsewhere on each dashboard.
When you put the mouse pointer in the gadget drag bar, it changes shape and you can see the
former position of the gadget and how much space it takes up in the new spot.
197
Building Dashboards
Once collapsed, the gadget is displayed as a simple line. Only its drag bar is visible, it contains
its name and buttons.
Next to the gadget name, you can use the buttons to expand the gadget again.
Hiding a gadget means that it is no longer visible on the dashboard, it does delete it. To display
it again, refer to the section Assigning a Gadget from the Dashboard.
198
Chapter 14. Managing Gadgets
The gadgets allow you to monitor the appliance and customize your dashboards.You can create,
assign, hide and/or delete gadgets. Some can even be edited.
The upper gray part is the gadget drag bar. It contains the gadget name and the buttons
to collapse, expand or hide it. On some gadgets, the button allows to edit them.
The lower white part contains the information. Its content differs for every type of gadget.
You can manage existing charts like gadgets. By default, a set of gadgets are available on the
page the Gadgets Library, for more details refer to the appendix Default Gadgets and .
Browsing Gadgets
The gadgets are available on three pages:
• My Gadgets where you can manage all the gadgets already assigned to at least one dashboard.
• Gadgets Library where you can manage all the existing gadgets.
• System statistics that contains the appliance statistics. Every chart on the page can be used
as a gadget and assigned to a dashboard.
• Any properties page containing charts. For more details, refer to the section Assigning a
Chart on a Properties Page as Gadget.
A number of gadgets are displayed by default on some dashboards, as detailed in the section
Gadgets Displayed by Default.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. To display the gadgets of a specific dashboard, in the search engine of the column Dashboard,
type in the name of the dashboard of your choice.
The page contains the following columns, you cannot edit the list layout.
199
Managing Gadgets
Table 14.1. The columns of the pages Gadgets Library and My Gadgets
Column Description
Name The gadget name.
All users The gadget visibility: Yes means it is visible to all users, No means it is only visible for the user
who created it.
Type The gadget type: Chart, Configuration, Descriptive, Quick Search, Shortcut or Top List. For
more details, refer to the section Understanding the Gadget Types.
Dashboard The name of the dashboard(s) where the gadget is assigned.
Status The gadget status: Enabled or Disabled.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. In the column Name, click on the gadget of your choice. The page My Gadgets opens and
lists the gadget as many times as it has been assigned. In the column Dashboard, the name
of the dashboard where the gadget is assigned is listed once. If the list is empty, it means
that the gadget is not assigned.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. At the end of the line of the gadget of your choice, click on . The properties page opens.
The panel Main properties sums up the gadget name, type, visibility and status. If it contains
the button EDIT , you can edit the gadget. For more details, refer to the section Editing Gadgets.
200
Managing Gadgets
These charts are not listed on the page Gadgets Library, but once assigned they are listed on
the page My Gadgets.
All the charts on the page, except Processes state, can be used as a gadget. The charts return:
• Traffic information, in the panels DNS traffic, DHCP traffic, HTTP traffic, SNMP traffic and
Database replication traffic.
• System information, in the panels Load average, CPU per process, Memory usage per process,
Disk operations, I/Os per process, SQL queries, Threads, User sessions and Disk Usage.
To display a chart on a dashboard, refer to the section Assigning a Chart of the Page System
Statistics as Gadget.
Keep in mind that these charts are empty during the first appliance use, without any traffic, there
is no data to display.
In addition, there are two gadget types, the Descriptive and Configuration gadgets. You cannot
create gadgets of these types, they are displayed by default. For more details, refer to the section
Gadgets Displayed by Default.
1
You can display the statistics of a remote appliance on the page but these charts cannot be used as gadgets.
201
Managing Gadgets
Chart
The chart allows to compare values and labels and create graphical representations of resources
activity or repartition via a pie chart or a bar chart. For instance, the DNS resource records type
distribution among the zones of a server.
202
Managing Gadgets
Top List
The Top List allows you to create a specific list displaying from 5 to 25 items from a listing page.
Once created, it looks like a table composed of a maximum of 4 columns that display the entries
you want. They can match a filtered display of the source page. For instance, a list of the five
most heavily used terminal networks.
The Top List can be edited thanks to the button . For more details, refer to the sections Creating
a Top List Gadget and Editing Gadgets.
Quick Search
The Quick Search allows you to create a filtering tool based on the columns of a page. It is
composed of fields matching the columns search engines in the target listing page.
In the gadget, the selected columns are displayed as input fields. When you click on SEARCH , you
execute a search that automatically opens the target page and applies the filters of the gadget
to only return the matching results.
Thanks to this gadget, you can filter pages using several columns from any dashboard. For in-
stance, you can search for specific zones through their name, type and DNSSEC configuration
within a server from any module dashboard.
The Quick Search can be edited thanks to the button . For more details, refer to the sections
Creating a Quick Search Gadget and Editing Gadgets.
203
Managing Gadgets
Shortcut
The Shortcut contains link buttons toward specific pages. They are only used for quick wizards
and bookmarks. For more details, refer to the section Shortcuts.
This gadget contains links toward your quick wizards. It can only be displayed once on each
dashboard.
You can customize the gadget content on each dashboard with . For more details, refer to the
sections Creating a Quick Wizards Gadget and Editing Gadgets.
This gadget contains links toward the bookmarks of your choice. You can display it on any
dashboard.
For more details, refer to the sections Creating a Gadget Bookmarks and Editing Gadgets.
204
Managing Gadgets
System Information
This descriptive gadget is available by default on the Main dashboard of ipmadmin (the superuser
session).
The name of the user connected. Click on the user name (ipmadmin in the image above) to
open the wizard Configure user settings that allows to set the user account preferences.
For more details, refer to the section Account Configuration.
Version
The appliance current date and time. If it is not accurate, the License type and finally the
support used (Manufacturer, Product and Serial).
License type
The appliance license type, either Temporary (with the End date between brackets) or Official
(it has no end date, it is permanent).
End of Maintenance
The appliance manufacturer name. It indicates if the appliance is installed on a virtual machine
or a physical hardware appliance.
Product
The product name, either hardware (with its size) or software. It depends on the manufacturer.
Serial number
The appliance serial number. For hardware appliances, it is composed of 6 hexadecimal digits.
For virtual appliances, it is only visible on the page Centralized Management.
205
Managing Gadgets
General Information
This descriptive gadget is available by default on the Main dashboard of ipmadmin.
The main services statuses: running , disabled or not yet configured . Click on each
service name to manage them. A running service can be disabled from the dashboard. The
services that are disabled or not configured yet provide a link to the page Services Configur-
ation. For more details, refer to the chapter Configuring the Services.
Hostname
The appliance hostname. Click on its name (solid.intranet in the image above) to open the
page Network Configuration and edit it. For more details, refer to the chapter Configuring the
Network.
IP Addresses
The appliance interface(s) IP address. The default interface indicates the IP address you
configured to connect to SOLIDserver. Click on the interface name (DEFAULT_INTERFACE
in the image above) to open the page Network Configuration and edit it. For more details,
refer to the chapter Configuring the Network.
Default gateways
The appliance default gateway. Click on its IP address to open the page Network Configuration
and edit it. For more details, refer to the chapter Configuring the Network.
SOLIDserver role
The appliance role: Standalone, Master or Hot Standby. The last two roles imply that your
SOLIDserver is configured in high availability (HA). Click on the role to open the page Cent-
ralized Management. For more details, refer to the chapter Centralized Management.
Status
The appliance status. A Standalone appliance is always OK. The appliances configured
in HA can be marked , to indicate that the configuration is not working properly. Click on
the status to open the page Centralized Management. For more details, refer to the chapter
Centralized Management.
206
Managing Gadgets
Only ipmadmin can share it to allow other users to display it, even if they belong to the group
admin.
This gadget provides a set of shortcuts to assist you in setting SOLIDserver main configurations
and making sure that your appliance is used at the best of its potential from the first connexion
onward. Any line marked is not configured yet, the completed configurations are marked .
The gadget provides a checklist and shortcuts toward specific configuration wizards:
Local SOLIDserver
Allows to configure locally the appliance from the gadget. Click on Configuration to open the
wizard Configure local SOLIDserver. For more details, refer to the section Configuring
SOLIDserver to Remotely Manage Other Appliances.
Remote SOLIDserver
Allows to add remote appliances to the page Centralized Management from the gadget. Click
on Add to open the wizard Add/modify remote SOLIDserver. For more details, refer to the
section Adding Remote Appliances.
NTP servers configuration
Allows to add NTP servers from the gadget. Click on Configuration to open the wizard NTP
servers configuration. For more details, refer to the section Configuring NTP Servers.
DNS smart architecture
Allows to create a DNS smart architecture from the gadget. Click on Add to open the wizard
Add a DNS server. For more details regarding smart architectures, refer to the section Adding
a DNS Smart Architecture.
DHCP smart architecture
Allows to create a DHCPv4 smart architecture from the gadget. Click on Add to open the
wizard Add a DHCP server. For more details regarding smart architectures, refer to the section
Adding a DHCPv4 Smart Architecture.
207
Managing Gadgets
Backup
Allows to archive the appliance backup on a remote server from the gadget. Click on Config-
uration to open the wizard Archive server parameters. For more details regarding remote
FTP configuration, refer to the section Archiving the Backup Files on an FTP or SFTP server.
Change ipmadmin password
Allows the superuser, ipmadmin, to edit their SOLIDserver connexion password from the
gadget. Click on Configuration to open the wizard Modify user password. For more details,
refer to the section Changing the Session Password.
Change SSH password
Allows the superuser, ipmadmin, to edit the SSH admin account password from the gadget.
This account is used to authenticate users who add/edit EfficientIP DNS and DHCP servers
and remote appliances. If you change the password from the gadget, you must also edit the
existing servers and appliances to specify the new password. Click on Configuration to open
the wizard Change SSH password. For more details, refer to the sections Editing DNS
Servers, Editing a DHCP Server and/or to the section Editing Remote Appliances.
Authentication (AD, LDAP, RADIUS)
Allows you to add one by one the three rules that configure the remote user authentication
via AD, RADIUS or LDAP. Click on Configuration to open the wizard Add a rule. For more
details regarding remote authentication, refer to the chapter Managing Authentication Rules.
Group
Allows you to add groups of users from the gadget. Click on Add to open the wizard Add a
group. For more details, refer to the section Adding Groups of Users.
Internal module setup
Allows to set the modules advanced properties interaction of the appliance. Click on Config-
uration to open the wizard Internal module setup. For more details, refer to the section De-
fining the Internal Module Setup.
This gadget provides links to help the connected user set their preferences:
Gadgets Library
This button is a link toward the page Gadgets Library in the module Administration.
Set language
This button opens the wizard Change Language. For more details, refer to the section Account
Configuration.
208
Managing Gadgets
Shortcuts
This shortcut gadget is available by default on the Main dashboard of ipmadmin.
This gadget cannot be edited and provides links to key pages of the modules IPAM, DNS and
DHCP:
All networks
This button provides a shortcut toward the page All networks in the module IPAM. For more
details, refer to the chapter Managing Networks.
All scopes
This button provides a shortcut toward the page All scopes in the DHCP. For more details,
refer to the chapter Managing DHCP Scopes.
All zones
This button provides a shortcut toward the page All zones in the DNS. For more details, refer
to the chapter Managing DNS Zones.
209
Managing Gadgets
This gadget represents all the vendor distribution of the ports listed on the page All ports, it indic-
ates the number of ports for each by vendor. For more details, refer to the chapter Managing
Ports.
This gadget represents the active ports listed on the page All ports distributed by port speed, in
bits per second, with the number of ports matching each speed. For more details, refer to the
chapter Managing Ports.
210
Managing Gadgets
This gadget represents all the ports listed on the page All ports distributed by status, with the
number of ports marked with each status. For more details, refer to the chapter Managing Ports.
This gadget represents the network device repartition of all the ports listed on the page All ports,
with the number of ports for each network device. For more details, refer to the chapter Managing
Ports.
211
Managing Gadgets
This pie chart represents all the used ports listed on the page All ports & interfaces distributed
by device. For more details, refer to the chapter Managing Ports.
This pie chart represents all the used interfaces listed on the page All ports & interfaces distributed
by device. For more details, refer to the chapter Managing Ports and Interfaces.
212
Managing Gadgets
This gadget provides a Top 5 list of the ports and interfaces that are marked Drift in the column
Reconciliation. For more details, refer to the chapter Managing Ports and Interfaces.
You can edit this Top List to display up to 25 entries in the table or edit the columns it contains.
For more details, refer to the section Editing a Top List Gadget.
Creating Gadgets
Each type of gadget has a specific addition and edition methods. For this reason, the creation of
Charts, Top List, Quick Search, Quick Wizards and Bookmarks gadgets is detailed separately.
Note that:
• You can create gadgets from any page of the module IPAM, DHCP, DNS, Application,
NetChange, Workflow, Device Manager or VLAN Manager and some pages of the module
Administration.
• The descriptive and configuration gadgets are default gadgets, you cannot create new ones
or delete them, you can only enable or disable them and change their visibility.
Once a gadget has been created, you can assign it on any dashboard or share it with other users.
For more details, refer to the sections Assigning Gadgets to a Dashboard and Granting Other
Users Access to the Gadgets.
In the GUI, some charts are already available on the page System Statistics or on the properties
page of some resources. These charts can be assigned as gadget thanks to the button in the
drag bar. For more details, refer to the section Assigning Gadgets to a Dashboard.
213
Managing Gadgets
Note that:
• Charts remain empty as long as there is no data to retrieve on the page they are created from.
• When you hover over a segment of a chart, a tooltip containing information about the segment
is displayed.
• Chart gadgets provide specific buttons:
• The icon allows to zoom in on the chart in a pop-up window above the page.
• The icon allows to refresh the data displayed.
• From the legend you can click on any entry to hide or display data. For more details, refer
to the section Charts.
• Once a chart is created, you cannot edit it. If the data you configured it with no longer suits to
your needs, you have to delete the gadget and create a new one. For more details, refer to
the section Deleting Gadgets.
Keep in mind that in the module Administration, you can only create a gadget Top List gadgets
from the pages Session tracking, User tracking and Alerts.
214
Managing Gadgets
• To remove a column from the Top List, select it among the Selected columns (Max:
4) and click on . The column is moved back in the list Columns.
• To order the columns of the Top List, select them one by one and click on the arrows
to move them up or down .
e. In the field Limit, specify the number of items to display in the final gadget: 5, 10, 15,
20 or 25.
5. For Top List gadgets created from the DNS page Analytics displaying Guardian data, in the
drop-down list Period, select the overall period of data to retrieve, either the last 1h, 3h or
6h.
6. Click on OK to complete the operation. The report opens and closes. The gadget is visible
on the dashboard you selected. It is named Top X list: <your-gadget-name>, where X is the
Limit you selected.
You can edit the Top Lists gadgets. For more details, refer to the section Editing a Top List
Gadget.
The fields available to configure the Quick Search depend on the list the gadget is set from.
4. For Quick Search gadgets created from the DNS page Analytics displaying Guardian data,
in the drop-down list Period, select the overall period of data to retrieve, either the last 1h,
3h or 6h.
5. Click on OK to complete the operation. The report opens and closes. The Quick Search is
visible on the dashboard you selected.
You can edit the Quick Search gadgets. For more details, refer to the section Editing a Quick
Search Gadget.
215
Managing Gadgets
Note that during the addition of a quick wizard you can only indicate one access location, either
a dashboard for the gadget or the menu Quick Access. However, you can edit the quick wizard
from the My Quick Wizards to specify more dashboards.
For more details regarding the quick wizards themselves, refer to the section Quick Wizards.
To create a link in the Quick Wizards gadget toward the Quick Wizard you are
creating
1. On the wizard you want to save, click on in the wizard drag bar. The wizard Add a Quick
Wizard opens.
2. In the field Name, type in the the quick wizard name.
3. In the drop-down list Save in, select the dashboard of your choice.
4. In the field Description, you can add a description.
5. Click on OK to complete the operation. The report opens and closes. The Quick Wizards
gadget is now displayed on the selected module dashboard, it contains a button named after
your quick wizard.
To create a link in the Quick Wizards gadget toward the Quick Wizard you are
editing
1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. Click on the name of a quick wizard you want to edit. The wizard Edit: Quick Wizard opens.
3. If need be, edit the fields Name and Description.
4. In the list Available, select one by one the module dashboards where the quick wizard should
be included to the Quick Wizards gadget.
You can also select Quick access menu to add a shortcut toward the quick wizard in the
menu Quick Access.For more details, refer to the section Accessing Quick Wizards.
5. Click on . Your selection is moved to the list Configured. If you want to remove an item
from the list, select it and click on , the item is moved back to the list Available.
6. Tick or untick the box Share with other users according to your needs. Sharing a quick
wizard makes it available for all users.
7. Click on OK to complete the operation. The report opens and closes. The Quick Wizards
gadget is now displayed on the dashboard of the selected modules and it contains a button
named after your quick wizard.
Note that once created, you can assign the Quick Wizards gadget from a dashboard. For more
details, refer to the section Assigning a Gadget from the Dashboard.
You can edit the content of a Quick Wizards gadget. For more details, refer to the section Editing
a Quick Wizards Gadget.
You cannot create the gadget Bookmarks on its own, you must create it when you are bookmarking
a page.
216
Managing Gadgets
The gadget is not displayed on any dashboard yet, to assign it, refer to the section Assigning
Gadgets to a Dashboard.
You can assign gadgets from the dashboard itself, as detailed in the section Assigning a Gadget
from the Dashboard, or you can:
• Assign a chart as gadget from the page System statistics and any properties page containing
charts.
• Assign a gadget to a dashboard, or several gadgets to several dashboards at once, from the
page Gadgets Library.
• Assign a gadget to a dashboard from the page My Gadgets.
Note that on the DNS page Analytics, the chart available for Guardian analytics cannot be assigned
as a gadget. Its only purpose is to narrow the data to return. For more details, refer to the section
Monitoring Guardian Analytics in the chapter Managing Guardian Statistics.
217
Managing Gadgets
2. In the section Monitoring, click on System statistics. The page System statistics opens.
3. Click on Collapse all in the upper right corner of the page to close all the panels.
4. In the panel of the chart of your choice, click on . The wizard Use the Chart as a Gadget
opens.
5. In the list Dashboard, select the dashboard of your choice.
6. Click on OK to complete the operation. The page refreshes. The gadget is now displayed
on the selected dashboard.
All the existing gadgets are listed on the page, even if they are not displayed on any dashboard
yet.
To assign gadgets to one or several dashboards from the page Gadgets Library
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) you want to assign to a dashboard.
4. In the menu, select Edit > Assign Gadget(s). The wizard Gadget configuration opens.
5. In the list Available, double-click on the name of the dashboard you want the gadget to be
displayed on. The name is moved to the list Configured.You can select several dashboards.
Keep in mind that if you selected several gadgets already assigned, their current dashboard
configuration is not displayed and is overwritten if you assign them to a new dashboard.
6. Click on OK to complete the operation. The report opens and closes. The gadget is now
displayed on the selected dashboard(s).
218
Managing Gadgets
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the menu, select Edit > Assign a gadget. The wizard Gadget Configuration opens.
3. Select the Type that suits your needs. Other contains the descriptive gadgets, the gadget
Bookmarks and the Quick Wizards gadget.
4. Click on NEXT . The list Gadget displays the available gadgets of the selected type.
5. Select the gadget you want. If there is no gadget of this type yet, the list is empty.
6. Click on NEXT . The last page opens.
7. In the list Available, double-click on the name of the dashboard of your choice. The name
is moved to the list Configured. You can select several dashboards if you want.
8. Click on OK to complete the operation. The report opens and closes. The gadget is now
displayed on the selected dashboard(s).
To assign a gadget directly from a dashboard, refer to the section Assigning a Gadget from the
Dashboard.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. Filter the list if need be.
3. For the gadget you want to hide, in the column Status, click on Visible. The wizard Disable
Gadget opens.
4. Click on OK to complete the operation. The report opens and closes. The gadget is marked
as Hidden and no longer visible on the dashboard.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. Filter the list if need be.
3. For the gadget you want to display, in the column Status, click on Hidden. The wizard Enable
Gadget opens.
219
Managing Gadgets
4. Click on OK to complete the operation. The report opens and closes. The gadget is marked
as Visible and displayed on the dashboard it was assigned to.
If you want to hide a gadget from several dashboards at once, refer to the section Enabling or
Disabling Gadgets.
Editing Gadgets
You can edit some gadgets:
• The gadgets Top list, Quick Search and Quick Wizards can be edited from the dashboard
they are displayed on. The gadgets Top List and Quick Search can also be edited from their
properties page.
• The gadget Bookmarks can only be edited from the page My Bookmarks.
Any other type of gadget cannot be edited. You have to create a new gadget again and delete
the one you no longer need.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Filter the column Type to only display Top Lists.
4. At the end of the line of the gadget of your choice, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a Top List opens.
6. Edit the fields Name, Columns, Selected columns (Max: 4) and Limit according to your
needs.
7. Click on OK to complete the operation. The report opens and closes. The gadget content is
now updated.
220
Managing Gadgets
Any changes performed on a Quick Search gadget apply to all the dashboards it is displayed on.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Filter the column Type to only display Quick Search gadgets.
4. At the end of the line of the gadget of your choice, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a Quick Search opens.
6. Edit the fields Name, Dashboard, Columns and Selected columns according to your needs.
7. Click on OK to complete the operation. The report opens and closes. The gadget content is
now updated.
You can make unique changes to a Quick Wizards gadget. Any change performed on the gadget
only apply to the dashboard where you edited the gadget.
221
Managing Gadgets
Any changes performed on the gadget Bookmarks apply to all the dashboards it is displayed on.
Standard users can create, edit or delete their gadgets, if their group is granted the proper per-
missions, but they cannot set the visibility of their gadgets.
222
Managing Gadgets
3. Click on the Name of the group of your choice. The page Resources opens.
4. In the breadcrumb, click on Rights. The page Rights opens.
5. In the search engine of the column Right, type in gadget to only display the gadget related
rights.
6. Tick the rights that suite your needs.
7. In the menu, select Edit > Allow. The wizard Enable opens.
8. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Do not forget to include users to the group. For more details regarding user permissions refer to
the part Rights Management.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) you want to make visible to all the other users.
4. In the menu, select Edit > Visible to all users > Yes. The wizard Gadget visibility opens.
5. Click on OK to complete the operation. The report opens and closes. In the column All Users,
the gadget is marked Yes.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
223
Managing Gadgets
You can only enable or disable a gadget from the page Gadgets Library from the listing itself or
the menu.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Filter the list if need be.
4. In the column Status:
a. To enable a gadget, click on Disabled. The wizard Enable Gadget opens.
b. To disable a gadget, click on Enabled. The wizard Disable Gadget opens.
5. Click on OK to complete the operation. The report opens and closes. The gadget is marked
Enabled or Disabled.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Filter the list if need be.
4. Tick the gadget(s) your choice.
5. In the menu:
a. To enable the gadget(s), select Edit > Status > Enable. The wizard opens.
b. To disable the gadget(s), select Edit > Status > Disable. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. The gadget is marked
Enabled or Disabled.
224
Managing Gadgets
Deleting Gadgets
You can only delete gadgets from the page Gadgets Library. Deleting a gadget removes it from
the appliance altogether and no matter on how many dashboards it is displayed.
To delete a gadget
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
Each gadget is listed one or more times, depending on how many dashboards it is assigned.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The gadget is now re-
moved from the dashboard(s) it was displayed on and from the pages Gadgets Library and
My Gadgets.
225
EAST ASIA
RIO DE
JANEIRO
Part V. IPAM
The Internet Protocol Address Management (IPAM) was designed to plan, track, organize and manage IP
addresses into networks. This organization can rely on IPv4 that manages 32-bit addresses or on IPv6 that
manages 128-bit addresses.
CLIENTS
USA CHINA
BRAZIL INDIA
AFRICA
BRASILIA NEW DELHI
OCEANIA
The IP address management requires to create a space, within which you create a block-type network, that
contains at least one subnet-type network that manages your IP addresses. You can also add a pool to
configure some or all of your IP addresses with extra parameters. If you want to import an existing IPAM
organization, refer to the part Imports and Exports.
Note that you can customize your organization display in the Tree view. For more details, refer to the section
Tree View of the chapter Understanding the GUI.
Note that from the module Dashboards, you can gather gadgets and charts on the IPAM dashboard to
monitor the module data or set up custom shortcuts and search engines. For more details, refer to the part
Dashboards.
Table of Contents
15. Managing Spaces .................................................................................................... 230
Browsing Spaces .................................................................................................. 230
Adding a Space .................................................................................................... 230
Editing a Space ..................................................................................................... 231
Automating the IPv4 to IPv6 Transition .................................................................... 232
Exporting Spaces .................................................................................................. 232
Deleting a Space ................................................................................................... 232
Defining a Space as a Group Resource .................................................................. 233
16. Managing Networks ................................................................................................. 234
Browsing Networks ............................................................................................... 234
Adding Networks ................................................................................................... 236
Editing Networks ................................................................................................... 242
Splitting Networks ................................................................................................. 243
Merging Networks ................................................................................................. 243
Moving Networks .................................................................................................. 244
Discovering the Assigned IP Addresses in a Network .............................................. 245
Using Network Map to Display Assigned IP Addresses ............................................ 245
Managing or Unmanaging Networks ....................................................................... 247
Creating Networks from NetChange ....................................................................... 247
Automating the IPv4 to IPv6 Transition .................................................................... 247
Adding Pools from the Page All networks ................................................................ 247
Adding IP Addresses from the Page All networks .................................................... 248
Adding DHCP Scopes from the Page All networks ................................................... 248
Adding or Updating DNS Zones from the Page All networks ..................................... 248
Adding VLANs from the Page All networks .............................................................. 248
Exporting Networks ............................................................................................... 248
Deleting Networks ................................................................................................. 249
Defining a Network as a Group Resource ............................................................... 249
17. Managing Pools ....................................................................................................... 250
Browsing Pools ..................................................................................................... 250
Adding a Pool ....................................................................................................... 251
Reserving a Pool ................................................................................................... 252
Resizing a Pool ..................................................................................................... 252
Adding Pools at Network Level ............................................................................... 253
Adding DHCP Ranges from the Page All pools ........................................................ 253
Exporting Pools ..................................................................................................... 253
Deleting a Pool ...................................................................................................... 253
Defining a Pool as a Group Resource ..................................................................... 253
18. Managing IP Addresses ........................................................................................... 255
Browsing IP Addresses .......................................................................................... 255
Adding an IP Address ............................................................................................ 257
Editing an IP Address ............................................................................................ 261
Configuring and Managing IP Address Aliases ........................................................ 262
Configuring Multiple A Records for an IP Address ................................................... 264
Renaming IPv4 Addresses Massively ..................................................................... 266
Moving IP Addresses ............................................................................................ 267
Pinging an IP Address ........................................................................................... 269
Populating Device Manager ................................................................................... 269
Adding Gateway IP Addresses at Network Level ..................................................... 269
Automating the IPv4 to IPv6 Transition .................................................................... 270
Updating DHCP Scopes from the Page All addresses .............................................. 270
228
IPAM
Adding DHCP Statics from the Page All addresses .................................................. 270
Adding DNS Records from the Page All addresses .................................................. 270
Adding Devices from the Page All addresses .......................................................... 270
Updating Ports and Interfaces from the Page All addresses ..................................... 271
Adding IP Addresses from the DHCP ..................................................................... 271
Adding IP Addresses from the DNS ........................................................................ 271
Exporting IP Addresses ......................................................................................... 271
Deleting an IP Address .......................................................................................... 271
Restoring an IP Address ........................................................................................ 272
19. Managing IPAM Templates ....................................................................................... 273
1. Adding Template Classes in Class Studio ............................................................ 274
2. Configuring Templates ....................................................................................... 275
3. Deploying Templates .......................................................................................... 281
20. Using VLSM to Manage Your IPAM Network ............................................................... 284
Choosing the Method That Suits Your Needs ........................................................... 284
Managing a Space-Based VLSM Organization ........................................................ 288
Managing a Network-Based VLSM Organization ..................................................... 298
Using the VLSM Hierarchy to Delegate Management ............................................... 303
21. Managing Cloud Synchronization .............................................................................. 306
Prerequisites ........................................................................................................ 306
Limitations ............................................................................................................ 306
Configuring a Proxy Server .................................................................................... 307
Configuring AWS Synchronization .......................................................................... 307
Configuring Azure Synchronization ......................................................................... 310
Monitoring the Synchronization .............................................................................. 313
Disabling Cloud Synchronization ............................................................................ 314
229
Chapter 15. Managing Spaces
The space is the highest level in the IPAM module's organization, the entry point of any IPv4 or
IPv6 addressing plan. It allows to manage unique ranges of IP addresses.
Browsing Spaces
Spaces are managed on the page All spaces. They contain the networks, pools and IP addresses.
ALIAS
Spaces provide uniformity and consistency check that ensure uniqueness of IP resources: there
cannot be two identical configurations of IP addresses, pools or networks within one space. To
manage identical N address plans, you can create N spaces in the IPAM module.
You can create as many spaces as you want to organize your addressing plan(s) or set up multiple
private networks following RFC 1918. Each space can contain as many block-type networks as
you need, their size defines the number subnet-type network, pools and IP addresses that you
actually manage.
By default, the space Local is present on the page All spaces. It is configured to receive all the
DHCP and DNS resources configured with replication that are not attached to any space.
Adding a Space
Spaces allow to set up addressing plans containing either IPv4 or IPv6 addresses.You can create
as many spaces as you need or use the space Local, created by default.
230
Managing Spaces
Note that you can also import spaces, for more details refer to the section Importing Spaces in
the chapter Importing Data from a CSV File.
To add spaces, you can use the menu or click on the button in the upper-right corner of the
page All spaces.
If you plan on adding different spaces with similar properties, creating a template might be useful.
For more details, refer to the chapter Managing IPAM Templates.
To add a space
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the menu, click on Add. The wizard Add a space opens.
3. In the list VLSM parent space, select None or one of the existing empty spaces. If you select
an existing space as VLSM parent space, the new space is affiliated to the space you selec-
ted. For more details, refer to the chapter Using VLSM to Manage Your IPAM Network.
4. Click on NEXT . The next page opens.
5. If you or your administrator created classes at space level, in the list Space class, select a
class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field Space name, name the space.
7. In the field Description, you can type in a description of the space.
8. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
9. Click on OK to complete the operation. The report opens and closes. The new space is listed.
Editing a Space
At any time you can edit an existing space. You can either edit it from its properties page or via
the contextual menu on the page All spaces.
To edit a space
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. At the end of the line of the space of your choice, click on . The space properties pages
opens.
3. In the panel Main properties, click on EDIT .
4. The wizard Edit a space opens.
5. In the list VLSM parent space, select a parent space if need be.
6. Click on NEXT . The next page opens.
7. If you or your administrator created classes at space level, in the list Space class, select a
class or None.
231
Managing Spaces
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
8. Edit the fields Space name and/or Description according to your needs.
9. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
10. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
For more details, refer to the chapter Managing Advanced Properties in the section Configuring
the Transition from IPv4 to IPv6.
Exporting Spaces
From the page All spaces, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting a Space
At any time you can delete a space. Keep in mind that:
• Deleting a space also deletes all the addresses, pools and networks it contains.
• You cannot delete a space containing other spaces. For more details regarding Variable Length
Subnet Masking, refer to the chapter Using VLSM to Manage Your IPAM Network.
• None of the resources created in the DNS and DHCP from the IPAM, through the advanced
properties, are deleted. This is a safety measure in case a space is deleted by mistake.
To delete a space
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Tick the space(s) you want to delete.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The selected spaces
are no longer listed.
232
Managing Spaces
Granting access to a space as a resource also grants access to every item it contains. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
233
Chapter 16. Managing Networks
Within the IPAM hierarchy the networks are a key level where you define ranges of IP addresses
to work with. Their management follows the recommendations introduced with the RFC 950, that
was aimed at providing a solution to the problems that the Internet community was facing with
dual hierarchical address levels.
The networks help you set the organization that suits your needs: it can allow to set a range of
addresses dedicated to your customers, and within that range a network for the customers of
specific country/city; or it can help delegate terminal network management tasks to administrators.
You can manage IPv4 and IPv6 networks, within one space. To successfully set up your address-
ing organization, you must add within a space:
1. A block-type network, where you set the range of addresses you want to manage. This net-
work is by essence non-terminal. That network contains:
2. One or several subnet-type networks. These networks can be terminal so you can assign
the IP addresses they contain, or non-terminal and contain other subnet-type networks. For
more details, refer to the chapter Using VLSM to Manage Your IPAM Network.
If you want to manage RIPE or APNIC networks and objects, refer to the part SPX.
You can synchronize cloud providers objects with networks. For more details, refer to the chapter
Managing Cloud Synchronization.
Browsing Networks
The page All networks manages both block-type and subnet-type networks, these subnet-type
networks can be terminal or not.
Block-type networks, or level 0 networks, belong to spaces and are the second level of the IPAM
hierarchy. They set the range of IPv4 or IPv6 addresses that you can divide into subnet-type
networks. On the page they are preceded by .
ALIAS
234
Managing Networks
1
Subnet-type networks, or level 1 (to n) networks, belong to block-type networks and are the third
level of the IPAM hierarchy. Terminal networks contain IPv4 or IPv6 addresses that you can assign.
On the page they are preceded by .
ALIAS
You can divide the IP addresses of a subnet-type network into pools. For more details, refer to
the chapter Managing Pools.
The icon color provides information on the network. When is blue it indicates small sized network
managing 2 or 1 IP address. It precedes /31 and /32 networks in IPv4, and /127 and /128 networks
in IPv6.
If you or your administrator configured IPAM to DHCP advanced properties, some subnet-type
networks have a panel DHCP options on their properties page, to configure DHCP options for
the scope associated with the network. For more details, refer to the chapters Managing Advanced
Properties and Setting DHCP Options.
1
Subnet-type networks can also belong to non-terminal subnet-type networks. For more details, refer to the chapter Using VLSM to
Manage Your IPAM Network.
235
Managing Networks
The page also provides columns specific to the management of SPX networks, whether
RIPE or APNIC, such as Waiting state or Assigned networks. For more details, refer to the part
SPX.
Creating The delayed status while you wait for the RIPE or APNIC to confirm the network creation.
Deleting The delayed status while you wait for the RIPE or APNIC to confirm the network deletion.
NOT VALID The subnet-type network size does not fit in the block-type network although it was validated
by the RIPE or APNIC. For more details, refer to the part SPX.
Adding Networks
To manage IP addresses, you must define a range of IP addresses to work with, with a block-
type network, and then set the range of addresses you can assign, with a terminal subnet-type
network.
To add a subnet-type network, refer to the section Adding Networks Manually or Adding Networks
Using the Option By Search. The option By search allows to find the first available section of free
IP addresses within a space based on a network size.
Note that you can import networks from a CSV file, for more details refer to the section Importing
Networks in the chapter Importing Data from a CSV File.
You can also add networks from NetChange routes. For more details, refer to the section Creating
Routes in the IPAM.
236
Managing Networks
2. Second, you can add a terminal subnet-type network. If you add non-terminal networks, you
need at least one terminal network where you can assign IP addresses.
By default, the first and last IP address of a terminal network you add are reserved for the network
and broadcast. The networks managing two or fewer addresses do not reserve any IP address.
6. If you or your administrator added classes at network level, in the list Network class select
a class or None.
Click on NEXT . The page Add an IPv4 network or Add an IPv6 network opens.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the field Network Name, name the network.
8. In the field Description, you can type in a description.
9. In the field Address, type in the start address.
10. If you are adding an IPv4 network:
a. In the drop-down list Netmask select a netmask. The netmask value automatically edits
the Prefix.
b. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix
value automatically edits the Netmask.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Creation of IPv6 Terminal Networks with Non-Standard Prefixes.
2
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.
237
Managing Networks
12. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.
Once you added a block-type network, you can add the subnet-type networks it contains.
6. You can tick the box Allow network reparenting. For more details, refer to the section Re-
parenting subnet-type networks in the chapter Using VLSM to Manage Your IPAM Network.
7. If you or your administrator added classes at network level, in the list Network class select
a class or None.
Click on NEXT . The page Add an IPv4 network or Add an IPv6 network opens.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
8. In the field Network Name, name the network.
9. In the field Description, you can type in a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
10. In the field Address, type in the start address. By default, the start address of the block-type
network you selected is displayed in the field.
11. If you are adding an IPv4 network:
a. In the drop-down list Netmask, select a netmask. The netmask value automatically edits
the Prefix.
b. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix
value automatically edits the Netmask.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Creation of IPv6 Terminal Networks with Non-Standard Prefixes.
3
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.
238
Managing Networks
13. The box Terminal network is ticked by default to add a terminal network. You can untick the
box to add a non-terminal network, for more details refer to the section Setting Up a Network-
Based VLSM Organization.
If the box Terminal network is ticked, the network has a Gateway. Depending on your admin-
istrator advanced property display:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
14. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
15. Click on OK to complete the operation. The report opens and closes. The network is listed.
Before creating a network using the option By search keep in mind that:
• Several networks can be named the same.
• The option only allows to add subnet-type networks, they can be terminal or non-terminal.
• The wizard offers a list of the available start addresses matching your network size criteria.
These results are displayed in ascending order from the non-terminal network with the most
important fragmentation to the one with the least fragmentation. The hierarchy is symbolized
by stars, three stars being the most.
• Several subnet-type networks cannot overlap each other in one non-terminal network.
• By default in IPv6, you can only add /64, /127 or /128 terminal networks. If you want to configure
them with a different prefix, refer to the section Enabling the Creation of IPv6 Terminal Networks
with Non-Standard Prefixes.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
239
Managing Networks
6. If you or your administrator added classes at network level, in the list Network class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. Select a Size, Prefix or Netmask for your network. Selecting one value automatically changes
the other two. Click on NEXT . The page Search result opens.
8. In the list Network address, select a start address. Click on NEXT . The page Add an IPv4
subnet opens.
9. In the field Network Name, name the network.
10. In the field Description, you can type in a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
11. The fields Address and Prefix display the values set on the pages Network size and Search
result.
12. The box Terminal network is ticked by default to add a terminal network. You can untick the
box to add a non-terminal network, for more details refer to the section Setting Up a Network-
Based VLSM Organization.
If the box Terminal network is ticked, the network has a Gateway. Depending on your admin-
istrator advanced property display:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
13. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
14. Click on OK to complete the operation. The report opens and closes. The network is listed.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
240
Managing Networks
6. If you or your administrator added classes at network level, in the list Network class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. The box Terminal network is ticked by default. You can untick it if you want to add a non-
terminal network that can contain other networks. For more details, refer to the section Setting
Up a Network-Based VLSM Organization.
8. In the drop-down list Network prefix, select the network prefix.
a. If the box Terminal network is ticked, select 64 bits, 127 bits or 128 bits.
b. If the box Terminal network is not ticked, select a prefix between 8 bits and 64 bits.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between 8 bits and 128 bits whether the network is terminal or not. For more
details, refer to the section Enabling the Creation of IPv6 Terminal Networks with Non-
Standard Prefixes.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
14. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
15. Click on OK to complete the operation. The report opens and closes. The network is listed.
If want to configure terminal networks with other, non-standard, prefixes, your administrator can
break the compliance with RFC 4291 by enabling the registry database entry module.ip.viol-
241
Managing Networks
ate.rfc4291. Once the registry entry is enabled, any prefix matching the terminal network start
address is returned by the drop-down list Network prefix.
Note that enabling the registry database also modifies the content of drop-down list Network
prefix for non-terminal networks.
To edit the registry key that enforces the compliance with RFC 4291
Editing Networks
You can edit networks from the page All networks via the contextual menu or from their properties
page. Other network editions like splitting, merging or moving are detailed in the following sections.
Before editing a network properties keep in mind that you cannot edit networks added using a
template. For more details, refer to the chapter Managing IPAM Templates.
To edit a network
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the network of your choice, click on . The properties pages opens.
4. In the panel Main properties, click on EDIT . The wizard opens.
5. If you or your administrator added classes at network level, in the list Network class select
a class or None.
Click on NEXT . The page Edit an IPv4 network or Edit an IPv6 network opens.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Edit the Network name, Description according to your needs.
7. If you are editing a subnet-type network, the box Terminal network is displayed. You can
either:
a. Tick the box to make the network terminal. In that case, it has a Gateway that may be
displayed or hidden, depending on your administrator display configuration.
b. Untick the box to make the network non-terminal. In that case, it can contain other net-
works. For more details, refer to the section Setting Up a Network-Based VLSM Organ-
ization.
242
Managing Networks
Keep in mind that you cannot make a terminal network non-terminal or vice versa if they
contain other networks or pools.
8. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
9. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
Splitting Networks
You can split IPv4 or IPv6 networks to manage the IP addresses they contain in separate networks.
Before splitting network, keep in mind that:
• You can split a network into 2, 4 or 8 smaller networks of same size.
• The new networks are all named after the network you split.
• When splitting a terminal network, the new smaller networks all use the first available IP address
as their gateway.
• You can split a network containing other networks only if the operation does not impact the
networks it contains.
• If the networks are configured with advanced properties, splitting them might compromise your
original configuration.
• You cannot split unmanaged networks.
To split a network
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the network(s) you want to split.
4. In the menu, select Edit > Split. The wizard Splitting networks opens.
5. In the drop-down list Number of networks to create, select 2, 4 or 8. By default, 2 is selected.
6. Click on OK to complete the operation. The report opens and closes. The networks are listed.
Merging Networks
You can merge IPv4 or IPv6 subnet-type networks, to manage more addresses. Before merging
networks, keep in mind that:
• You can merge subnet-type networks if:
• They belong to the same non-terminal network, either a non-terminal subnet-type network
or a block-type network.
• They are contiguous networks.
• They are of equal size.
• The new network is named after the very first network in the list that manages all the IP ad-
dresses of the selected networks.
• The number of networks before the merge must be a power of two (2, 4, 8, 16, 32, 64, ...).
• The new larger network uses one of the existing gateway addresses as gateway for the new
network.
243
Managing Networks
• The result of the merge must produce a network with a netmask address boundary.
• You cannot merge:
• Unmanaged networks or block-type networks.
• Terminal networks and non-terminal subnet-type networks, you can either select only terminal
networks or only non-terminal networks.
• Subnet-type networks that are associated with different VLANs. For more details on IPAM
/ VLAN Manager interactions, refer to the chapter Managing Advanced Properties in the
section Network Advanced Properties.
Keep in mind that if the merge you are trying to execute is impossible, an error message appears
on the report page and only a partial report of some networks is executed.
Moving Networks
You can move IPv4 or IPv6 networks from one space to the other. Before moving a network keep
in mind that:
• The migration of a block-type network also moves the networks, pools and IP addresses it
contains.
• The migration of a subnet-type network is only possible if the target space contains a block-
type network that can receive it.
• You can overwrite an existing network in the target space if both networks have the same size.
• You cannot move a network if it overlaps partially an existing network in the target space.
• You cannot move an unmanaged network.
244
Managing Networks
7. Click on OK to complete the operation. The report opens and closes. The selected network's
space has changed.
The option Discover networks names the assigned IP addresses if the DNS resolver of the appli-
ance is properly configured and if these IP addresses are declared in a valid PTR record. For
more details, refer to the sections Setting the DNS Resolver and Adding a PTR Record.
Considering that pinging all the IP addresses of a network can take some time, you can choose
to perform this scan at different speeds: it can be fast, normal or slow. The slower the discovery,
the more likely you are to properly scan the network. The discovery mechanism sends 32 ICMP
echoes at once on the network. For more details, refer to the table below.
Table 16.2. The available speeds for the option Discover networks
Speed Timeout Retry
Slow 3 seconds 2 attempts
Normal 2 seconds 1 attempt
Fast 1 second no retry
When the operation is over, the assigned IP addresses are the ones that responded to the ping.
They are marked In use in the column Status and they have a Name if they are properly declared
in a PTR record.
Network map allows to see the occupancy rate of IPv4 block-type or subnet-type non-terminal
networks and to make sure you did not forget any IP addresses in your addressing strategy.
245
Managing Networks
On the page Network map, non-terminal networks are divided into lines of /24 terminal networks,
where free ranges are gray and used ranges are blue.
This column indicates the first IP address of the networks. Every simple line represents a
segment of 256 consecutive IP addresses, free or belonging to a network.
The blue areas indicate used IP addresses within the non-terminal network. On this image,
three existing networks are highlighted:
• 3.2.12.0-3.2.15.255: This network is dark and light blue because it uses more than 256
addresses. The light area indicates that no IP address is free in the portion of the non-
terminal network.
• 3.2.50.0-3.2.50.255: This network is dark blue because it uses exactly 256 addresses.
• 3.2.255.0-3.2.255.63: This network uses only a portion of a /24 network, so it is directly
followed by a gray area that extends to the next existing network to highlight all the free
IP addresses between the two networks.
The gray areas indicates the free IP addresses within the non-terminal network. On this
image, the segment 3.3.4.0-3.3.255.255 is free.
Put your mouse over any blue area to display the network details: name, start and end IP
addresses and size. If you click on the blue area the properties page of the network opens.
246
Managing Networks
The option can be useful, for instance, if you are allocated a particular range of addresses by the
RIPE or APNIC through SPX, especially if you are still waiting on this range to be officially allocated
to you. As any network set as unmanaged is virtually non existent in the database, it gives you
time to add new networks managing the same start IP address and prefix as an existing unman-
aged network and assign in advance the addresses it contains if need be.
For more details, refer to the chapter Managing Advanced Properties in the section Configuring
the Transition from IPv4 to IPv6.
247
Managing Networks
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
The new scope is added in the selected DHCP cluster and automatically set with the network
Gateway address as value of the option routers. In addition, all the IP addresses you add within
these networks can automatically add statics.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
Exporting Networks
From the page All networks, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
248
Managing Networks
Deleting Networks
At any time you can delete networks. But keep in mind that:
• As a safety measure:
• Deleting a block-type network does not erase it from the database. If it contains objects -
networks, pools, used IP addresses - it is renamed Orphan Network and the objects it con-
tained are managed by the next block-type network added that matches the deleted network
configuration, i.e. the same start IP address, size and advanced properties.
• Deleting a subnet-type network puts its used IP addresses in an Orphan Network. The free
IP addresses are deleted.
If you really want to delete a network, you must delete its content first, starting with its used IP
addresses and up the IPAM hierarchy until the network you want to delete is empty. For more
details, refer to the chapters Managing IP Addresses and Managing Pools.
• Deleting a network configured with the advanced property DNS server for reverse zones or
DNS view for reverse zones also deletes the corresponding reverse zone from the DNS, if it
only contains the default SOA and NS records.
To delete networks from a VLSM organization, refer to the chapter Using VLSM to Manage Your
IPAM Network.
To delete a network
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the networks(s) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. Selected networks are
no longer listed, they might be replaced by Orphan networks or Orphan Addresses.
Granting access to a network as a resource also grants access to every item it contains. For
more details, refer to the section Assigning Resources to a Group in the chapter Managing
Groups.
249
Chapter 17. Managing Pools
Within the IPAM hierarchy, pools are the fourth level of the IPAM module hierarchy, they are the
last container level. They can be added within terminal networks to manage IP addresses, their
use is optional.
Pools allow reserving IP addresses for restricted usage such as: address provisioning, planning
or migrations. Pools can also be used to delegate one or several ranges of IP addresses to groups
of administrators or to restrict access to users.
Browsing Pools
The pools belong to terminal networks and contain IPv4 or IPv6 addresses. They are managed
in the page All pools.
ALIAS
Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.
250
Managing Pools
Adding a Pool
Within any terminal network, a subnet-type network, you can add pools to organize further your
IP addresses and/or configure them with a common set of options. Note that:
• You can add pools at pool level. The procedure below details how to add them from the page
All pools.
• You can add pools at network level. Pools can be added either from the properties page of
terminal networks, in the panel IP address pool, or when you add terminal networks configured
with the relevant advanced properties. For more details, refer to the section Network Advanced
Properties in the chapter Managing Advanced Properties.
• You can import pools, for more details refer to the section Importing Pools in the chapter Im-
porting Data from a CSV File.
To add a pool
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Click on the name of the subnet-type network of your choice. The page All addresses of this
network opens.
4. In the breadcrumb, click on All pools. The page All pools of the network opens.
5. In the menu, click on Add. The wizard opens.
6. If you or your administrator created classes at pool level, n the list IP pool class, select a
class or None.
Click on NEXT . The page Add an IPv4 pool or Add an IPv6 pool opens.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the field Pool name, name the pool.
8. The box Pool read-only allows to reserve the pool, mark it as read-only. By default, the box
is not ticked. For more details, refer to the section Reserving a Pool.
9. In the field Start address, type in the first address of the pool.
10. In the field End address, type in the last address of the pool. By default, the last address of
the parent network is displayed. The value of the End address automatically updates the
value of the field Size, based on the Start address.
11. In the field Size, you can type in the number of IP addresses you want the pool to manage.
The value of the Size automatically updates the value of the field End address, based on
the Start address.
12. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The pool is listed. On
the page All addresses, the column Pool indicates the pool name next to all the addresses
it manages.
251
Managing Pools
Reserving a Pool
You can reserve a pool when creating or editing a pool thanks to the box Pool read-only. This
reservation may be useful to dedicate the use of IP addresses to the DHCP, identify a bunch of
printers, etc.
Click on NEXT . The page Edit an IPv4 pool or Edit an IPv6 pool opens.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Tick the box Pool read-only to reserve the pool.
5. Click on OK to complete the operation. The report opens and closes. The pool is now marked
Yes in the section Read-only of the panel Main properties.
When adding a pool, you can tick the box as well to reserve it.
Resizing a Pool
You can resize IPv4 pools to manage more or less addresses than they did when you created
them. Resizing a pool shifts the start and/or end IP address of the pool, you can specify a number
of addresses to include/exclude.
So, if your pool managed the addresses 192.168.100.10-192.168.100.125 you can decide to
resize it to manage the addresses 192.168.100.100-192.168.100.105 indicating a start address
shift of "90" and an end address shift of "-20".
You cannot resize a pool if the addresses you include or exclude are already used or belong to
another pool.
252
Managing Pools
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
The range is added in the DHCP cluster you configured at network level.
For more details, refer to the chapter Managing Advanced Properties in the section Pool Advanced
Properties.
Exporting Pools
From the page All pools, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting a Pool
At any time, you can delete pools. Note that if you delete a pool you do not delete the ad-
dresses it contains or create an orphan container. You only delete the pool itself and the para-
meters it was set with.
If addresses inherited class parameters from the deleted pool, their value and the source of their
value remain the same: the Inheritance property of each class parameter is forced to Inherit or
Set to match the configuration of the deleted pool.
To delete a pool
1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the pool(s) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The pool is no longer
listed.
On the page All addresses, the free IP addresses managed by a deleted pool are no longer listed.
The addresses In use are still listed but next to them the column Pool is empty.
253
Managing Pools
Granting access to a pool as a resource also grants access to every item it contains. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
254
Chapter 18. Managing IP Addresses
The IP address is the last level of the IPAM hierarchy, where you assign your IP addresses to
specific users, devices, etc.
The page All addresses provides management options for IPv4 and IPv6.
Browsing IP Addresses
The IP addresses can belong to terminal subnet-type networks and pools. They can be configured
with one or several aliases.
ALIAS
For more details regarding statuses, refer to the section Understanding the IP Address Type and
Status.
255
Managing IP Addresses
3. On the right-end side of the menu, click on Uncompress IPv6 addresses. The page re-
freshes and all the addresses are displayed entirely.
Keep in mind that the Gateway address of terminal networks is different from the other Regular
IP addresses In use. It can be automatically created and named Gateway as you create a terminal
network and it can also be set with an IP address automatically calculated from the Gateway
offset of your choice. For more details, refer to the section Network Advanced Properties.
These columns provide information regarding the IPAM to DHCP interaction that can be set via
the advanced properties or directly when configuring statics. For more details, refer to the chapter
Managing Advanced Properties or the section Adding DHCPv4 Statics.
DHCP static The IP address was added in the IPAM and configured with the advanced property
Create a DHCP static. For more details, refer to the chapter Managing Advanced
Properties.
DHCP lease The IP address belongs to a pool configured with the advanced property Create a DHCP
range. For more details, refer to the chapter Managing Advanced Properties.
256
Managing IP Addresses
Read-only / Free The IP address is currently free but cannot be assigned because it belongs to a pool in
read-only. That pool is not configured with DHCP advanced properties.
Read-only / In use The IP address is currently used but cannot be edited because it belongs to a pool in
read-only. That pool is not configured with DHCP advanced properties.
Invalid The IP address does not match any IP address in the DHCP database but it belongs to
an IPv4 network or pool or to an IPv6 network configured with DHCP advanced properties.
The IPAM to DHCP advanced properties are probably misconfigured, for more details
refer to the section Configuring IPAM Advanced Properties.
Adding an IP Address
At address level, there are two ways of adding, or assigning, IP addresses:
• Manually: if you already know the IP address you want to assign and are sure that this IP ad-
dress is free. You can add it from the menu Add or from the list All addresses itself.
• By search: if you do not know if there is a free IP address within your terminal networks, you
can use this option to find available IP addresses.
Note that you can also import IP addresses, for more details refer to the section Importing IP
Addresses in the chapter Importing Data from a CSV File.
When you create large terminal networks, the Broadcast and Network addresses are
automatically assigned. Both addresses are by default Non assignable in large networks, but
you can make them assignable. For more details, refer to the section Assigning the Broadcast
and Network Addresses.
257
Managing IP Addresses
4. In the list Space, select a space and click on NEXT . The next page opens.
5. If you or your administrator created classes at higher levels, the <object> class page appears.
Select the class of your choice, All or None/No class and click on NEXT . The next page opens.
For more details, refer to the section Applying Classes.
6. In the list Network name, select the terminal network of your choice and click on NEXT . The
next page opens.
7. If the network contains pools, in the list Pool name, select a pool or No pool. Click on NEXT .
8. If you or your administrator created classes at IP address level, in the list IP address class,
select a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. On the page Add an IPv4 address or Add an IPv6 address, configure your IP address:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
From the page All addresses, whether it displays all the addresses or only the addresses of a
specific network, you can click on any free IP address to name and configure it.
258
Managing IP Addresses
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. On the page Add an IPv4 address or Add an IPv6 address, configure your IP address:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
259
Managing IP Addresses
5. If you or your administrator created classes at higher levels, the <object> class page appears.
Select the class of your choice, All or None/No class and click on NEXT . The next page opens.
For more details, refer to the section Applying Classes.
6. In the list Network name, select the terminal network of your choice and click on NEXT . The
next page opens.
7. If the network contains pools, in the list Pool name, select a pool or No pool. Click on NEXT .
The page IP address class opens.
8. If you or your administrator created classes at IP address level, in the list IP address class,
select a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. In the list IP address, select the IP address of your choice. The first ten available addresses
of the network are listed. Click on NEXT .
10. On the page Add an IPv4 address or Add an IPv6 address, fill in the following fields:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
Depending on the way you organized your addressing plan, you might need to assign all the
addresses of your networks, including the Network and Broadcast addresses. A registry database
entry allows to make them both assignable.
260
Managing IP Addresses
Once the Broadcast and Network addresses are assignable, you can configure them like any
other IP address. Note that on the page All addresses, their Status remains Non assignable but
the IP address itself is underlined to indicate that you can assign them.
Editing an IP Address
You can edit used IP addresses to change their class, name, MAC address or even their advanced
properties or class parameter configuration. This edition can be done from the list All addresses
or from the IP address properties page.
To edit an IP address
1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Right-click over the Name of the IP address you want to edit. In the contextual menu, click
on Edit. The wizard opens.
4. If you or your administrator created classes at IP address level, in the list IP address class,
select a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the fields MAC address and/or Shortname according to your needs.
You cannot edit the fields IP address and IP address name. IP address name displays the
changes performed in the fields Shortname and/or Domain. For more details, refer to the
relevant section of the chapter Managing Advanced Properties.
6. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
261
Managing IP Addresses
ALIAS
Before going further, you must configure the IPAM to DNS advanced properties to display
all the IPAM to DNS related fields and ensure that you replicate IPAM changes in the DNS
database. For more details, refer to the relevant section of the chapter Managing Advanced
Properties.
When you configure an alias you are associating an IP addresses in the IPAM with A, AAAA
and/or CNAME record(s) in the DNS. The most commonly configured alias creates a CNAME.
The aliases can be used associate the IP addresses of a network toward one zone or different
zones:
• Within the same zone, the IP address alias is a CNAME record that follows the DNS standard
use and points to an A/AAAA record.
• Among different zones, the alias name is crucial. The IP address shortname.domain1 creates
an A record of the zone domain1 and a CNAME record in the zone domain2 with the value
shortname.domain2. That way, your alias name links to two of your zones.
You can configure as many aliases as you need from IP addresses Free or In use.
262
Managing IP Addresses
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field Shortname, name the IP address.
7. In the drop-down list Domain, select a zone. The list of available zones depends on your
configuration at network level.
8. Make sure that advanced property DNS server is set to All.
9. Click on NEXT . The page Aliases configuration opens.
10. In the field Name, name your alias. Its name must be different from the IP address name,
especially if they share the same domain.
11. In the drop-down list Domain, select an existing domain or None. The alias full name is dis-
played in the field Alias following the format: <name>.<domain> .
12. In the drop-down list Type, select CNAME, A or AAAA. By default, CNAME is selected.
13. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many aliases
as you need. In the list, each alias is listed as follows: (<record-type>) <full-alias-name>.
14. Click on OK to complete the operation. The report opens and closes. The address is listed,
its Type and Status depend on your configuration. For more details, refer to the section
Understanding the IP Address Type and Status.
To see its aliases in the list, display the column Aliases. For more details, refer to the section
Customizing the List Layout.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The page Aliases configuration opens.
7. In the field Name, name your alias. Its name must be different from the IP address name,
especially if they share the same domain.
8. In the drop-down list Domain, select an existing domain or None. The alias full name is dis-
played in the field Alias following the format: <name>.<domain> .
9. In the drop-down list Type, select CNAME, A or AAAA. By default, CNAME is selected.
10. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many aliases
as you need. In the list, each alias is listed as follows: (<record-type>) <full-alias-name>.
11. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again, the panel Aliases lists all aliases.
263
Managing IP Addresses
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The page Aliases configuration opens.
7. In the field Aliases list, select the alias of your choice. All relevant fields display its details.
8. Edit the alias according to your needs.
9. Click on UPDATE . In the Aliases list, all the changes are displayed.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The page Aliases configuration opens.
7. In the field Aliases list, select the alias of your choice. All relevant fields display its details.
8. Click on DELETE . In the Aliases list, the alias is no longer listed.
264
Managing IP Addresses
balancing and round-robin. For more details, refer to the section Load Balancing with Round-
Robin.
We strongly recommend against configuring your DNS with one IP address associated
with a set of A aliases. Indeed, a proper configuration of your DNS implies that a name zone
is configured with a reverse zone which allows DNS clients to query your domain, through its
name on the one hand and its IP address on the other. In this configuration, DNS best practices
advise to create a PTR record in the reverse zone for each A record of the name zone to make
sure the domain or sub-domain is accessible through its name and IP address. If your name zone
contains several A records with the same value, your reverse zone should contain as many PTR
records. These records would all be named after the same IP address (the value of the A records).
In this case, the reverse zone would contain several PTR records with the same name pointing
to different domains. Therefore querying this IP address to get the corresponding domain or sub-
domain is impossible: the server cannot know which hostname to send when answering the DNS
clients query. To make sure that a domain can be accessed through its name and IP address,
there should be one PTR record in the reverse zone for each A record of the name zone. If you
need to provide an alias, you should add a CNAME record pointing to the A record in the master
zone. For more details, refer to the sections Adding an A Record, Adding a AAAA Record, Adding
a PTR Record and Adding a CNAME Record.
Before going further, you must configure the IPAM to DNS advanced properties to display
all the IPAM to DNS related fields and ensure that you replicate IPAM changes in the DNS
database. For more details, refer to the relevant section of the chapter Managing Advanced
Properties.
Keep in mind that if your configuration is not properly set in the IPAM, the A and/or AAAA records
are not created in the DNS and no error message is displayed in the DNS.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field Shortname, name the IP address.
7. In the drop-down list Domain, select a zone. The list of available zones depends on your
configuration at network level.
8. Make sure that advanced property DNS server is set to All.
9. Click on NEXT . The page Aliases configuration opens.
10. In the field Name, name your alias. Its name must be different from the IP address name,
especially if they share the same domain.
265
Managing IP Addresses
11. In the drop-down list Domain, select an existing domain or None. The alias full name is dis-
played in the field Alias following the format: <name>.<domain> .
12. In the drop-down list Type, select A or AAAA.
13. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many records
as you need. In the list, each one is listed as follows: (A) <full-alias-name> or (AAAA) <full-
alias-name>.
14. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again, the panel Aliases lists all aliases.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The page Aliases configuration opens.
7. In the field Name, name your alias. Its name must be different from the IP address name,
especially if they share the same domain.
8. In the drop-down list Domain, select an existing domain or None. The alias full name is dis-
played in the field Alias following the format: <name>.<domain> .
9. In the drop-down list Type, select A or AAAA.
10. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many records
as you need. In the list, each one is listed as follows: (A) <full-alias-name> or (AAAA) <full-
alias-name>.
11. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again, the panel Aliases lists all aliases.
To edit or remove A and AAAA record aliases, refer to the procedures To edit an IP address alias
and To remove an IP address alias.
266
Managing IP Addresses
4. In the menu, select Edit > Replace > IP address name. The wizard Replace name of IP
addresses opens.
5. In the field Exact search, select one of the following options:
6. Click on OK to complete the operation. The report opens and closes. The new IP addresses
names are visible in the list.
Moving IP Addresses
SOLIDserver provides several ways of moving, or migrating, IPv4 addresses within your database.
Migrating IP address can be useful when you have to relocate hosts.
Keep in mind that migrating an IP address edits its class parameters' inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.
Keep in mind that migrating an IP address edits its class parameters' inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.
267
Managing IP Addresses
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again, you can filter it to check the new address assigned to your hosts.
Keep in mind that migrating an IP address edits its class parameters' inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.
The wizard provides the possibility to detect an IP address in a source space and change the IP
address itself, while keeping its properties in the target space.
Keep in mind that migrating an IP address edits its class parameters' inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.
268
Managing IP Addresses
5. In the field IP address to migrate, type in the IP address you want to migrate.
6. In the drop-down list Target space, select a space or Same as source. This option can be
selected only if you specify a different IP address in the field New IP address.
7. In the field New IP address, type in the IP address of your choice. It can be a different one
or the same as the one specified in the field IP address to migrate.
8. Click on OK to complete the operation. The report opens and closes. The page is visible
again, you can filter it to check the new address assigned to your hosts.
Pinging an IP Address
From the IPAM module, you can ping IP addresses to check if the host they are associated with
is responding.
The corresponding host did not respond to the ping. It could mean a number of things, the host
is not running, is an a different network, is configured not to respond to the ping utility, etc.
For more details, refer to the section Automatically Adding Devices from the IPAM in the chapter
Managing devices.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
269
Managing IP Addresses
For more details, refer to the chapter Managing Advanced Properties in the section Configuring
the Transition from IPv4 to IPv6.
If the terminal network adds a scope, the option routers is directly set. If the terminal network
matches an existing scope, the option routers is set or updated.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
The static is added in the DHCP cluster configured at network level, it shares the same IP address,
MAC address and name as the new IP address.
For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and Configuring DHCP Advanced Properties.
An A, AAAA, CNAME or PTR record is added in the zone configured at network level. The new
record is named after the complete IP address name and zone name.
For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and IP Address Advanced Properties.
For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.
270
Managing IP Addresses
For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.
This property must be set at server level. For more details, refer to the chapter Managing Advanced
Properties in the section Configuring DHCP Advanced Properties.
This property must be set at server, view or zone level and propagated down to the records. For
more details, refer to the chapter Managing Advanced Properties in the section Configuring DNS
Advanced Properties.
Exporting IP Addresses
From the page All addresses, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting an IP Address
At IP address level, deleting an address actually frees it. Even though it is no longer listed, you
can assign it again by search or manually. Note that, as deleting an address releases it, it is im-
possible to delete free addresses.
To delete an IP address
1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the IP address(es) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. Selected addresses
are no longer listed.
271
Managing IP Addresses
Restoring an IP Address
You can restore deleted IP addresses, i.e. undo an IP address deletion. From the page All deleted
IP addresses, you can restore your IP addresses.
From this page you can also export the entries listed or even create an alert or a chart.
This button allows to access the page All Deleted IP addresses of the version displayed on
the page All addresses.
272
Chapter 19. Managing IPAM Templates
The IPAM provides a Template Mode where you can save fully preconfigured IPv4 organizations
as templates that can, then, automate the deployment of the addressing structures that suit your
needs.
For instance, you could add a template for a subnet-type network containing 3 pools and some
assigned IP addresses. Back in Normal Mode, adding a subnet-type network associated with the
same template class automatically deploys the template and configures the network with the
same content as the template.
POOL
Start address: 15.0.0.0 POOL
checkouts 1.0.0.1-1.0.0.10 Read-only: no Size: /16 checkouts 15.0.0.1-15.0.0.10 Read-only: no
IP ADDRESS 1.0.0.1 checkout1 Terminal network: yes IP ADDRESS 15.0.0.1 checkout1
IP ADDRESS 1.0.0.2 checkout2 IP ADDRESS 15.0.0.2 checkout2
POOL POOL
IP phones 1.0.0.11-1.0.0.15 Read-only: no IP phones 15.0.0.11-15.0.0.15 Read-only: no
IP ADDRESS 1.0.0.11 landline IP ADDRESS 15.0.0.11 landline
POOL POOL
printers 1.0.0.16-1.0.0.20 Read-only: yes printers 15.0.0.16-15.0.0.20 Read-only: yes
NETWORK Hong Kong
BLOCK 20.0.0.0/8
Note that you can export all Template Mode data. For more details, refer to the chapter Exporting
Data.
273
Managing IPAM Templates
You can rename or edit the template class as long as it is not applied to any object. For more
details, refer to the chapter Configuring Classes.
274
Managing IPAM Templates
You can rename or edit the template class as long as it is not applied to any object. For more
details, refer to the chapter Configuring Classes.
2. Configuring Templates
Once you added template classes, you can configure organizations from the Template Mode.
275
Managing IPAM Templates
Browsing Templates
All templates are created and managed from the Template Mode. This mode is accessible from
all the IPAM pages.
When the mode is displayed, a blue banner above the top bar indicates the mode is on and only
template objects are listed.
On all pages of the IPAM, the listing template you are displaying is kept even when you display
the page in Template Mode.
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
276
Managing IPAM Templates
If you want to configure a Template space with parameters and properties and propagate them
to lower levels, you must deploy network and/or pool templates within a space in Normal mode
that is configured with the exact same parameters and properties that the Template space. In
that case, the deployed templates can inherit all the parent space configuration details.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the field Space name, name the space. That name must be unique, one space name
cannot be used twice in Template mode and Normal Mode.
6. In the field Description, you can type in a description.
Note that this parameter can only be inherited by deployed templates if you add a space in
Normal mode with the exact same value.
7. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
Keep in mind that the configuration you set can only be inherited by deployed templates if
you add a space in Normal mode with the exact same parameters.
8. Click on OK to complete the operation. The report opens and closes. The space is listed.
Once you have one template space, you can add the objects it contains, starting with networks.
277
Managing IPAM Templates
You need at least one block-type network that can contain subnet-type network(s). These subnet-
type networks can be terminal or not and manage other subnet-type networks, pools and/or IP
addresses.
You can add one or more block-type networks within a template space. Keep in mind that:
• Only the block-type networks configured with an enabled template class in Template Mode
are available for deployment as template in Normal Mode. For more details, refer to the section
Adding Template Classes in Class Studio.
• The Start address and Prefix of a block-type network template are only used to determine a
range of IP addresses to configure.
• You cannot overlap block-type networks, even in Template Mode.
• Any block-type network added in Template Mode that is not configured with a template class
can be used to set up a template organization deployed at a lower level.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.
Once you have a block-type network, you can add the subnet-type network(s) it contains.
If you added a block-type network template, all the objects it contains are added when you deploy
the template.
If your template configuration is complete, you can go to the section Deploying Templates.
278
Managing IPAM Templates
Once you added a block-type network, template or not, you can add the subnet-type network(s)
it contains. Keep in mind that:
• Only the subnet-type networks configured with an enabled template class in Template Mode
are available for deployment as template in Normal Mode. For more details, refer to the section
Adding Template Classes in Class Studio.
• The Start address and Prefix of a subnet-type network template are only used to determine a
range of IP addresses to configure.
• Subnet-type networks can be non-terminal and contain other subnet-type networks, even in
Template Mode.
• You cannot overlap subnet-type networks, even in Template Mode.
• The IPAM/VLAN interaction advanced properties are limited. You cannot configure a subnet-
type network to Create a VLAN, you can only associate it with an existing VLAN.
• Any subnet-type network added in Template Mode that is not configured with a template class
can either belong to a network template that sets up an organization deployed at higher level,
or can be used to set up a template organization deployed at lower level.
You can add one or more subnet-type networks, manually or using the option By search.
The field can display a value inherited from the parent network. To edit the description, you
must change its Inheritance property from Inherit to Set.
10. The fields Address and Prefix display the values set on the page Network size.
279
Managing IPAM Templates
11. The box Terminal network is ticked by default to add a terminal network. You can untick the
box to add a non-terminal network, for more details refer to the section Setting Up a Network-
Based VLSM Organization.
If the box Terminal network is ticked, the network has a Gateway. Depending on your admin-
istrator advanced property display:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
12. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
Note that the IPAM/VLAN interaction advanced properties are limited. It is impossible to
Create a VLAN in Template Mode, you can only associate a subnet-type network with an
existing VLAN.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.
Once you have a subnet-type network, you can add the other subnet-type network(s), pool(s)
and/or assigned IP addresses it can contains. For more details, refer to the section Adding an
IP Address in the IP address dedicated chapter.
If you added a subnet-type network template, all the objects it contains are added when you deploy
the template.
If your template configuration is complete, you can go to the section Deploying Templates.
280
Managing IPAM Templates
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The pool is listed.
Once you have a pool, it can contain assigned IP addresses. For more details, refer to the section
Adding an IP Address in the IP address dedicated chapter.
If you added a pool template, all the IP addresses it contains are added when you deploy the
template.
If your template configuration is complete, you can go to the section Deploying Templates.
3. Deploying Templates
To deploy templates, you must apply the template class they are associated with in Template
Mode to an object you are adding in Normal Mode. You can deploy a template as many times
as you need.
281
Managing IPAM Templates
• A template network can be deployed in a bigger network, so make sure that the network
you are adding can contain the template network or has the same size.
For instance, you can deploy a terminal network template set for 256 addresses during
the addition of a network managing 512 addresses. In that case, only 256 addresses
within the network you add are configured according to the template, the rest can be con-
figured manually.
• Deploying a network template also deploys its content, or addressing organization.
• Block-type networks can contain subnet-type networks, pools and/or assigned IP ad-
dresses.
• Subnet-type networks can contain other subnet-type networks, pools and/or assigned
IP addresses.
• Terminal subnet-type networks can contain pools and/or assigned IP addresses.
At pool level
• To successfully deploy a template pool, you must apply a pool template class to a pool set
with the exact same Size and Pool read-only configuration than the template pool.
• The Start address and Size of a pool belonging to a network template are only used to
determine the range of IP addresses managed by the pool. During the network addition,
the pool start and end addresses are calculated according to the parent network Start ad-
dress and to the configuration of the network template.
• Deploying a pool template also deploys its content, all the assigned IP addresses it contains.
In the procedure below, a block-type template is deployed. The template deployment follows the
same logic at block-type network, subnet-type network and pool level.
6. In the list Network class, select the class template of your choice. The class name format
is as follows: your-template-name [template] or your-sub-directory/your-template-name
[template].
If you add a bigger network, the template configuration is deployed within the network only
to the range of addresses configured for the template. The rest of the network can be man-
aged independently like any addition performed without templates.
282
Managing IPAM Templates
11. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The network is listed,
it is automatically named after the network template. You can edit it to rename it.
13. In the column Name, click on the network name to display its content.
283
Chapter 20. Using VLSM to Manage Your
IPAM Network
The Variable Length Subnet Masking (VLSM) is a technique that allows network administrators
to break down the IP address organization on different levels of spaces, networks or pools both
in IPv4 and IPv6.
From the space level you can use the IPAM hierarchy to model the organization of IP resources
and increase its capacity. There are two ways of using VLSM within the GUI, both can be used
to delegate user rights.
Table 20.1. VLSM icons on the pages All spaces and All networks
Icon Description
The dot, located left of the space or network icon, indicates that the object belongs to another object.
It specifies the level of the space or network in the VLSM hierarchy: one dot for level 1, two dots for
level 2, three dots for level 3, and so forth depending on how deep your organization is.
This icon indicates that the subnet-type network is non-terminal i.e. using VLSM. In a space-based
VLSM organization it indicates that it is linked to a block-type network of the child space. In a network-
based VLSM organizations, it indicates that the network contains other subnet-type networks.
This icon indicates that the block-type network is part of a space-based VLSM organization and belongs
to a level 2 space, or lower. It shows that the block-type network is linked to a non-terminal subnet-
type network in the parent space, they both share the same name and size.
In both cases, organizing your IPAM network using VLSM provides a way to delegate user rights
as it allows to limit what users belonging to certain groups can display and manage.
You can set up an organization that uses both methods but there are some requirements to meet.
For more details, refer to the section Properly Using Both Methods Simultaneously.
VLSM introduces a parent to child dependency relationship between two spaces. A child space
is then attached and related to a parent space, they are affiliated .
284
Using VLSM to Manage Your IPAM
Network
SPACE
NETWORK
BLOCK
Space filiation
NETWORK
SUBNET
SUBSPACE
SUBSPACE
SUBSPACE
The resources contained in the parent space can then be allotted to one of its child spaces. When
a subnet-type network is created in a parent space, it may then be allotted to a child space: non-
terminal subnet-type networks of parent space become block-type networks in the child space.
This block-type network may then be divided into several subnet-type networks to be allotted as
block-type networks in "grandchildren" spaces, and so on.
SPACE
NETWORK /21
BLOCK
Space filiation
NETWORK /22
SUBNET
SUBSPACE
NETWORK /22
BLOCK
NETWORK /24
SUBNET
As spaces can be combined to map your organization, they can help network administrators to
delegate the IP address management per layer of space. For instance, large block-type networks
can be defined as root entries at the top level of the space hierarchy. These networks can be
divided into several non-terminal subnet-type networks to be allotted to subspaces: each non-
terminal subnet-type network becomes a block-type network in the child space. Within these
subspaces, the block-type networks are divided into subnet-type networks matching the size of
285
Using VLSM to Manage Your IPAM
Network
your choice to register a network device, manage a specific set of IP addresses within your
company...
This hierarchy makes it possible to obtain a coherent space unit where the resource administration
is governed by the dependent relationships created between these spaces. The consistency
check of resources and their uniformity are made between all affiliated spaces.
In the example above, the clients IP database is organized based on geography: each country
has a separate space affiliated to the continent it belongs to. These spaces were created prior
to creating the networks and pools in order to shape the rest of the IP addresses organization.
With this type of organization, the delegation of rights can be set per continent, per country or
within a country.
For more details regarding the manual VLSM implementation, refer to the section Setting Up a
Space-Based VLSM Organization.
286
Using VLSM to Manage Your IPAM
Network
SPACE
NETWORK /21
BLOCK
NETWORK /22
SUBNET
NETWORK /23
SUBNET
NETWORK /24
SUBNET
POOL
ADDRESS
Like the space-based implementation, it involves creating non-terminal subnet-type networks but
this time it sets up several levels of hierarchy within one space. Therefore, the semi-automated
VLSM allows you to distribute IP addresses on more than one level within a space without setting
a space affiliation.
In the example above, the internal block is divided into managing staff and all other staff members.
The distribution of staff IP addresses is once again geographical. As the division is performed at
the lower level, the delegation of rights to different administrators can be all the more precise
with limited access to the database if necessary.
There is no limit to the number of non-terminal subnet-type network levels you can set. It all de-
pends on their size and the size of the block-type network they belong to.
For more details regarding the network-based implementation, refer to the section Setting Up a
Network-Based VLSM Organization.
287
Using VLSM to Manage Your IPAM
Network
contain pools that contain IP addresses. Which is why you can only set both methods if you respect
the following:
• You cannot set up a space-based organization using a space that already contains non-terminal
subnet-type networks, meaning, a preexisting network-based organization. You can only set
up first a space-based distribution and then a network-based delegation.
• The network-based implementation can only be set at the lowest of the space-based organiz-
ation.
Keep in mind that, in a mixed organization, you can specify the inheritance and propagation
properties depending on your needs. For more details, refer to the section Editing a VLSM Block-
type Network Class Parameters Inheritance.
Once set up, you can move networks to edit the network links between a parent space and one
of its children but you cannot set up a deeper organization once the spaces contain affiliated
networks.
288
Using VLSM to Manage Your IPAM
Network
Therefore, the block-type networks of each space inherit the configuration, the subnet-type
networks managed by the block-type network inherit as well, and so forth down to the IP ad-
dresses. You can edit any level of the hierarchy to set a particular parameter or property and
propagate it to the lower level.
Figure 20.6. A space filiation where the space Clients contains the child space America
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
289
Using VLSM to Manage Your IPAM
Network
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
g. Click on OK to complete the operation. The level 1 space is listed.
You can repeat step 2 for as many spaces as you need. In the list VLSM parent space, you
can select a space no matter its level in the hierarchy. The spaces display indicates each
space level as detailed in the table VLSM icons on the pages All spaces and All networks.
You can edit some aspects of the space-base organization even after you created networks,
pools and addresses. For more details, refer to the section Editing a Space-Based VLSM Organ-
ization.
Once your space affiliation is set, you can create IPv4 or IPv6 block-type networks:
• The block-type networks must be created in the top level space of the affiliated spaces.
If you create them on a child space, the VLSM organization cannot be set, you would be creating
a block-type network and not setting up a space-based organization.
• If you configured specific parameters or behaviors at space level, the block-type networks in-
herit them.
1
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.
290
Using VLSM to Manage Your IPAM
Network
5. In the list Choose a space, select the space in which you want to add the network. Click on
NEXT . The next page opens.
6. If you or your administrator added classes at network level, in the list Network class select
a class or None.
Click on NEXT . The page Add an IPv4 network or Add an IPv6 network opens.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the field Network Name, name the network.
8. In the field Description, you can type in a description.
9. In the field Address, type in the start address.
10. If you are adding an IPv4 network:
a. In the drop-down list Netmask select a netmask. The netmask value automatically edits
the Prefix.
b. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix
value automatically edits the Netmask.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Creation of IPv6 Terminal Networks with Non-Standard Prefixes.
12. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.
To respect the levels of management you set, once you create a subnet-type non-terminal network
in a top level space, if you click on its Name on the page All networks you are redirected to the
content of the block-type network it created in the child space. This allows to navigate from one
level to the other and create your terminal networks, pools and IP addresses.
Once you created a block-type network in the parent space, you can create a non-terminal subnet-
type network(s) it contains.
In the parent space, if you create non-terminal subnet-type networks in a block-type network they
become the block-type networks of the child space of your choice. The terminal networks you
create belong to the space, they are not delegated.
Keep in mind that, once you link block-type and subnet-type networks in a space affiliation, they
update each other:
• If you create objects in the non-terminal subnet-type network, they are also created in the
block-type network of the child space.
291
Using VLSM to Manage Your IPAM
Network
• If you create objects in the block-type network of the child space, they are also created in the
subnet-type network of the parent space.
Figure 20.8. A non-terminal network created in the block of the space America
Figure 20.9. In the child space US, the non-terminal network is a block-type network
In the procedures below, we create a non-terminal subnet-type network by search but you can
also create it manually.
292
Using VLSM to Manage Your IPAM
Network
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
14. Click on NEXT . The page VLSM space opens.
15. In the list VLSM space, select the child space where the non-terminal subnet-type network
becomes a block-type network.
16. Click on OK to complete the operation. The report opens and closes. The network is listed
with the icon . Depending on the organization depth, it is preceded by one or several .
For more details, refer to the table VLSM icons on the pages All spaces and All networks.
On the page All networks of the child space you chose, the non-terminal subnet-type network
is listed as a block-type network.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
14. Click on NEXT . The page VLSM space opens.
15. In the list VLSM space, select the child space where the non-terminal subnet-type network
becomes a block-type network.
16. Click on OK to complete the operation. The report opens and closes. The network is listed
with the icon . Depending on the organization depth, it is preceded by one or several .
For more details, refer to the table VLSM icons on the pages All spaces and All networks.
On the page All networks of the child space you chose, the non-terminal subnet-type network
is listed as a block-type network.
If you add another non-terminal subnet-type network in the parent space, a new block-type network
is created in the child space.
293
Using VLSM to Manage Your IPAM
Network
You cannot set up a deeper organization of spaces once they contain networks linked from one
level to the other.
This edition moves the block-type network created in the former child space, along with all
the networks, pools and addresses it contains, to the child space you specified.
• In an organization where a subnet-type network was created at several space levels - the
spaces Clients, Europe and France in the example below - you can edit the VLSM space of
the network and select the space america. That edition results in the creation of Orphan
containers in the spaces europe and france and the creation of the block-type network in
the space america. From there you can recreate the networks that suit your needs. With
such an organization, this specific edition is only possible because the top space contained
several spaces at the same level.
294
Using VLSM to Manage Your IPAM
Network
Once you set a space-based VLSM organization, you can add and edit class parameters at the
different levels of the hierarchy.
Both the parents of a VLSM block-type network, i.e. the space and the non-terminal subnet-type
network, can have different values for the same class parameter. The VLSM block-type network
inherits the parameter that has been configured before the other.
You can edit the class parameters inheritance source of a VLSM block-type network. The class
parameter value can be inherited from:
• Space: the class parameter value is inherited from the lowest space in the organization, the
space where the selected block-type network is located. You cannot choose a space located
at higher level.
• Network: the class parameter value is inherited from the non-terminal subnet-type network it
is linked with, one level up in the space hierarchy. You cannot inherit the value of any subnet-
type network located higher in the hierarchy.
295
Using VLSM to Manage Your IPAM
Network
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
8. Click on OK to complete the operation. The report opens and closes.
Deleting a VLSM block-type network can only be done from higher level: when you delete the
non-terminal subnet-type network that created it, the block-type network is deleted as well.
• You can only delete a subnet-type network if the block-type network it created at lower
level is empty.
You cannot delete a subnet-type network in a parent space if the block-type network created
in the child space contains networks
Deleting subnet-type networks automatically deletes the block-type network it created at lower
level.
After a migration, the content of the parent and child spaces might differ and some objects might
not be associated: you might have a block-type network in a child space that is not associated
with a non-terminal subnet-type network.
Depending on your configuration, you might be able to create the missing non-terminal subnet-
type network in the parent space using the option Attach network to its VLSM parent. This would
allow to continue using VLSM to delegate rights and resources or create and delete objects in
both spaces at once.
Keep in mind that you can only use this option if:
• The block-type network in the child space is not already associated with a non-terminal subnet-
type network of the parent space.
• The parent space can receive the child space block-type network as a non-terminal subnet-
type network:
1. In the parent space, a block-type network can receive the non-terminal subnet-type network.
2. There is no overlap.
296
Using VLSM to Manage Your IPAM
Network
2. Click on the name of the child space of your choice. The page All networks open.
3. Tick the block-type network(s) of your choice.
4. In the menu, select Tools > Expert > Attach network to its VLSM parent. The wizard
Attach network to its VLSM parent opens.
5. Click on OK to complete the operation. The report opens and closes. The selected block-
type network is now preceded by .
After a migration, you can have affiliated spaces which IP addresses are not properly associated:
you might have a missing non-terminal subnet-type network in a parent space even if the block-
type network does exist in the child space.
In this case, you can use the option Aggregate VLSM networks from the page All spaces to create
the missing non-terminal subnet-type networks in the parent space.
If you reorganize your space-based hierarchy and plan on adding sub-spaces, you might need
to move IPv4 terminal networks from a top level space to a lower level of the hierarchy. In that
case, the IP addresses must be moved to the sub-space(s). This operation could be performed
by moving IP addresses from one space to the other, as detailed in the section Moving IP Ad-
dresses to another Space; however, you might have a lot of IPv4 terminal networks to spread
on multiple sub-spaces, and it would take a long time to repeat the operation for each sub-space.
The option Move addresses to VLSM network allows to automate the migration of IPv4 addresses
to the lowest terminal networks across the space hierarchy. It spreads the IP addresses in all the
available terminal networks that can contain them. That is to say, a terminal network at the lowest
level of the hierarchy which start address can receive the selected addresses.
297
Using VLSM to Manage Your IPAM
Network
You can insert non-terminal subnet-type networks in between a child subnet-type network and
its parent as detailed in the section Reparenting subnet-type networks.
Indeed, creating non-terminal subnet-type networks in a parent space creates block-type net-
works in a child space, in which case, your VLSM organization is space-based.
298
Using VLSM to Manage Your IPAM
Network
POOL
ADDRESS
Figure 20.11. Example of a class parameter configuration based on the networks' organization
Contrary to the space-based organization, the network-based VLSM organization allows you to
display the IPAM hierarchy at a glance, in one block-type network. As all the networks can be
listed all together, there is no need to go through different spaces separately to list non-terminal
subnet-type networks and their content.
299
Using VLSM to Manage Your IPAM
Network
13. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
14. Click on OK to complete the operation.The report opens and closes.The non-terminal subnet-
type network is listed and preceded by .
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
15. Click on OK to complete the operation.The report opens and closes.The non-terminal subnet-
type network is listed and preceded by .
Once you created a non-terminal subnet-type network, it can contain as many non-terminal
subnet-type networks as you need: it all depends on their size. And you can create a hierarchy
as deep as you need.
Within the non-terminal subnet-type networks you can create terminal networks to manage pool
and assign addresses. For more details, refer to the section Adding Networks.
300
Using VLSM to Manage Your IPAM
Network
• The start or end address of the subnet network you are inserting must be different from the
start and end address of the subnet-type network it reparents.
• This option can only be used in independent spaces or in spaces at the lowest level of a space-
based VLSM organization. For more details, refer to the section Properly Using Both Methods
Simultaneously.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
10. In the field Network Name, name the network.
11. In the field Description, you can type in a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
12. In the field Address, type in the start address. By default, the start address of the block-type
network you selected is displayed in the field. This address should be different from the ex-
isting subnet network that will be included in the network you are creating.
13. In the drop-down list Netmask, select a netmask. The netmask value automatically edits the
Prefix.
14. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix value
automatically edits the Netmask. The network size configuration is visible in the field
15. Untick the box Terminal network.
16. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
2
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.
301
Using VLSM to Manage Your IPAM
Network
17. Click on OK to complete the operation. The report opens and closes. The network is listed.
The reparented network is now listed at a lower level in the VLSM hierarchy.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
10. In the field Network Name, name the network.
11. In the field Description, you can type in a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
12. In the field Address, type in the start address. By default, the start address of the block-type
network you selected is displayed in the field. This address should be different from the ex-
isting subnet network that will be included in the network you are creating.
13. In the drop-down list Prefix, select /64, /127 or /128.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Creation of IPv6 Terminal Networks with Non-Standard Prefixes.
14. Untick the box Terminal network.
15. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
16. Click on OK to complete the operation. The report opens and closes. The network is listed.
The reparented network is now listed at a lower level in the VLSM hierarchy.
3
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.
302
Using VLSM to Manage Your IPAM
Network
To make a subnet-type network terminal or not, you must tick or untick the box Terminal network
in the addition/edition wizard. For more details, refer to the section Setting Up a Network-Based
VLSM Organization above.
Note that if the network you edit belongs to a space that has child spaces, you can select a
VLSM space.This action sets up a space-based delegation. In this case, a block-type network
is created in the specified child space and it contains the same Orphan Addresses container.
• Editing a non-terminal network to make it terminal
• You cannot edit a non-terminal subnet-type network to make it terminal if it contains any
network. It must be empty.
Deleting non-terminal subnet-type networks simply removes one level in the organization:
• In an organization with a non-terminal subnet-type network managing several terminal networks,
these terminal networks and their content are managed directly by the block-type network.
• In a deep network-based organization, one level is removed. All the lower level networks it
managed are moved up one level. If they inherited class parameters from the deleted container,
for each class parameter:
• The Inheritance property is forced to Inherit or Set to match the configuration of the deleted
parent network. The value and the source of the value remain the same.
• The Propagation property remains the same.
If you make the different pieces of a space organization resources to specific groups, you can
delegate the management one level at a time and whoever has access to the whole hierarchy
can keep track of all the changes.
For more details regarding users, groups and delegation within SOLIDserver, refer to the part
Rights Management.
303
Using VLSM to Manage Your IPAM
Network
In the example above, a way of using the space-based VLSM hierarchy could be to grant a group
of users:
• Access and management permissions to the content of the space usa. That is to say, make
all the block-type networks of the space usa a resource of the group and grant them the relevant
permissions of these objects. That way, the users of the group:
• Can see the space usa, as it is the container of the block-type networks they have in the
page Resources.
• Can display the content of the block-type networks they have among their resources. But
cannot display the content of the subnet-type networks and pools of the block-type networks
as they are not listed among their resources.
• Can manage the block-type networks listed among their resources, as they were granted
the relevant permissions.
Note that, if you grant the group access to the subnet-type networks and pools of the space
usa, they can actually see the whole content of the space from the block-type networks down
to the IP addresses and not only the subnet-type networks of the block-type networks. With
the relevant permissions, they can manage these objects as well. For more details, refer to
the section Assigning Resources to a Group.
• Grant access to the space america. That is to say, make the space america a resource of the
group. That way, the users of the group:
• Can display the content of the space america : all the spaces it contains, including the space
usa. And therefore, see that all changes performed in the spaces usa and america.
Keep in mind that granting access to a resource does not grant users access to its container.
Therefore, if you grant access to the group usa, users cannot see the content of america. In the
same ways, if you grant access to america, users cannot see the content of clients.
If you grant access to these spaces to two different groups of users: one can perform specific
operations and the other one to supervise these operations.
For more details regarding users, groups and delegation within SOLIDserver, refer to the part
Rights Management.
304
Using VLSM to Manage Your IPAM
Network
In the example above, a way of using the VLSM hierarchy would be to grant a group of users:
• Access and management permissions to the all the subnet-type networks of the non-terminal
subnet-type network outside paris. That is to say, grant them relevant permissions and make
the non-terminal subnet-type network outside paris a resource of the group. That way, the
users of the group:
• Can display the content of the subnet-type networks they have among their resources.
• Can edit the objects listed among their resources if they were granted the proper permissions
and rights.
You can also only grant access to these subnet-type networks to two different groups of users.
That way, you would set a group of users to manage specific operations and the other one to
supervise these operations.
Note that if you grant access to the non-terminal subnet-type network Field workers, users are
able to list the subnet-type networks it contains but not the content of the terminal network of the
non-terminal subnet-type network.
For more details regarding users, groups and delegation within SOLIDserver, refer to the part
Rights Management.
305
Chapter 21. Managing Cloud
Synchronization
If you have addressing plans stored on some cloud providers, you can synchronize them in the
module IPAM. The module Ecosystem allows to identify your addressing plans stored on AWS
and Azure clouds through the configuration of dedicated rules.
To properly synchronize cloud addressing plans, all IP related information, you must:
1. Meet the prerequisites.
2. Take into account the limitations.
3. Configure the rule that suits your needs.
• For AWS, refer to the section Configuring AWS Synchronization.
• For Azure, refer to the section Configuring Azure Synchronization.
Prerequisites
• Having all cloud provider details ready:
• For AWS, you need your AWS Account ID, Access key ID and an Access secret key. In
addition, you can specify a tag for VPCs, subnets and IP addresses, the tag is used to name
the objects synchronized in the IPAM.
• For Azure, you need your Azure tenant ID, Subscription ID, Client ID and Client secret key.
In addition, you must name Azure VNs and subnets.
• Having an independent space ready to receive the data you want to synchronize. You cannot
synchronize cloud objects if they match existing IPAM networks delegated to another space.
• If your internal network policies do not allow cloud synchronization, you can configure a proxy.
For more details, refer to the section Configuring a Proxy Server.
Limitations
• All the changes you perform in the IPAM on synchronized objects are overwritten during the
next synchronization.
• All synchronization error messages can only be seen on the page Syslog. For more details,
refer to the section Monitoring the Synchronization.
306
Managing Cloud Synchronization
When the rule is configured, that data in the IPAM evolves every time the information is synchron-
ized. All behaviors are detailed after the rule addition procedure.
• You can specify a tag for VPCs, subnets and IP addresses, before you add the rule. The tag
is used to name the objects synchronized in the IPAM.
307
Managing Cloud Synchronization
• You must have an independent space ready to receive the data you want to synchronize. You
cannot synchronize cloud objects if they match an existing IPAM networks delegated to another
space.
• A new VPC is always added in the IPAM at the lowest level.
• If no blocks can contain the subnets, the VPC is added as a block. However, it is recommended
to add a space containing blocks able to receive AWS objects before the synchronization.
308
Managing Cloud Synchronization
d. Once a VPC is configured as needed, click on ADD . The entry is moved to the VPCs
list.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
e. Repeat these steps for as many VPCs as you want.
15. Click on OK to complete the operation. The report opens and closes. The rule is listed. To
make sure the synchronization is successful, refer to the section Checking AWS Synchron-
ization.
Once the configuration is ready, keep in mind that the following behaviors can occur:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If an object fails to be synchronized, its children are not synchronized.
• If an AWS IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.
Note that you can edit the synchronization frequency, account details or VPC list of the rule from
its properties page. Any change triggers a new synchronization and can edit the content of all
spaces configured for the rule. If you delete a space, all synchronized objects are deleted from
the configured space.
All synchronized information is available on the pages All networks and All addresses of the
configured space and on the properties page of the new objects.
On the page All networks, users of the group admin can click on the button Listing template
on the right-end side of the menu, to display a set of Class param: columns dedicated to AWS
information. For more details, refer to the section Customizing the List Layout.
309
Managing Cloud Synchronization
If you specified a tag for your AWS objects, the networks are named after this tag. Otherwise,
they are named as follows: <IP_address>/<prefix>.
4. In the breadcrumb, click on All addresses. The content of the networks is listed.
If you specified a tag for your AWS objets, the IP addresses are named after this tag. If the
tag is empty, they are named according to the parameter PrivateDnsName. If the tag and
the parameter are empty, the IP addresses have no Name.
Some objects may be missing from either pages as the data listed depend on the synchronization:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If an object fails to be synchronized, its children are not synchronized.
• If an AWS IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.
On the properties page of synchronized objects, all AWS parameters you configured for the rule
are listed in the panel Ecosystem.
On non-terminal network properties page, the panel contains AWS owner ID (Account ID), AWS
VPC region and VPC ID.
On terminal network properties page, the panel contains AWS availability zone, AWS subnet ID
and parameters inherited from the parent network.
On IP address properties page, the panel contains AWS instance ID and parameters inherited
from the terminal network and the parent network.
When the rule is configured, that data in the IPAM evolves every time the information is synchron-
ized. All behaviors are detailed after the rule addition procedure.
310
Managing Cloud Synchronization
• You must name VNs and subnets before you add the rule. The tag is used to name the objects
synchronized in the IPAM.
• You must have an independent space ready to receive the data you want to synchronize. You
cannot synchronize cloud objects if they match an existing IPAM networks delegated to another
space.
• A new VN is always added in the IPAM at the lowest level.
• If no blocks can contain the subnets, the VN is added as a block. However, it is recommended
to add a space containing blocks able to receive Azure objects before the synchronization.
311
Managing Cloud Synchronization
Once the configuration is ready, keep in mind that the following behaviors can occur:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If an object fails to be synchronized, its children are not synchronized.
• If an Azure IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.
Note that you can edit the synchronization frequency, account details or VN list of the rule from
its properties page. Any change triggers a new synchronization and can edit the content of all
spaces configured for the rule. If you delete a space, all synchronized objects are deleted from
the configured space.
All synchronized information is available on the pages All networks and All addresses of the
configured space and on the properties page of the new objects.
On the page All networks, users of the group admin can click on the button Listing template
on the right-end side of the menu, to display a set of Class param: columns dedicated to Azure
information. For more details, refer to the section Customizing the List Layout.
312
Managing Cloud Synchronization
• You can delete networks and their content but they may be added again during the next syn-
chronization if they still exist in Azure database.
Some objects may be missing from either pages as the data listed depend on the synchronization:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If an object fails to be synchronized, its children are not synchronized.
• If an Azure IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.
On the properties page of synchronized objects, all Azure parameters you configured for the rule
are listed in the panel Ecosystem.
On non-terminal network properties page, the panel contains Azure virtual network location,
Azure resource group, Azure tenant ID and Azure virtual network ID.
On terminal network properties page, the panel contains Azure subnet ID and parameters inherited
from the parent network.
On IP address properties page, the panel contains Azure instance ID and parameters inherited
from the terminal network and the parent network.
Note that you can filter the page and add an alert dedicated to the synchronization.
• To monitor AWS error messages, double-click on the field under the column Log. A filter window
appears. You must select AND and make sure your search contains the keywords AWS and
Unable.
• To monitor Azure error messages, double-click on the field under the column Log. A filter
window appears. You must select AND and make sure your search contains the keywords
Azure and Unable.
313
Managing Cloud Synchronization
If you disable or delete a rule, the synchronized objects remain listed in the IPAM but are no
longer updated. Note that to delete all synchronized data from the IPAM, you should start with
IP addresses and follow the module hierarchy up to block-type networks.
To disable a rule
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. Filter the list through the column Rule# of your choice and hit Enter.
4. Tick the rule of your choice.
5. In the menu, select Edit > Disable. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. In the column Status,
the rule is marked Disabled.
To enable a rule again, follow the procedure above and select Enable. In the column Status, the
rule is marked Enabled.
To delete a rule
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. Filter the list through the Rule# of your choice and hit Enter.
4. Tick the rule of your choice.
5. In the menu, click on Delete. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. The rule is no longer
listed.
314
Part VI. DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network protocol which role is to automate the as-
signment of parameters to the clients connecting to the network, from a valid IP address to specific DHCP
options.
It allows to set up specific connection behaviors for current devices and new devices on the network. The
connection can be temporary, through dynamic allocation, or permanent, through fixed reservation. If
you want to import an existing DHCP configurations, refer to the part Imports and Exports.
The DHCP grants users access to the network following four steps:
1. Discovery: the DHCP client (host) broadcasts a DHCPDISCOVER packet on its physical subnet (usually
255.255.255.255) to discover the available DHCP servers;
2. Offer: all the available DHCP servers receiving the request respond to the host with a DHCPOFFER
packet containing their own IP address and valid connection settings, dynamic or fixed;
3. Request: the host sends a DHCPREQUEST packet to inform all the DHCP servers that offered an IP of
the acceptance. That packet includes the IP address of the DHCP server delivering access by the host,
the other servers can return the offered IP address to their pool of available addresses;
4. Acknowledge: the selected server sends all the configuration data to the host in a DHCPACK packet.
Discover
The client broadcasts a request for an IP address
Offer
The DHCP server offers an IP address
Request
The client broadcasts their IP address acceptance
DHCP server
DHCP client Acknowledge
The DHCP server confirms the IP address allocation
The DHCP hierarchy can include up to 4 levels of organization. These levels depend on the connection
behaviors you set, dynamic allocation or fixed reservation:
• Servers: the highest level of the hierarchy. It allows to set up fixed reservation and/or dynamic allocation.
It can contain scopes, groups, ranges, leases and/or statics. For more details, refer to the chapter Managing
DHCP Servers. One or several servers can be managed via a smart architecture to ensure service
availability and prevent data or configuration loss. For more details, refer to the chapters Deploying DHCP
Smart Architectures and Managing DHCP Smart Architectures.
• Shared networks: an optional level of the hierarchy. They allow different scopes to serve a common
network segment. In DHCPv6, they can contain prefix delegations. For more details, refer to the chapter
Managing DHCP Shared Networks.
• Groups: an optional level of fixed reservation that belongs to a server and contains static reservations.
It allows to apply specific DHCP options to the statics of your choice. For more details, refer to the section
Managing DHCP Groups in the chapter Managing Fixed Reservations.
• Scopes: the second level of the hierarchy. It can contain ranges for dynamic allocation or directly statics
for static allocation. For more details, refer to the chapter Managing DHCP Scopes.
• Ranges: the third level of the hierarchy for dynamic allocation. They contain the IP addresses that are
randomly allocated to hosts for a limited period of time, the leases. When the lease time expires, the address
is returned to the range and can be reallocated. Ranges can be configured with Access Control Lists
(ACLs) to restrict or authorize access to specific users. For more details, refer to the section in the Managing
DHCP Ranges in the chapter Managing Dynamic Addressing.
• Leases: the lowest level of the hierarchy for dynamic allocation. Each lease is an IP address belonging
to a range that is currently being allocated or was allocated to a host, you can track the leases history.
For more details, refer to the section Managing DHCP Leases in the chapter Managing Dynamic Addressing.
• Statics: the lowest level of the hierarchy for fixed reservation. Static reservation ensures that a host always
gets the same access details when they connect to the network. A static identifies a host using their MAC
address and always provides them with an IP address and/or a set of DHCP options. For more details,
refer to the section Managing DHCP Statics in the chapter Managing Fixed Reservations.
Note that from the module Dashboards, you can gather gadgets and charts on DHCP dashboard to monitor
the module data or set up custom shortcuts and search engines. For more details, refer to the part Dash-
boards.
Table of Contents
22. Deploying DHCP Smart Architectures ....................................................................... 319
Implementing DHCP Smart Architectures ............................................................... 320
DHCP Vendors Compatible with Smart Architectures ............................................... 323
Building a Highly Available Service With Smart Architectures ................................... 324
23. Managing DHCP Smart Architectures ....................................................................... 325
Browsing DHCP Smart Architectures ...................................................................... 325
Adding a DHCPv4 Smart Architecture .................................................................... 326
Adding a DHCPv6 Smart Architecture .................................................................... 333
Editing a DHCP Smart Architecture ........................................................................ 337
Handling the Status Locked Synchronization ........................................................... 343
Exporting DHCP Smart Architectures ..................................................................... 344
Deleting a DHCP Smart Architecture ...................................................................... 344
Defining a DHCP Smart Architecture as a Group Resource ..................................... 344
24. Managing DHCP Servers ......................................................................................... 346
Browsing DHCP Servers ....................................................................................... 346
Managing EfficientIP DHCP Servers ....................................................................... 348
Managing Agentless Microsoft DHCP Servers ........................................................ 351
Managing ISC DHCP Servers on Linux ................................................................... 356
Editing a DHCP Server .......................................................................................... 364
Repairing Leases .................................................................................................. 365
Configuring DHCP Options at Server Level ............................................................. 366
Exporting DHCP Servers ....................................................................................... 367
Deleting a DHCP Server ........................................................................................ 367
Defining a DHCP Server as a Group Resource ....................................................... 368
25. Managing DHCP Shared Networks ........................................................................... 369
Browsing Shared Networks .................................................................................... 369
Adding a DHCP Shared Network ............................................................................ 370
Editing a DHCP Shared Network ............................................................................ 370
Exporting Shared Networks ................................................................................... 371
Deleting a DHCP Shared Network .......................................................................... 371
26. Managing DHCP Scopes .......................................................................................... 372
Browsing Scopes .................................................................................................. 372
Adding a DHCP Scope .......................................................................................... 373
Editing a DHCP Scope .......................................................................................... 374
Configuring DHCP Options at Scope Level ............................................................. 375
Defining a Specific IPAM Space for a Scope ........................................................... 376
Defining a Specific Failover Channel for a Scope ..................................................... 377
Replicating Scope Data in the IPAM ....................................................................... 378
Configuring Multiple Scopes for a Network Segment ............................................... 379
Copying or Moving DHCPv4 Scopes ...................................................................... 380
DHCP Relay Agents .............................................................................................. 380
Adding DHCP Scopes from the IPAM ..................................................................... 381
Updating DHCP Scopes from the IPAM .................................................................. 381
Exporting DHCP Scopes ....................................................................................... 382
Deleting a DHCP Scope ........................................................................................ 382
Defining a DHCP Scope as a Group Resource ........................................................ 382
27. Managing Fixed Reservations ................................................................................... 383
Managing DHCP Statics ........................................................................................ 383
Managing DHCP Groups ....................................................................................... 392
28. Managing Dynamic Addressing ................................................................................ 396
Managing DHCP Ranges ....................................................................................... 396
317
DHCP
318
Chapter 22. Deploying DHCP Smart
Architectures
The DHCP can quickly become an essential piece of any network data organization. Once
properly set up, it is usually hardly noticed, silently and faithfully performing its duties, day in and
day out.
The DHCP clients' needs must be considered, including which DHCP options are supported by
the client's operating system and which options and values need to be assigned. In large-scale
DHCP implementations, the topology of the network becomes a very important factor.The network
topology dictates where DHCP servers and/or relay agents must be placed. A final consideration
is planning for fault tolerance.
To ensure that the DHCP service is available at all times and that you do not lose specific config-
urations if a DHCP server crashes, we strongly recommend that you manage physical servers
through smart architectures. To understand the possible configurations of your service availability,
refer to the section Building a Highly Available Service With Smart Architectures.
Smart architecture pre-built DHCP configurations including backup and failover features with
IPv4 addressing. Their deployment reduces the risk of misconfiguration.
There are several architectures and possible configurations to choose from both for DHCPv4
and DHCPv6. In DHCPv6, smart architectures simply provide a configuration backup.
SOLIDserver supports a set of vendors detailed in the section DHCP Vendors Compatible with
Smart Architectures.
319
Deploying DHCP Smart
Architectures
DHCPv6 architectures have some particularities that differentiate them from the DHCPv4 archi-
tectures:
• The failover protocol is not available in IPV6. Thus, the page All failover channels in v6 is
merely a list linking servers through the defined ports. For more details, refer to the chapter
Managing Failover Channels.
• IPv6 addressing is only possible from the EfficientIP servers.
• DHCPv6 servers operate on an appliance running in IPv4.
• In IPv6 there is no compatibility with the numerous vendors providing IP addressing
DHCP DHCP
Master Backup
The One-to-One smart architecture allows two DHCP servers to share a range of common ad-
dresses. Should a server stop working, the second server would take over, depending on your
failover configuration. For more details regarding failover, refer to the section DHCP Failover
Principles and Operational States of the chapter Managing Failover Channels.
320
Deploying DHCP Smart
Architectures
DHCP
Master
DHCP DHCP
Backup Backup
This architecture is particularly relevant for organizations that have many sites and need to have
a dedicated DHCP service per site. It looks like a star configuration, where N DHCP servers, no
matter their location, share a failover channel with the central DHCP server of the smart architec-
ture: it is a N+1 servers configuration.
Split-Scope Split-Scope
80% 20%
There is no failover protocol between the two servers but being a smart architecture, the Split-
Scope provides a backup of the configuration: if anything were to happen to any of the managed
servers, installing them back to SOLIDserver would apply the smart architecture on both servers
again.
321
Deploying DHCP Smart
Architectures
Single
DNS
Single
DHCP
DHCPv6
Split-Scope Split-Scope
80% 20%
DHCPv6
322
Deploying DHCP Smart
Architectures
There is no failover protocol between the two servers but being a smart architecture, the Split-
Scope provides a backup of the configuration: if anything were to happen to any of the managed
servers, installing them back to SOLIDserver would apply the smart architecture on both servers
again.
There is no master or backup servers per se in this configuration. By default, they all are inde-
pendent master servers sharing the same options configuration.
Stateless
DHCPv6
Keep in mind that the Stateless smart architecture only has an impact on the options available
to the DHCPv6 clients, therefore it is impossible to add ranges and static through this configuration.
In the same way, no leases are provided or managed.
323
Deploying DHCP Smart
Architectures
SOLIDserver supports almost all features delivered by each vendor but does not add additional
features at service level.Thus, limitations depend on each vendor. For instance, Microsoft Windows
DHCP services do not provide failover, so you cannot configure it from the appliance.
You can manage any supported vendor on one page from the GUI. SOLIDserver is an abstraction
layer that masks the specific processes of each DHCP vendor to network administrators. DHCP
services are not managed one server at a time but as a global service. It is possible to simultan-
eously configure Microsoft Windows running DHCP servers and Linux running ISC DHCP servers,
modify VoIP options on all DHCP servers or create transversal reports to get an immediate
comprehensive understanding of network services configurations.
Each and every one of these servers can be managed by SOLIDserver smart architecture to
ease the management configuration and provide a backup of the chosen configuration. For more
details, refer to the chapter Managing DHCP Smart Architectures.
For more details, refer to the chapter Adding a DHCPv6 Smart Architecture.
Two active DHCP servers cannot share an IP address pool since they have no way of knowing
with certainty which IP addresses are being distributed. Therefore, two active DHCP servers
cannot perform dynamic DHCP which is why scope splitting is necessary to separate IP address
ranges per server. This configuration, the Split-Scope, is available for both DHCPv4 and DHCPv6.
With a traditional active/passive pair of DHCP servers, if the active server fails, the network ad-
ministrator is required to manually turn on the passive DHCP server so that it can take over until
the initial active server is restored. DHCP High Availability with IP address scope splitting provides
failover but with the risk of meeting downtime as addresses are leased to more than one client
and have potential manual intervention to clean up the lease database. In order for two DHCP
servers to provide DHCP services for the same network segments, the servers must coordinate
their behavior. Each server must either know what the other is doing or be configured so that it
can operate without knowing what the other is doing. In order for each server to know what the
other is doing, the DHCP safe failover protocol can be implemented.
As the failover protocol is not available in DHCPv6, the DHCP Safe failover protocol is only
available for DHCPv4 servers.
324
Chapter 23. Managing DHCP Smart
Architectures
Once you chose the smart architecture(s) that suit your needs in the chapter Deploying DHCP
Smart Architectures, you can manage them following the sections below.
In the column Name, all the smart architectures are preceded by the icon . They are listed with
the physical servers.
Invalid settings The smart architecture does not contain any physical server, is missing one or sev-
eral physical servers or is not configured properly (not enough failover channels
configured, etc).
Locked synchronization The server configuration is not viable. For more details, refer to the section Handling
the Status Locked Synchronization.
Moreover, the column Sync (i.e. synchronization) provides additional information regarding the
exchanges between the smart architecture and the physical server(s).
325
Managing DHCP Smart
Architectures
Column Description
Locked synchronization The synchronizing failed as the server configuration is not viable: the smart architec-
ture cannot send the configuration file to the physical server(s). For more details,
refer to the section Handling the Status Locked Synchronization.
With DHCPv4, there are four different kinds of smart architectures: One-to-One, One-to-Many,
Split-Scope and Single-Server. As for DHCPv6 smart architectures, SOLIDserver proposes the
Single-Server, Split-Scope and Stateless architectures. In the procedures below, we are going
to describe the configuration of the DHCP smart architectures with the DHCP servers they
manage, but you can go through the configuration without adding any server and do it later. For
more details, refer to the part Adding a DHCP Server into a Smart Architecture.
Once the configuration is completed, the DHCP smart architecture appears on the page All
servers as a real server.
As you can see, the column Type mentions the kind of smart architecture applied, the DHCP
smart members column is marked N/A and for that reason, the server status is Invalid settings.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
326
Managing DHCP Smart
Architectures
Parameter Description
Isolated Tick this box to isolate the server within SOLIDserver. This prevents the server,
and its content, from executing any configured replication rule or advanced
property; the server still receives data if your network configuration allows it. This
option is mainly useful during migrations. When the server configuration is ready
and you untick the box, you must manually execute the rules and/or advanced
properties, at all relevant levels of the module hierarchy, via the menu Tools >
Initialize rules.
Description Type in a description if you want, it appears in the column Description of the
page All servers.
Advanced properties Select Default or All. If Default is selected, only the fields/options that your ad-
ministrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
DHCP DHCP
Master Backup
327
Managing DHCP Smart
Architectures
Parameter Description
Automatic switch to part- Type in this field the amount of time (in hours) after which a failover channel in
ner-down delay (in hours) Communications-interrupted state should automatically switch to Partner-down.
The accepted values are between 4 and 65535. By default, the option is disabled
and the field is set to 0.
Peer DHCP server The DHCP backup server is automatically entered in this field.
Split leases In this drop-down list, you can choose how to split the leases between the two
servers: Balanced, Prefer backup or Prefer master. By default, Balanced is se-
lected.
Balanced If you select this option, the leases are delivered to the clients by both servers
equally.
Prefer backup If you select this option, the leases are delivered to the clients by the backup
server only.
Prefer master If you select this option, the leases are delivered to the clients by the master
server only.
14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (one-to-one) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
328
Managing DHCP Smart
Architectures
Parameter Description
properties, at all relevant levels of the module hierarchy, via the menu Tools >
Initialize rules.
Description Type in a description if you want, it appears in the column Description of the
page All servers.
Advanced properties Select Default or All. If Default is selected, only the fields/options that your ad-
ministrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
DHCP
Master
DHCP DHCP
Backup Backup
329
Managing DHCP Smart
Architectures
Field Description
The accepted values are between 4 and 65535. By default, the option is disabled
and the field is set to 0.
Peer DHCP server Choose the DHCP backup server with which you want to configure the failover.
By default, None is selected.
Split leases In this drop-down list, you can choose how to split the leases between the two
chosen servers: Balanced, Prefer backup or Prefer master. By default, Balanced
is selected.
Balanced If you select this option, the leases are delivered to the clients by both servers
equally.
Prefer backup If you select this option, the leases are delivered to the clients by the backup
server only.
Prefer master If you select this option, the leases are delivered to the clients by the master
server only.
14. Configure a failover channel between the master and each backup server, following the table
in the previous step and click on ADD . The failover details are moved to the list DHCP peering
assignment.
Repeat these actions for as many failover channels as needed. There should be a failover
channel between each backup server and the master.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
15. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (one-to-many) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
330
Managing DHCP Smart
Architectures
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
Split-Scope Split-Scope
80% 20%
Note that a virtual failover channel is automatically created with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.
331
Managing DHCP Smart
Architectures
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
332
Managing DHCP Smart
Architectures
Single
DNS
Note that a virtual failover channel is automatically created with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.
With DHCPv6, there are three different kinds of smart architectures: Single-Server, Split-Scope
and Stateless. In the procedures below, we are going to describe the configuration of DHCPv6
smart architectures with DHCP servers but you can go through the configuration without adding
any server and do it later. For more details, refer to the part Adding a DHCP Server into a Smart
Architecture.
333
Managing DHCP Smart
Architectures
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
Single
DHCP
DHCPv6
Note that a virtual failover channel is automatically created with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.
334
Managing DHCP Smart
Architectures
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
335
Managing DHCP Smart
Architectures
Split-Scope Split-Scope
80% 20%
DHCPv6
Note that a virtual failover channel is automatically created with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
336
Managing DHCP Smart
Architectures
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
Stateless
DHCPv6
Note that a virtual failover channel is automatically created with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.
337
Managing DHCP Smart
Architectures
When you add one or more DHCP servers into a smart architecture, the smart data is
automatically replicated from the architecture to the DHCP servers it manages. So if the
smart architecture is empty (first use), the DHCP server added is totally overwritten.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the list DHCP server type, make sure DHCP smart architecture is selected. Click on NEXT .
The Manage a DHCP server page opens.
6. If need be, modify the smart architecture basic parameters according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
338
Managing DHCP Smart
Architectures
9. In the list Available DHCP servers, select a server to add in the smart architecture and click
on . The server has been moved to the list Selected DHCP servers. Repeat this action for
as many servers as needed. You can remove any of them from the selected servers list by
clicking on .
10. For a Single-Server smart architecture, go to the last step of this procedure. Otherwise, click
on NEXT . The next page opens.
11. In the drop-down list Master DHCP server, edit the master server if need be.
12. For a Split-Scope architecture, in the field Distribution ratio (in percent), type in the ratio of
IP ranges to be managed by the selected Master DHCP server, the rate is managed by the
backup server.
13. If need be, edit the existing failover ports and split leases parameters between the master
and backup servers.
14. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu. The DHCP Smart members column of the smart architecture displays the name
of the new master server between brackets next to the name of the other backup servers.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Click on NEXT . The page Manage a DHCP server opens.
6. Click on NEXT . The next page opens.
7. Click on NEXT . The next page opens.
8. The servers managed by the smart architecture are listed in the list Selected DHCP servers.
You can remove any of them by clicking on . The server(s) is moved to the list Available
DHCP servers.
9. For a Single-Server smart architecture, go to the last step of this procedure. Otherwise, click
on NEXT . The next page opens.
10. If the smart architecture is still managing servers: in the list Master DHCP server, change
the master server if need be. Click on NEXT . The next page opens.
11. If the smart architecture is still managing servers: modify the failover ports on each server
and/or the split leases parameters if need be.
339
Managing DHCP Smart
Architectures
12. Click on OK to complete the operation. The report opens and closes. The servers that have
been removed are listed as DHCP servers of whatever kind in the list Type. If your smart
architecture is still managing physical servers, you can display or hide them using the button
on the right-end side of the menu.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Click on NEXT . The page Manage a DHCP server opens.
6. Click on NEXT . The next page opens.
7. Click on NEXT . The next page opens.
8. The servers managed by the smart architecture are listed in the list Selected DHCP servers.
You can remove any of them and add a new one by clicking on or . The server(s) is
moved accordingly between the lists Selected DHCP servers and Available DHCP servers.
9. For a Single-Server smart architecture, go to the last step of this procedure. Otherwise, click
on NEXT . The next page opens.
10. In the drop-down list Master DHCP server, select the master server.
11. For a Split-Scope architecture, in the field Distribution ratio (in percent), type in the ratio of
IP ranges to be managed by the selected Master DHCP server, the rate is managed by the
backup server.
12. If need be, edit the existing failover ports and split leases parameters between the master
and backup servers.
13. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu. The column DHCP Smart members of the smart architecture displays the name
of the new master server between brackets next to the name of the other backup servers.
340
Managing DHCP Smart
Architectures
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the list DHCP server type, make sure DHCP smart architecture is selected. Click on NEXT .
The Manage a DHCP server page opens.
6. If need be, modify the smart architecture basic parameters according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
341
Managing DHCP Smart
Architectures
c. If need be, edit the existing failover ports and split leases parameters between the
master and backup servers. For more details, refer to the relevant procedure of the
section Adding a DHCPv4 Smart Architecture or Adding a DHCPv6 Smart Architecture.
13. Click on OK to complete the operation. The report opens and closes. The page All servers
is visible again. The column Type displays the modification you performed on the smart ar-
chitecture.
Keep in mind that once you converted a DHCP server into a smart, it is no longer listed on the
page All servers. You have to add it again to be able to manage it, on its own or from a smart
architecture.
During the conversion, you can add DHCP servers into the smart architecture. Considering that
you might want to manage the server you converted from the smart architecture, we recommend
converting the server and then editing the smart to add the servers as detailed in the section
Adding a DHCP Server into a Smart Architecture.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the list DHCP server type, select DHCP smart architecture.
6. Click on NEXT . The next page opens. it displays the server details.
7. Click on NEXT . The next page opens.
8. In the field DHCP smart architecture, select the DHCP or DHCPv6 smart architecture of
your choice.
For a conversion to Single-Server smart architecture, go to the last step of this procedure.
9. Click on NEXT until The last page opens.
a. For a conversion to One-to-One smart architecture, you can configure the failover
channel with a specific Failover port, Failover peer port, Automatic switch to partner-
down delay and Split lease distribution.
b. For a conversion to One-to-Many smart architecture, you can configure the failover
channels listed in the field DHCP peering assignments. Select them one by one to load
their details in the fields and click on UPDATE to save your changes.
If you converted a Microsoft server, you cannot have more than 31 failover channels
listed. Any extra channel is ignored.
342
Managing DHCP Smart
Architectures
c. For a conversion to Split-Scope smart architecture, you can select a Master DHCP
server and set the Distribution ratio (in percent) of the Master.
For more details regarding the smart architecture configuration, refer to the section Adding
a DHCPv4 Smart Architecture.
10. Click on OK to complete the operation. The report opens and closes. In the column Type,
the server is now listed as a smart architecture.
Once the server is in Locked synchronization, the corrupted configuration file is automatically
stored locally on the appliance and available for download in the Local files listing. It is named
<server_name>-dhcpd.conf. We advice that you take a look at this file because after the first
found error, the check stops and returns the Locked synchronization status. So if there are sev-
eral errors, the status is returned over and over again until the file is conclusive and can be sent
to the physical server.
The check for failure in the configuration file can be done though CLI (we recommend it) or from
the GUI.
3. Use the following command to get a precise list of all the errors:
# /usr/local/nessy2/bin/dhcpd –t –4 -cf /data1/exports/<server_name>-dhcpd.conf
4. Adjust identified statements, once the check runs again, the Locked Synchronization status
disappears if you now have a valid configuration.
3. Use the following command to get a precise list of all the errors:
# /usr/local/nessy2/bin/dhcpd -t -6 -q -cf /data1/exports/<server_name>-dhcpd6.conf
343
Managing DHCP Smart
Architectures
4. Adjust identified statements, once the check runs again, the Locked Synchronization status
disappears if you now have a valid configuration.
To look for DHCP errors on the page Syslog of the local appliance
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the SOLIDserver drop-down list, verify that the local appliance is selected. Only the host-
name appears with no IP address.
4. In the Services filed, select dhcpd. The logs appear.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
344
Managing DHCP Smart
Architectures
Granting access to a smart architecture as a resource also grants access to every physical
server it contains. For more details, refer to the section Assigning Resources to a Group in the
chapter Managing Groups.
345
Chapter 24. Managing DHCP Servers
Within the DHCP module, the server is the highest level of the hierarchy where you set the basis
of any DHCP configuration. You can either manage servers independently or a within a smart
architecture that provides a backup of your configuration and a dedicated failover between a
master server and its backup(s) servers. For more details regarding the available smart architec-
tures for DHCPv4 or DHCPv6, refer to the chapters Deploying DHCP Smart Architectures and
Managing DHCP Smart Architectures.
In IPv4, you can create EfficientIP DHCP, EfficientIP DHCP Package, Microsoft DHCP and
Nominum DCS DHCP servers on the page All servers. In IPv6, you can only create EfficientIP
DHCP servers.
Whether you manage IPv4 or IPv6 addressing, the IP address of the DHCP servers you manage
must be in IPv4 and belong to one of the networks that your configured part of the networks you
configured, to make sure it can provide clients with IP addresses. If you manage large networks,
DHCP servers can rely on DHCP relays (also called helpers), for more details refer to the section
DHCP Relay Agents.
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
So, in short, the very first step of the DHCP implementation is the creation of a server with a
unique IP address within which you must create at least one scope that listens on a particular
part of the network and discover clients' request and answer them at the best of its capacity. Af-
terward, you decide to set up dynamic and/or fixed addressing for the DHCP clients.
346
Managing DHCP Servers
Unknown The server does not have a status as it has not synchronized yet.
Timeout The server does not answer anymore due to a scheduled configuration of the server.
Invalid credentials The SSL credentials are invalid or the server is already managed by another appliance
and you need to specify your credentials again. For more details, refer to the section
Editing a DHCP Server.
If the appliance database is encrypted, it may be that the Active key is missing. For
more details, refer to the section Troubleshooting the Database Encryption of the
chapter Securing.
Syntax error The server configuration could not be parsed properly.
License The license used in SOLIDserver is not compliant with the added server: the license
is invalid.
Invalid settings There was a setting error during the server declaration. For instance, some settings
were added to a server that does not support them or a smart architecture is not
managing any physical server.
Insufficient privileges The account used to add the Agentless DHCP server does not have sufficient priv-
ileges to manage it.
Locked synchronization The server configuration is not viable. For more details, refer to the section Handling
the Status Locked Synchronization.
347
Managing DHCP Servers
Note that the column Sync column changes in accordance with the column Status. While the
server synchronization is not OK yet, the column Sync might be Busy; it can also be in
Locked synchronization.
The column Multi-status provides you with emergency, warning, critical, error or informational
messages regarding the server compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.
For instance, your DHCP server has 2 network interfaces configured: 192.168.10.3 and
192.168.10.5.To listen to both interfaces, you have to configure a scope with the network address
192.168.10.0 and the netmask 255.255.255.0. For more details regarding scope management,
refer to the chapter Managing DHCP Scopes.
EfficientIP DHCP server implements the safe DHCP failover protocol. For more details, refer to
the chapter Managing Failover Channels.
1
If you do not set a listening scope, you must configure a relay to communicate with DHCP clients.
348
Managing DHCP Servers
• You should not set a VIP as management address of your DHCP server.
• When you add a server, a random password is generated to secure the communication between
the appliance and the server. The default SSH credentials of the account admin are no longer
used to manage the server but to generate this random password.
For servers added before the upgrade to version 7.0, switching to this new management system
is not automatic. You need to edit the servers. For more details, refer to the section Editing a
DHCP Server.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the following fields to set up the basic server configuration:
5. If you have changed the default SSH password of the appliance embedding the DHCP
server, tick the box Configure enrollment parameters. The field "Admin" account password
appears, it contains the default admin account password.
2
The SNMP protocol parameters are used to monitor and retrieve the server statistics.
349
Managing DHCP Servers
8. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
9. Click on OK to complete the operation. The report opens and closes. The server is listed.
To edit the SNMP monitoring parameters on an existing server, refer to the section Editing the
SNMP Monitoring Parameters of an EfficientIP DHCP Server.
350
Managing DHCP Servers
Field Description
Use bulk If you use SNMP version 2 or 3, you can choose to use a bulk transfer of data.
This compact SNMP request method accelerates transfers by sending several
requests at once. By default, it is set to Yes.
Use TCP Choose to use the TCP protocol instead of the UDP when the network link is not
reliable. By default UDP is used, the drop-down list is set to No.
SNMP transfer timeout Set the number of minutes above which the SNMP transfer is aborted when you
(minutes) add or refresh a device. You can set it between 0 and 999. By default, it is set
to 0.
If you created SNMP profiles, you can choose one of your profiles. They are listed only if
they use the same version of the SNMP protocol as the one you selected on the previous
page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with. For more details, refer to the section Managing SNMP Profiles.
7. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
Once you manage a Microsoft server, you can also manage its scopes, ranges, statics, leases.
Depending on the version of Windows and if you add it to a smart architecture, you can manage
its failover relationships.
The management of Microsoft DHCP servers is based on Microsoft Remote Procedure Calls
(MS RPC) and allows to retrieve and display data is real-time and avoid installing any WinDHCP
agent. Microsoft DHCP servers with agent are not supported.
Prerequisites
• A Microsoft Windows Server 2008, 2008 R2, 2012 R2, 2016 or 2019. The server must:
• Have the TCP ports 135 and 445 open. They are used by the port mapper interface, the
service that indicates to the clients which port provides access to each service.
• Have Firewall policies that allow traffic between SOLIDserver and the Microsoft servers it
manages. For more details, refer to the section Microsoft Windows Agentless DHCP Servers
in the appendix Matrices of Network Flows.
351
Managing DHCP Servers
• In Windows Server, RPC uses by default the dynamic port range 49152-65535. Note that
you can reduce the number of available ports, using netsh, as long as the range of ports
3
contains at least 255 ports .
• The credentials of a member of the group DHCP Administrators. Users with insufficient privileges
cannot manage the server.
• The service DHCP must be properly started. For more details, refer to the chapter Configuring
the Services.
Limitations
The management of Microsoft DHCP servers within SOLIDserver has some limitations. For more
details regarding the Microsoft limitations, refer to their documentation.
Server Limitations
• To add or manage Microsoft servers from SOLIDserver, a user must have administrator
rights over the Microsoft server in your Windows environment.
• To display Microsoft servers in SOLIDserver, a user must have reading rights over the
Microsoft server in your Windows environment.
• You cannot manage Microsoft servers that are Master in one configuration and backup in
another in your Windows environment. Once added to the GUI, they take on one role or
the other.
• Changes performed directly on the Microsoft server are not automatically transferred to
SOLIDserver. You must select the server on the page All servers and synchronize it via
the menu Edit.
• The synchronization of a Microsoft server within SOLIDserver is impossible if the server
is managed via a smart architecture, the smart configuration overwrites the new data.
• Microsoft policies are not supported, any policy configured on a Microsoft server is ignored.
• The statistics of Microsoft servers are not retrieved, the page Analytics does not include
them.
DHCP Options Limitations
• Encapsulated DHCP options are not supported by Microsoft DHCP servers.
Lease Limitations
• The start date of a lease is unknown. SOLIDserver displays an arbitrary start date that
corresponds to the moment when the lease is detected.
• DHCP configurations involving a very large number of leases trigger refresh problems. By
default, the registry database entry module.dhcp.refresh_server_time refreshes leases
every 10 seconds, when there are a lot of leases it can overload the service and create a
loop. To avoid this problem, you need to increase the value of the registry entry.
ACL Limitations
• You cannot configure ACLs on Microsoft servers.
SOLIDserver offers the same services as Microsoft but displays them differently than the Windows
Administrative Tools of your Microsoft DHCP server. You can create as many ranges as you
need from SOLIDserver GUI but only one in actually created on the Microsoft server.
3
For information, refer to http://support.microsoft.com/kb/929851 .
352
Managing DHCP Servers
Therefore, when SOLIDserver overwrites the configuration of the Microsoft DHCP server you
manage:
• The unique Microsoft range start and end addresses match the assignable start and end ad-
dresses of the scope it belongs to.
• A number of exclusion ranges are created on the Microsoft server to match the ranges you
created from SOLIDserver.
Configuration pushed
SCOPE 192.168.10.0/24
RANGE
192.168.10.25 - 192.168.10.100
RANGE
192.168.10.5 - 192.168.10.10
SCOPE 192.168.10.0/24
EXCLUSION RANGE
192.168.10.11 - 192.168.10.24
EXCLUSION RANGE
192.168.10.1 - 192.168.10.4
As illustrated above, the scope management is exactly the same on SOLIDserver and Microsoft,
on both sides you have a 192.168.10.0/24 scope. However, the range management differs:
• Within SOLIDserver, if you create the two following ranges:
• First range: 192.168.10.5 - 192.168.10.10
• Second range: 192.168.10.25 - 192.168.10.100
• The configuration pushed on the Microsoft DHCP configuration looks as follows:
• One unique range: 192.168.10.1 - 192.168.10.254. A range managing all the assignable
addresses of the scope.
• Three exclusion ranges: 192.168.10.1 - 192.168.10.4, 192.168.10.11 - 192.168.10.24 and
192.168.10.101 - 192.168.10.254.
If your Microsoft DHCP server is integrated to an AD with several forests, you can use the Expert
mode during the server addition to specify the AD domain you want to authenticate.
If you manage an Agentless Microsoft DHCP server 2012 R2 or higher from a smart architecture,
you can manage its failover relationships. For more details, refer in the section Managing the
Failover Channels of an Agentless Microsoft DHCP Server.
353
Managing DHCP Servers
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the following fields to set up the basic server configuration:
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
10. Click on OK to complete the operation. The report opens and closes. The server is listed,
the column Version indicates the Microsoft server version.
354
Managing DHCP Servers
To manage Microsoft failover channels, you must manage Microsoft servers from a smart
architecture. As managing servers from a smart erases their content, you must either prepare
the smart architecture before managing server with it or convert the server into a smart architecture
to keep its configuration.
Once you manage a Microsoft server with a smart architecture, you can even associate its scopes
with a specific failover. For more details, refer to the section Defining a Specific Failover Channel
for a Scope.
Prerequisites
• Meeting Microsoft prerequisites.
• Microsoft DHCP servers 2012 R2 or higher.
• All the Microsoft servers you manage in a smart architecture must use the same NTP pool.
Limitations
• Taking into account Microsoft limitations.
• Within SOLIDserver a failover is between two servers.
• SOLIDserver cannot create failover channels for Microsoft servers if they do not manage
valid ranges. Without a valid range, no failover can be created from SOLIDserver and
pushed to the server.
• Only the failover mode Load balance is supported:
• Three ratios are supported 100-0 (Prefer Master), 0-100 (Prefer Backup) and 50-50
(Balanced). Any other ratio is overwritten by the closest ratio we support.
• If you manage failovers in mode Hot standby, their mode is switched to Load balance.
• If you manage Microsoft servers from a smart architecture:
• It must only manage Microsoft servers.
• It must be One-to-One or One-to-Many smart architecture.You cannot manage Microsoft
failovers from a Single-Server smart architecture.
• In One-to-Many smart architectures, you can only have one Master server in the smart
architecture. It takes on the role of primary server.
• In One-to-Many smart architectures, you cannot manage more than 31 failover channels,
i.e. 32 Microsoft servers.
• The unique port numbers that you must specify in the GUI are actually ignored. Microsoft
automatically sets the proper port for the communication.
• If you manage Microsoft servers outside a smart architecture:
• You can manage their content but not their failover channels. You can only display them
on the page All failover channels.
• You cannot configure advanced properties between the IPAM and the DHCP as they
rely on failover channels. For more details, refer to the chapter Managing Advanced
Properties.
To manage your Microsoft failover channels from a smart architecture we recommend to:
1. Add all the Microsoft DHCP servers that you want to manage from SOLIDserver.
For more details, refer to the section Adding an Agentless Microsoft DHCP Server.
2. Convert one Microsoft server into a One-to-One or One-to-Many smart architecture. We
recommend converting the Master server as it contains all the configuration data. During the
conversion, you can configure the failover channels:
• On One-to-One smart architectures, you cannot have more than one failover channel.
• On One-to-Many smart architectures, you cannot have more than 31 failover channels.
355
Managing DHCP Servers
For more details, refer to the section Converting a DHCP Server into a Smart Architecture.
3. Add again the server you converted into a smart, if you want to manage it and not only
use its configuration.
For more details, refer to the section Adding an Agentless Microsoft DHCP Server.
4. Edit the smart architecture to make it manage all the Microsoft servers and specify the
Master.
For more details, refer to the section Adding a DHCP Server into a Smart Architecture.
The addition of Linux Packages v4 that respected the SNMP protocol and worked with
SSL is not supported. If you migrated your database with such servers, refer to the guide
4
SOLIDserver-Administrator-Guide-5.0.4.pdf available on our website .
To successfully install the DNS packages on Linux, formerly known as EfficientIP BIND Linux
Packages v5, you must follow the prerequisites and procedures in the section that matches your
environment:
• Installing an EfficientIP DHCP Package on Debian 8 or Higher.
• Installing an EfficientIP DHCP package on RedHat 6 and Higher.
Once your package is installed you can add an EfficientIP DNS Package in the GUI as detailed
in the section Adding an ISC DHCP Server.
If at any point you need to upgrade your package, refer to the section Upgrading EfficientIP DHCP
Packages.
Prerequisites
• The DHCP package file, ipmdhcpxx-y.y.y-debianxx-amd64.deb, whose name provides you
with a number of information separated by hyphens: the type of package (ipmdhcpxx: a DHCP
package with a DHCP in version xx where xx is x dot x), the version of SOLIDserver (y.y.y);
the version of Debian (debianxx where xx is x dot x) and finally the Debian architecture (amd64).
4
At http://www.efficientip.com/services/support/, in the section Products & Documentation and in the folder /docs/5.0.4. Log in using
your credentials. If you do not have credentials yet, request them at www.efficientip.com/support-access.
5
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.
356
Managing DHCP Servers
• You must make sure that SOLIDserver and Debian are set to the same time and date.
• You must make sure that Apache server is up-to-date.
• You must make sure that the service dbus is installed.
• You must make sure that HTTPS (port 443), the DHCP service (port 67) and the failover ports
(647-667 and 847-867) are not blocked by a network filtering process (firewall).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.
Once you have taken into account the prerequisites, you can install an EfficientIP DHCP Package
on Debian.
If you have not installed the DNS packages yet, you need to:
1. Follow the procedure To install the EfficientIP DHCP Package on Debian.
2. Follow the procedure To complete the DHCP package installation on Debian if the DNS
package is not installed.
If you already installed the DNS packages, you only need to follow the procedure To install
the EfficientIP DHCP Package on Debian below.
The installation procedure below includes the commands that make the web services configurable.
3. Install the dependency packages, ONLY if you have not installed the EfficientIP DNS package,
using the following commands:
a. For Debian 8:
# apt-get install php5
# apt-get install sudo
# apt-get install snmpd
# apt-get install sqlite
# apt-get install php5-sqlite
5. Make the web services configurable: in the directory /etc/sudoers.d , create the file ipmdhcp
containing the line below.
www-data ALL = NOPASSWD: /usr/local/nessy2/script/install_dhcpd_conf.sh, \
/usr/local/nessy2/script/install_dhcpd6_conf.sh
357
Managing DHCP Servers
Note that you can change the password admin of the web service using the command below:
# htpasswd /usr/local/nessy2/www/php/cmd/dhcp/.htpasswd admin
If you have not installed the DNS package or are not planning on installing it, you must
now follow the procedure below.
To complete the DHCP package installation on Debian if the DNS package is not
installed
1. If relevant, open an SSH session.
2. Allow SNMP access to the DNS statistics: append the file /etc/snmp/snmpd.conf with the
following line.
view systemview included .1.3.6.1.4.1.2440
6. Make sure that a symbolic link to the default VirtualHost SSL configuration file is located in
the folder sites-enabled/ . If not, use the following command:
# a2ensite default-ssl
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
358
Managing DHCP Servers
SSLCertificateKeyFile /etc/apache2/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
8. Disable the default site in Debian Apache configuration using the following command:
# a2dissite 000-default
10. Make sure that the ipmdhcp package is running using the following command:
# service ipmdhcp status
Once the configuration is complete, you can add an EfficientIP Package DHCP server to manage
your ISC server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding an ISC DHCP Server.
Prerequisites
• The DHCP package file, ipmdhcpxx-y.y.y-redhatx.x86_64.rpm, whose name provides you with
a number of information separated by hyphens or a point: the type of package (ipmdhcpxx: a
DHCP package with a DHCP in version xx where xx is x dot x), the version of SOLIDserver
(y.y.y); the version of RedHat (redhatx) and finally the RedHat architecture (x86_64).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.
6
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.
359
Managing DHCP Servers
Once you have taken into account the prerequisites, you can install the EfficientIP DHCP Package
on RedHat or CentOS.
If you have not installed the DNS packages yet, you need to:
1. Follow the procedure To install the EfficientIP DHCP Package on RedHat.
2. Follow the procedure To complete the DHCP package installation on RedHat if the DNS
package is not installed.
If you already installed the DNS packages, you only need to follow the procedure To install
the EfficientIP DHCP Package on RedHat below.
The installation procedure below includes the commands that make the web services configurable.
• On CentOS:
# service dhcpd stop
# chkconfig dhcpd off
3. Install the dependency packages, ONLY if you have not installed the EfficientIP DNS package,
using the following commands:
# yum install mod_ssl php php-pdo sudo net-snmp sqlite
5. Make the web services configurable: in the directory /etc/sudoers.d , create the file ipmdhcp
containing the line below.
apache ALL = NOPASSWD: /usr/local/nessy2/script/install_dhcpd_conf.sh, \
/usr/local/nessy2/script/install_dhcpd6_conf.sh
Note that you can change the password admin of the web service using the command below:
# htpasswd -c /usr/local/nessy2/www/php/cmd/dhcp/.htpasswd admin
If you have not installed the DNS package or are not planning on installing it, you must
now follow the procedure below.
To complete the DHCP package installation on RedHat if the DNS package is not
installed
1. If relevant, open an SSH session.
2. Disable the firewall using the following commands.
360
Managing DHCP Servers
a. For RedHat 6:
# service iptables stop
# chkconfig iptables off
4. Reboot the system to take into account the selinux policy changes :
# reboot
6. Allow SNMP access to the DHCP statistics. In the file /etc/snmp/snmpd.conf, in the section
entitled Access Control, enter the lines:
master agentx
view systemview included .1.3.6.1.4.1.2440
#You may need to specify another view, AllView or a custom one,
#if you edited the default SNMP configuration.
9. Configure the web services. In the file /etc/httpd/conf.d/ssl.conf, replace the FULL section
<VirtualHost *:443> with the configuration below.
a. For RedHat 6:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
AllowOverride All
</Directory>
SSLEngine on
361
Managing DHCP Servers
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>
b. For RedHat 7:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>
c. For RedHat 8:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>
362
Managing DHCP Servers
11. Make sure that the ipmdhcp package is running using the following command line:
# service ipmdhcp status
Once the configuration is complete, you can add an EfficientIP Package DHCP server to manage
your ISC server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding an ISC DHCP Server.
The EfficientIP DHCP package is only available for DHCPv4 servers managed with SSL.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the following fields to set up the basic server configuration:
5. If you changed the SSH login and password, tick the box Configure management parameters.
If not, go to step 6.
363
Managing DHCP Servers
Once you ticked the box, the fields Login and Password appear. By default they both contain
admin, edit them to make sure that the SSL credentials match your SSH credentials.
7
6. If you want to edit the server SNMP parameters , tick the box Configure SNMP monitoring
parameters. If not, go to step 7.
7. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
8. Click on OK to complete the operation. The report opens and closes. The server is listed.
Once the EfficientIP Package server is added, you can manage your ISC server in Linux from
the GUI.
7
The SNMP protocol parameters are used to monitor and retrieve the server statistics.
364
Managing DHCP Servers
• For servers managed via a smart architecture, some parameters can only be edited when you
edit the smart. For instance, on EfficientIP servers managed via a smart, the box Isolated and
the advanced properties parameters are only available when you edit the smart.
• The SNMP protocol is no longer supported as managing protocol for a server, so editing it
automatically changes the management protocol to use SSL instead of SNMP. This op-
eration is non-reversible.
• DHCP servers in version 7.0 are managed through a dedicated service account using a randomly
generated password. Note that:
• A server can be managed by only one appliance. To switch the appliance managing the
server, you need to edit your server and type in your credentials again.
• For servers added in previous versions, after an upgrade to version 7.0, to switch to this new
management system, you need to edit the servers.
If you want to add, edit or delete DHCP options, refer to the next section Configuring DHCP Options
at Server Level.
Repairing Leases
An option allows to check for lease inconsistencies between physical servers managed by a
common DHCP smart architecture.
The option Repair leases generates a file to compare the leases of the selected server. If any
error or inconsistency is found, it generates a file leasedb-patch-<smart-name>.tar.gz that you
must concatenate to the lease file of the relevant server.
365
Managing DHCP Servers
• For a One-to-Many architecture, you must select the master server and at least one backup
server.
• For a Split-Scope architecture, you must select both physical servers.
• You cannot repair the leases of a physical server managed from a Single-Server smart archi-
tecture or managed outside a smart architecture.
If inconsistencies are returned, you can DOWNLOAD and save the file directly from the wizard.
The file leasedb-patch-<smart-name>.tar.gz is available in the module Administration, on
the page Local files listing. You must concatenate this file to the lease file of the servers.
For more details regarding the DHCP options configuration, refer to the chapter Configuring
DHCP Options and/or to the appendix DHCP Options.
366
Managing DHCP Servers
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Keep in mind that you cannot delete a physical server if it is managed by a smart architecture.
367
Managing DHCP Servers
Granting access to a server as a resource also grants access to every item it contains. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
368
Chapter 25. Managing DHCP Shared
Networks
Shared networks allow to make several scopes serve an entire IPv4ACL
or IPv6 network segment
as a single entity.
SCOPE RANGE
From the page All shared networks, you can add, edit or delete them.
LEASE
original (s
SERVER OPTION OPTION OPTION
STATIC OPTION
The shared networks are an optional level of a DHCP dynamic addressing organization. They
can contain scopes and, only in DHCPv6, prefix delegations.
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
369
Managing DHCP Shared Networks
All the columns, except Multi-status, are displayed by default, they can be ordered and filtered.
For more details regarding the column Multi-status, refer to the section Understanding the Column
Multi-Status.
370
Managing DHCP Shared Networks
Back on the page All shared networks, the shared network is marked Delayed create
before being marked OK.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
371
Chapter 26. Managing DHCP Scopes
SOLIDserver scopes are used to determine the topology of the network, apply DHCP options for
a routable domain, describe network clients, and indicate the addresses to be allocated to certain
clients. In order to use the DHCP service, each terminal network to be served must have a DHCP
scope that matches its IP address and its netmask (size). When a DHCP ACL server serves clients
with local physical networks, the scope is easily assimilated to its broadcast domain. A scope
belongs to a DHCP serverSCOPE RANGE DHCP ranges.
and can contain several LEASE
The scopes are the second level of the DHCP hierarchy, they are required
STATIC in a dynamic address-
OPTION
ing. They are created directly within a DHCP server and can belong to shared networks.
ACL
SHARED
SERVER NETWORK OPTION OPTION OPTION
GROUP
STATIC OPTION
372
Managing DHCP Scopes
Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.
Delayed create The creation or update is delayed until the scope is created on the physical server(s) of
the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed addition Only for Microsoft DHCPv4 servers. The addition is delayed until the scope is associated
(to failover) with the failover channel. Once associated, the scope is disabled by default.
Delayed enable Only for Microsoft DHCPv4 servers. The scope remains disabled until the servers of the
failover channel both receive the information. The scope is then enabled and marked
OK.
Delayed delete The deletion is delayed until the scope is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.
Note that you can also import scopes, for more details refer to the section Importing Scopes in
the chapter Importing Data from a CSV File.
You can add as many scopes as you need on the page All scopes. If you filter the page to add
scopes in a specific server or shared network, some pages and fields are not displayed in the
wizard.
373
Managing DHCP Scopes
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. Click on NEXT . The next page opens.
8. Fill in the following fields to configure the scope parameters:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
9. Click on OK to complete the operation. The report opens and closes. The scope is listed.
Keep in mind that you cannot edit the field Shared network if the scope is the only one belonging
to a shared network containing a prefix delegation.
374
Managing DHCP Scopes
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. You can edit the Name, Shared network and DHCP scope space name.
7. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
Note that the DHCP option boot-unknown-clients can be set at scope level.
For more details regarding the DHCP options configuration, refer to the chapter Configuring
DHCP Options and/or to the appendix DHCP Options.
375
Managing DHCP Scopes
376
Managing DHCP Scopes
Defining a specific space at scope level allows to apply policy rules from the IPAM module to
several addresses and avoid any overlapping of ranges and spreads of reserved addresses.
You can associate scopes with a space one scope at a time or several scopes at once.
Once a scope is associated with a space, you can execute the DHCP to IPAM replication and
associate scopes with existing networks or create the corresponding network. As you can create
several terminal networks managing the same IP addresses in separate spaces, you can associate
these networks with scopes belonging to distinct DHCP servers.
You can associate scopes with a failover channel one scope at a time or several scopes at once.
377
Managing DHCP Scopes
6. Click on OK to complete the operation. The report opens and closes. The panel displays the
new space name.
Before replicating your DHCP data into the IPAM, keep in mind that:
• The option IPAM replication behaves as follows:
• If you specify a space that has no matching network, a network is created, it is named like
the scope.
• If you do not specify any space, with the value None, SOLIDserver automatically creates a
network matching the scope in the first space that can receive it.
• The option IPAM replication can only specify a target space for scopes that are not configured
with any space yet.
Either no space was specified when you added it or you set the space of a scope and selected
None, as detailed in the procedure To set the space of one or several scopes.
• The option IPAM replication does not change the associated space, it sets a replication asso-
ciation. If you want to change the target of a scope already associated with a space, you must
edit as detailed in the section Defining a Specific IPAM Space for a Scope.
Note that you can also replicate DHCP range and static data to the IPAM. For more details, refer
to the sections Replicating Range Data in the IPAM and Replicating Static Data in the IPAM.
378
Managing DHCP Scopes
For instance, if you configured multinetting on your network and one DHCP server answers client
requests on a single physical network that has multiple IP networks in use. With a shared network
containing several scopes, the server identifies that a client request was sent from one of the
scopes and that it has many available IP addresses to choose from and assign to the client.
If dynamic DHCP ranges appear within scopes using the same shared network, all ranges of
addresses are offered independently. Once the first range is full, the ranges that are declared
within the same shared network are used one after the other until all addresses are used.
You can set a shared network on one or several IPv4 scopes. In IPv6, you can only set it from
the scopes properties page.
If you did not set a shared network during the scope addition, the start IP address and the
prefix of the scope you are editing are displayed.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
379
Managing DHCP Scopes
Migrating a scope also migrates the DHCP ranges and statics with IP address it contains. As for
the statics without IP migration, refer to the section Copying a DHCPv4 Static Without IP.
Keep in mind that if your physical server is managed via a smart, only the scope created on the
smart can be duplicated or moved.
Relay agents are configured with a list of one or more DHCP servers, two servers must be con-
figured for the DHCP failover. When a relay agent receives a message from a DHCP client on a
particular network segment, it records the IP address of the interface on which it received the
request in the field GiAddr of the message, and then it forwards the message to the DHCP
server. From there, the server directly responds to the client.
The DHCP relay is a mechanism that allows the transfer of DHCP/BOOTP messages between
clients and servers of different networks. The routers used to interconnect these networks possess
380
Managing DHCP Scopes
for the most part the functionality of TCP/IP relay agents. To conform to RFC 1542 and deal with
the relay agent, each router must be able to recogne BOOTP and DHCP messages and relay
them in an appropriate manner. A router equipped with the capacities of a BOOTP relay agent
generally relays DHCP packets, as well as all BOOTP packets transmitted on the network.
SOLIDserver supports DHCP relay transparently, if a scope has the same network address as
one of the interfaces of the DHCP server, then it is a local scope. This means that it belongs to
the same broadcast domain as the DHCP server. Otherwise, it is a relay scope.
The new scope is added in the selected DHCP cluster and automatically set with the network
Gateway address as value of the option routers. In addition, all the IP addresses you add within
these networks can automatically add statics.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
If the terminal network adds a scope, the option routers is directly set. If the terminal network
matches an existing scope, the option routers is set or updated.
381
Managing DHCP Scopes
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Granting access to a scope as a resource also grants access to every item it contains. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
382
Chapter 27. Managing Fixed
Reservations
DHCP fixed reservation relies on statics and groups, you can manage either following the proced-
ures in the sections Managing DHCP Statics and Managing DHCP Groups.
Static reservations can match DHCP, PXE or BOOTP clients based on their MAC address or
DHCP-client-identifier . These reservations can belong to a DHCP server directly, a group, a
scope or a range. All the DHCP options set on these containers apply to the reservations, so if
you edit the DHCP options, the devices configured with the options are automatically updated
when they request the lease renewal.
Every DHCP static reservation must have a unique name which is usually used to identify it but,
in particular contexts, can be used to enforce the client's hostname.
When it comes to statics, there is a main difference between DHCP managing IPv4 and IPv6
addresses. DHCPv6 introduces a new piece of information, the DHCP Unique Identifier (DUID).
It should not exceed 128 bits in total and allows to identify a client rather than an equipment. It
contains the MAC address, therefore this address is not a unique independent set of numbers
anymore, it corresponds to the last 48 to 64 bits of the DUID depending on its type.
DUID-LLT
DUID type Hardware Time Stamp MAC Address
DUID-EN
DUID type Enterprise Vendor Vendor Identifier
DUID-LL
DUID type Hardware MAC Address
bits
DHCP servers in IPv4 use the MAC address specified during the static reservation to identify the
clients' IP address and allocate them a lease as well as soon as they are visible on the network.
Once the lease is allocated, if the IPAM and DNS replication are configured, the data is sent to
the IPAM and the DNS.
383
ACL
GROUP
The DHCP statics are the end point of a DHCP fixed reservation strategy. They can belong to a
DHCP group or directly to a DHCP server.
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
On the statics properties page you can display and set DHCP options from the dedicated panel.
None of the default options are listed in the panel, except for the type of DHCP server. For more
details, refer to the chapter Configuring DHCP Options.
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
As EfficientIP DHCP servers manage IPv4 static reservations like leases, two new columns were
added to the page All statics: Last seen that indicates the last time the client was connected and
Expiration that indicates when the lease expires.
Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.
384
Managing Fixed Reservations
The column Status provides information regarding the statics you manage.
Delayed create The creation or update is delayed until the static is created on the physical server(s) of
the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the static is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.
During any static reservation you must specify a MAC address, or DUID in DHCPv6, and MAC
address type, this type is visible in the column Full MAC address. For more details, refer to the
appendix MAC Address Types References.
385
Managing Fixed Reservations
• Smart architectures containing only EfficientIP DHCP servers also manage statics with IP ad-
dress like leases.
• Microsoft DHCP servers, Nominum DCS servers or EfficientIP DHCP server in versions prior
to 6.0.0 cannot manage statics with IP address like leases.
• If you migrated from 5.0.4:
• The statics configured with the option host-name are renamed. The value of the option is
used as the name for the static.
• The statics not configured with the option host-name are edited. The name of statics is used
as value of the option host-name.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. Configure the static using the table below:
10. Click on OK to complete the operation. The report opens and closes. The static is listed.
If you added a static in a range on an EfficientIP DHCP server, or a smart architecture managing
EfficientIP DHCP server(s), set with DHCP to DNS and DHCP to IPAM advanced properties,
once the client is connected to the network the static is listed on the page All leases. That lease
386
Managing Fixed Reservations
information updates the DNS with a new record. For more details, refer to the chapter Managing
Advanced Properties.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. Configure the static using the table below:
10. Click on OK to complete the operation. The report opens and closes. The static is listed.
387
Managing Fixed Reservations
If you added a static in a range on an EfficientIP DHCP server, or a smart architecture managing
EfficientIP DHCP server(s), set with DHCP to DNS and DHCP to IPAM advanced properties,
once the client is connected to the network the static is listed on the page All leases. That lease
information updates the DNS with a new record. For more details, refer to the chapter Managing
Advanced Properties.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Edit the Name, MAC address, MAC address type and/or Group name according to your
needs.
7. Click on OK to complete the operation. The report open and closes. The changes are visible
in the panel.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Edit the Name, IP address, Client DUID, MAC address, MAC address type and/or Group
name according to your needs.
7. Click on OK to complete the operation. The report open and closes. The changes are visible
in the panel.
388
Managing Fixed Reservations
Depending on your IPAM configuration, this IP address can belong to a pool, even if the
pool is read-only.
• If the static belongs to a scope for which no replication has been set, its data is replicated
as an IP address in the first terminal network or pool that can receive it. The pool can be
read-only.
• If you replicate a static with IP that matches an existing IP address:
• The IP address is renamed, it takes the name of the static.
• The MAC address of the IP address is edited, it takes the MAC address of the static.
• If you replicate a static with IP that has no corresponding IP address, an IP address is created.
It has the same name and MAC address as the static with IP.
• All the statics replicated edit the IP addresses Type to DHCP static and Status to Reserved.
• The option IPAM replication is independent at static level, replicating scopes or ranges does
not automatically replicates to the statics they contain. You must select statics and execute
the option to update the IPAM IP addresses with range data.
For more details regarding scope and range replication, refer to the sections Defining a Specific
IPAM Space for a DHCPv4 Scope and Replicating Range Data in the IPAM.
389
Managing Fixed Reservations
For more details regarding the DHCP options configuration, refer to the chapter Configuring
DHCP Options and/or to the appendix DHCP Options.
From the properties page of your statics, you can set DHCP options.
From the page All statics, you can set, replace or delete DHCP options on all the statics you select
at once.
390
Managing Fixed Reservations
Statics with IP address are copied or moved when you migrate the scope they belong to.
The static is added in the DHCP cluster you configured at network level, it shares the same IP
address, MAC address and name as the new IP address.
For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and Configuring DHCP Advanced Properties.
391
Managing Fixed Reservations
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
They can manage statics with or without IP, therefore they allow configuring parameters not
strictly related to a per-network basis. For instance, they can be used to provide a consistent set
of parameters to clients that connect on more than one IP network.
392
SERVER OPTION OPTION OPTION
GROUP
Managing Fixed Reservations
STATIC OPTION
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
The column Status provides information regarding the groups you manage.
Delayed create The creation is delayed until the group is created on the physical server(s) of the smart
architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the group is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.
393
Managing Fixed Reservations
You can edit existing statics to manage them via the group of your choice, for more details refer
to the section Editing a DHCP Static.
Before adding a group, keep in mind that you cannot edit it. You need to delete it and replace it
with another one.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the field DHCP group name, type in the name of the group.
8. Click on OK to complete the operation. The report opens and closes. The group is listed.
For more details regarding DHCP options, refer to the chapter Configuring DHCP Options and/or
to the appendix DHCP Options.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
394
Managing Fixed Reservations
Keep in mind that you cannot delete a group if it contains statics. You must first remove the
statics from the group and then follow the procedure below.
395
Chapter 28. Managing Dynamic
Addressing
DHCP dynamic addressing relies on ranges and leases, you can manage either following the
procedures in the sections Managing DHCP Ranges and Managing DHCP Leases.
You can also restrict access using ACLs, configure the PXE or prevent IP duplication, as detailed
in the sections Managing DHCP ACLs, Configuring the PXE and Preventing IP Address Duplic-
ation.
EfficientIP DHCP servers manage the statics with IP address like leases. Therefore the statics
added also create a lease whenever the MAC address declared is active
ACL
on the network, these
leases can belong to your ranges and are listed on the page All leases. If you configured the
IPAM and DNS replication,SCOPE
they also create DNS entries. For more details,
RANGE LEASE refer to the section
Adding DHCPv4 Statics.
SERVER OPTION OPTION OPTION
The DHCP ranges are the third level of a DHCP dynamic addressing STATIC
organization. They
OPTIONbelong
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
396
Managing Dynamic Addressing
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.
Delayed create The creation or update is delayed until the range is created on the physical server(s) of
the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the range is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.
Note that you can also import ranges, for more details refer to the section Importing Ranges in
the chapter Importing Data from a CSV File.
Keep in mind that if you or your administrator configured IPAM to DHCP advances properties,
new ranges may be added for every pool created in the IPAM. For more details, refer to the rel-
evant section of the chapter Managing Advanced Properties.
You can add as many DHCPv4 ranges as you need. Note that by default:
• The DHCP range addition wizard provides a page dedicated to configuring Access Control
Lists (ACL) for EfficientIP DHCP servers. Keep in mind that the order of the elements of the
range's ACL list is important as each restriction or permission is reviewed following the
order you set in the list.
• You cannot add a range containing more than 1 million addresses. To edit this limit, refer to
the procedure To edit the registry key that defines the ranges maximum size.
397
Managing Dynamic Addressing
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. Configure the DHCP range parameters following the fields below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
a
Note that you cannot add a DHCP range containing more than a million IP addresses.
10. If you are adding a range on an EfficientIP DHCP server, click on NEXT . The ACLs configur-
ation page opens, depending on the classes configured by your administrator.
You can set the ACL configuration of your choice, using Specific and/or General ACLs.
a. In the field Specific ACL, configure ACLs using the table below.
b. In the field General ACL, configure ACLs using the table below.
398
Managing Dynamic Addressing
c. In the list DHCP range ACL, all the configured ACLs are listed. To reorder the entries,
select them one by one and click on the arrows to move them up or down .
If you want to add ranges containing more than a million addresses, you must edit the dedicated
registry database key.
To edit the registry key that defines the ranges maximum size
You can add as many DHCPv6 ranges as you need. Note that the ACL configuration in not
available on IPv6 ranges.
399
Managing Dynamic Addressing
8. If you or your administrator created classes at range level, in the list DHCP range class, select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. Configure the DHCPv6 range following the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
10. Click on OK to complete the operation. The report opens and closes. The range is listed.
You can edit the ACLs of a DHCPv4 range from its properties page. Depending on your rights,
you may also be able edit its advanced properties.
You cannot edit a DHCPv6 range. The properties page displays all the available information.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
1
5. Click on NEXT . The page ACL configuration opens .
1
For more details regarding the ACLs, refer to the section Managing DHCP ACLs.
400
Managing Dynamic Addressing
7. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel.
Resizing a Range
With DHCPv4, you can resize ranges. Basically, you can edit the range start and/or end address
so that it includes more or less addresses. This shift in addresses is only possible if the addresses
included or excluded are not already used or part of another range.
401
Managing Dynamic Addressing
• If the range belongs to a scope for which the IPAM replication has been set, its data is rep-
licated as a pool that belongs to the same terminal network.
• If the range belongs to a scope for which no replication has been set, its data is replicated
as a pool in the first terminal network that can receive it.
• You can replicate the range data in the IPAM if:
• No pool exists yet: a read-only pool is created and named DHCP.
• An existing matching the range size already exists. If the pool was not in read-only it is
marked read-only, the pool is renamed DHCP.
• You cannot replicate a range data in the IPAM if an existing pool already manages some of
the IP addresses of the range you selected.
• The option IPAM replication is independent at range level, replicating scopes does not auto-
matically replicates to the ranges they contain. You must select ranges and execute the option
to update the IPAM pools with range data.
For more details regarding scope replication, refer to the section Defining a Specific IPAM
Space for a DHCPv4 Scope.
For more details regarding the DHCP options configuration, refer to the chapter Configuring
DHCP Options and/or to the appendix DHCP Options.
From the properties page of a range, you can set DHCP options.
402
Managing Dynamic Addressing
5. In the panel DHCP Options, click on EDIT . The wizard Configure DHCP options opens.
6. In the drop-down list Options category, select the option type of your choice. The wizard
refreshes.
7. Edit the option(s) of your choice.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
From the page All ranges, you can set, replace or delete DHCP options on all the ranges you
select at once.
403
Managing Dynamic Addressing
5. In the menu, select Edit > Option > Delete. The wizard Delete DHCP range options
opens.
6. In the drop-down list Option name, select an option.
7. In the field Option value filter, type in the option value.
8. Click on OK to complete the operation. The report opens and closes. On the range properties
page, the panel DHCP options no longer displays the DHCP option.
For more details, refer to the chapter Managing Advanced Properties in the section Pool Advanced
Properties.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Before deleting an existing range, remember to create a new one using a different range of ad-
dresses.
404
Managing Dynamic Addressing
Keep in mind that if the appliance time is incorrect, you cannot retrieve any leases. For more
details, refer to the section Configuring NTP Servers.
With SOLIDserver in DHCPv4, the maximum lease time is 24 hours (86400 seconds). By default,
the lease time is of 12 hours (43200 seconds). You can obviously change these parameters
either one a particular lease individually or at the range, scope or server level. As for DHCPv6,
you can configure the leases only at the server or scope level.
EfficientIP DHCP servers manage the statics with IP address like leases. Therefore in IPv4:
• On the DHCP page All leases, all the clients are listed whether they requested access to the
server on parts of the network - defined through your scopes and ranges - or whether they
were identified through their MAC address. For more details, refer to the section Adding DHCPv4
Statics.
• On the IPAM page All addresses, if the IP address leased is also managed in the IPAM, the
columns Type and Status of the IP address reflect its use in the DHCP. For more details, refer
to the section Understanding the IP Address Type and Status. ACL
STATIC OPTION
The leases are the last level of the DHCP dynamic addressing hierarchy.
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
405
Managing Dynamic Addressing
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
The columns on the page allow to display all the lease information in IPv4 or IPv6. Keep in mind
that in IPv6 you can display colored labels above parts of the IP addresses listed. It allows to
differentiate at a glance your containers. For more details, refer to the chapter Managing IPv6
Labels.
The column Status provides information regarding the leases you manage.
Delayed create The creation or update is delayed until the lease is created on the physical server(s) of
the smart architecture. The creation is automatically done after maximum of 1 minute.
Delayed delete The deletion is delayed until the lease is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.
406
Managing Dynamic Addressing
EfficientIP DHCP server allows administrators to specify a default lease duration, a minimum
lease duration, and a maximum lease duration as defined below:
• default-lease-time specifies the duration of the lease that the DHCP server assigns if the client
requesting the lease does not ask for a specific expiration time.
• minimum-lease-time duration is used to force the DHCP client to take a longer lease than
the lease duration that it requests.
• maximum lease-time duration is used to define the longest lease that the DHCP server can
allocate. If a DHCP client asks for a longer lease than the maximum lease duration, then the
server limits the lease to the maximum lease duration.
Note that the maximum lease times does not apply to dynamic BOOTP leases. These
leases are not specified by the client and can exceed the maximum lease time configured.
You can set up the lease duration at server, scope, range, group and static level in IPv4 and
at server and scope level in IPv6.You can also configure a DHCP class to set the lease duration.
DHCP lease duration is a topic of discussion among network administrators. Some use a lease
time of 6 months, some use lease time of 5 minutes. The right lease duration depends on each
network's context. Default lease duration on EfficientIP DHCP server is 12 hours.You can change
this default according to your requirements and set leases time at different levels, based on dif-
ferent factors. You can set a default lease time at the server, scope, range, group, DHCP class,
or static level of the EfficientIP DHCP organization.
407
Managing Dynamic Addressing
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Filter the list if need be.
4. At the end of the line of the object of your choice, click on . The properties page opens.
5. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
6. In the field Default lease time, you can set a default lease time in seconds. The lease time
is respected unless the client specifies another one when requesting a lease.
7. In the field Max lease time, you can set the maximum lease time in seconds.
8. In the field Min lease time, you can set the minimum lease time in seconds.
9. Click on OK to complete the operation. The report opens and closes. The edited information
is now listed in the panel.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Releasing Leases
In case of ranges overloading, the lease release feature can be helpful in order to punctually free
a critical case. This operation asks the DHCP server to simulate a DHCP release.
Releasing leases should not be done on a daily basis to resolve a lack of free space in a
range, in this case it is best to extend the range capacity as soon as possible.
Besides, keep in mind that a lease deletion can create IP addresses overlapping. Before
proceeding with the lease deletion, make sure that the impacted DHCP client is not liable to
connect to the network where the addresses were deleted.
It is not possible to convert an IPv6 lease into a static but you can create IPv6 statics.
408
Managing Dynamic Addressing
When you convert a lease to static, a static reservation is created with the same name as the
lease. This reservation can have an IP address or not:
• Converting into a static without IP address: the MAC address of the lease now connects
to the first available IP address on the network - no matter the server, scope or range managing
it. The purpose of the conversion is to configure DHCP options for the static reservation that
applies to the MAC address whenever it connects to the network.
• Converting into a static with IP address: the MAC address of the lease always connects to
the same IP address. The purpose of this conversion is to configure the same specific DHCP
options for a specific MAC address, or client, whenever they connect to the part of the network
that manages their IP address.
The converted IP addresses are no longer listed on the page All leases. They are now on
the page All statics, accessible via the breadcrumb.
Blacklisting Leases
Once delivered, you can blacklist a lease at any time. This converts the lease into a static without
IP. From that point on, the client MAC address cannot access to the DHCP servers or the failover
channel and therefore can no longer be delivered a lease.
Once a lease is blacklisted, the corresponding static without IP is immediately created. The client
MAC address is saved in the DHCP server configuration as blacklist-<MAC_address> to ensure
that any lease request is denied. This static is automatically configured with a set of ACL restric-
tions that prevent the connection to the server and its failover. In the meantime, the lease remains
valid until it expires, the next client request for renewal is denied. Once the lease duration is up,
the client MAC address is disconnected and unable to connect again.
2
EfficientIP DHCP servers manage the statics with IP address like leases . The static reservations
create leases, identified via their MAC address, that you can also blacklist: a static without IP
address automatically replaces the static with IP address you blacklisted.
To blacklist a lease
1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. Tick the lease(s) you want to blacklist.
2
For more details, refer to the section Adding DHCPv4 Statics.
409
Managing Dynamic Addressing
3. In the menu, select Edit > Blacklist lease. The report opens and closes. The lease is still
visible on the page All leases and disappears once it has expired. On the page All statics,
every blacklisted MAC address as the following Name: blacklist.
The new IP address shares the same address, MAC address and name as the new lease.
This property must be set at server level. For more details, refer to the chapter Managing Advanced
Properties in the section Configuring DHCP Advanced Properties.
Note that all DHCP to DNS properties rely on the IPAM and can only be configured if you set
DHCP to IPAM and IPAM to DNS advanced properties.
To configure DHCP to IPAM advanced properties, refer to the chapter Managing Advanced
Properties in the section Configuring DHCP Advanced Properties.
Tracking Leases
SOLIDserver keeps track of the leases delivered by all the DHCP servers you manage. You can
purge the lease history via two rules that allow to remove expired leases from the database after
a certain number of days. For more details, refer to the sections and .
To track leases
1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. On the right-end side of the menu, click on DHCP lease history. The page refreshes.
Table 28.9. The columns available on the pages Lease tracking and Lease tracking (v6)
Field Description
IP address The IP address allocated.
MAC address The MAC address of the client that used the lease.
Client DUID Only available on the page V6. The DHCP Unique Identifier (DUID) sent by the client that
requested the DHCPv6 lease. For more details regarding the existing DUID structures,
refer to the section Managing DHCP Statics.
410
Managing Dynamic Addressing
Field Description
Start The lease allocation start time and date.
End The lease expiration time and date.
Server The name of the server that delivered the lease.
Client identifier Only available on the page V4. The value of the option client-identifier sent by the client
that requested the DHCPv4 lease.
Remote ID Only available on the page V4. The remote identifier provided by the relay agent that re-
ceived the DHCPv4 lease request and sent it to the server.
Circuit ID Only available on the page V4.The circuit identifier provided by the relay agent that received
the DHCPv4 lease request and sent it to the server.
Period Only available on the page V4. The total lifespan of the DHCPv4 lease.
Name The name of the lease as specified on the server, unless you chose to retrieve the option
domain-name sent by the DHCP clients instead. For more details, refer to the section
Using ACLs to Automatically Retrieve the DHCPv4 Lease Option domain-name.
OS name Only available on the page V4.The OS name and version of the client to which the DHCPv4
lease was allocated. The information is based on SOLIDserver fingerprint database.
Status The status of the lease.
The IPv4 lease logs are automatically erased 60 days after the leases have expired, as set in
rule 012. You can change this rule configuration following the procedure below.
To edit the rule 012 that controls the automatic purge of IPv4 lease logs
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule # search field, type in 012. The rule Purge DHCP leases history is listed.
4. In the column Instance, click on auto_purge_histo_dhcplease. The rule properties page
opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. Click on NEXT . The page Rule filters appears.
7. If you want to schedule the purge, configure the fields according to the table below:
411
Managing Dynamic Addressing
The IPv6 lease logs are automatically erased 60 days after the leases have expired, as set in
rule 384. You can change this rule configuration following the procedure below.
To edit the rule 384 that controls the automatic purge of IPv6 lease logs
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule # search field, type in 384. The rule Purge DHCPv6 leases history is listed.
4. In the column Instance, click on auto_purge_histo_dhcplease6. The rule properties page
opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. Click on NEXT . The page Rule filters appears.
7. If you want to schedule the purge, configure the fields according to the table below:
412
Managing Dynamic Addressing
By combining the GiAddr and the Circuit ID, a network wide unique string can be created. This
string can be used for table lookup in the DHCP server. We called this string a pseudo MAC ad-
dress, since most DHCP servers do a MAC to IP mapping in their databases.
In its default configuration, the DHCP Relay Agent Information Option passes along port and
agent information to SOLIDserver DHCP server. It is useful in statistical analysis for instance, as
it indicates where an assigned IP address physically connects to the network. It may also be
used to make DHCP decisions based on where the request is coming from or even which user
is making the request. For more details regarding its implementation, refer to the chapter Config-
uring DHCP Options.
This information is only available on EfficientIP DHCP servers and is not available on the other
vendors' DHCP servers. For EfficientIP servers, you can display the Circuit ID (DHCP lease circuit
ID) and Remote ID (DHCP lease remote ID) columns on the page All leases. For more details,
refer to the section Customizing the List Layout.
With DHCPv6, the client ID, circuit ID and remote ID are not supported. It is impossible therefore
to retrieve these pieces of information separately, much less display them in a listing template
on the leases page. This information might be delivered by the agent in DHCPv6 but the appliance
does not retrieve it at the server level.
The equivalent of the option 82 relay agent would be the DHCPv6 option 9 (relay message option)
and the option 47 (relay data option).
413
Managing Dynamic Addressing
Within DHCP organizations, you can use Access Control Lists (ACL) to tailor your dynamic
addressing configuration, set at server or range level. ACLs allow to identify clients and decide
which addresses to allocate them based on more than their location.
DHCP clients become members of an ACL when their request matches the ACL content, may
that be a rule or an ACL entry.
The ACL is a succession of checks that ultimately make sure that all the parameters you want
or refuse from your DHCP clients toward the DHCP server or smart architecture of your choice
are respected.
Note that one ACL can be used several times to set the access permissions to an object. For
instance, you can control the access to leases or restrict IP address allocation to unknown DHCP
clients. Using ACLs, one network can dynamically allocate known clients with IP addresses from
a particular segment and allocate addresses from another segment to unknown clients.
You can add, edit, copy or delete ACLs as well as create ACL entries within existing ACLs.
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
You can mange ACLs and their content on two dedicated pages. The page All ACLs is accessible
from any page in the DHCP, in the breadcrumb it is part of the additional pages right of All servers.
The page ACL Entries is only accessible from the page All ACLs.
On both pages, all the columns are displayed by default, you can filter and sort them but you
cannot change their order.
414
Managing Dynamic Addressing
On the properties page, the panels Main properties and DHCP options are available.
On the properties page, the panels Main properties and DHCP options are available.
On the page All ACLs and ACL Entries, the column Status provides information regarding the
ACLs and ACL entries you manage.
Delayed create The creation or update is delayed until the ACL or ACL entry is created on the physical
server(s) of the smart architecture. The creation is automatically done after a maximum
of 1 minute.
Delayed delete The deletion is delayed until the ACL or ACL entry is deleted from the physical server(s)
of the smart architecture. The deletion is automatically done after a maximum of 1 minute.
415
Managing Dynamic Addressing
You can use predefined ACLs available upon creation if you want to apply specific behaviors, or
simply reuse the syntax and configure a custom-made ACL. Among them, only the MAC address
checks a list of data rather than parameters.
To add an ACL
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. In the menu, click on Add. The wizard opens.
6. In the list DHCP server, select one of your DHCP servers.
7. Click on NEXT . The next page opens.
8. In field ACL name, name the ACL.
9. In the drop-down list Predefined ACL, you can select one of the available ACLs. The ACL
syntax is displayed in the field Match expression and can be edited. By default, None is
selected.
10. In the field Match expression, type in or edit the syntax if need be.
11. Click on OK to complete the operation. The report opens and closes. The ACL is listed.
Once added, you can configure the ACL with ACL entries, or even edit, copy or delete it.
416
Managing Dynamic Addressing
8. In the section General ACL, in the drop-down list select known clients.
a. In the drop-down list Restriction, select allow. The field ACL displays allow known clients.
b. Click on . The list DHCP range ACL displays allow known clients.
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel ACL.
To copy an ACL
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
5. Filter the list if need be.
6. Tick the ACL(s) you want to copy.
417
Managing Dynamic Addressing
7. In the menu, select Edit > Migrate. The wizard Copying ACLs (v4) opens.
8. In the drop-down list Target server, select the server or smart architecture of your choice.
9. Click on OK to complete the operation. The report opens and closes. The copied ACLs are
listed, you may need to unset filters to display them.
If you copy an ACL to a smart architecture that manages physical servers, it is copied to the
smart and then pushed to the physical servers. The ACL remains in Delayed create until it is
successfully pushed.
Once your configuration is set, on the page All leases, the value of the option domain-name is
displayed in the column Name (DHCP lease name).
When your configuration is complete, any request matching the ACL you created sets the domain-
name you configured to the lease and automatically overwrites any inherited value.
Note that if your DHCP objects are set with advanced properties to update the IPAM and DNS
databases, the domain name you configure is sent to the IPAM and potentially the DNS as well.
For more details, refer to the chapter Managing Advanced Properties.
418
Managing Dynamic Addressing
d. On the right-end side of the menu, make sure the button V4 is black, otherwise click on
it. The page refreshes and the button turns black.
e. In the menu, click on Add. The wizard opens.
f. In the list DHCP server, select one of your DHCP servers.
g. Click on NEXT . The next opens.
h. In field ACL name, type in the name of the ACL.
i. In the drop-down list Predefined ACL, select None.
j. In the field Match expression, type in the match of your choice.
k. Click on OK to complete the operation. The report opens and closes. The ACL is listed.
3. Configure the ACL with the option domain-name
a. At the end of the line of the ACL you just created, click on. The properties page opens.
b. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
c. In the field Domain name (15), specify the name of the domain of your choice.
d. Click on OK to complete the operation. The report opens and closes. The DHCP option
is listed.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
To delete an ACL
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. Filter the list if need be.
6. Tick the ACL(s) you want to delete.
7. In the menu, click on Delete. The wizard Delete opens.
8. Click on OK to complete the operation. The report opens and closes. The ACL is no longer
listed.
If you delete an ACL from a smart architecture that manages physical servers, it is removed from
the smart and then removed from the physical server. It remains in Delayed delete until it is
successfully removed.
419
Managing Dynamic Addressing
If you selected Hexadecimal, type in your condition following the MAC format of two hexa-
decimal characters separated by a semi-colon.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
DHCP is used to locate the appropriate boot server or servers, with TFTP used to download the
initial bootstrap file. After it downloads the file, the host reboots and sends another IP address
request. When such a PXE client starts up, it first requests an IP address in order to download
the file it needs to boot.
The client, wishing to remotely boot an operating system image, broadcasts a DHCPDISCOVER
packet as per the DHCP protocol. This packet is transmitted to acquire an IP address. The client
420
Managing Dynamic Addressing
also sends PXE protocol specific DHCP option 60 (Vendor Class Identifier) along with this
packet. The DHCP server responds to the above DHCPDISCOVER packet by sending a DH-
CPOFFER packet that contains the IP Address allocated to the client. In a PXE remote boot, the
DHCP server also sends:
• A special tag (option 60, with the value set to the string "PXEClient") to identify that it is capable
of configuring a PXE client.
• The next server to specify the server host address from which the initial boot file is to be
loaded.
• The filename to specify the name of the initial boot file to be loaded by a DHCP client.
The client downloads the executable file using either standard TFTP (port69) or MTFTP (port
assigned in Boot Server Ack packet). The file downloaded and the placement of the downloaded
code in memory is dependent on the client's CPU architecture. After it downloads the boot file,
the client reboots and sends a new DHCPDISCOVER.
You can set a different lease time for PXE boot requests to manage your dynamic ranges better.
The DHCP server can allocate an IP address with a shorter lease time to hosts that send PXE
boot requests in order to release IP addresses faster.
These options can be configured at multiple levels: server, scope, static reservation, DHCP group
or dynamic range.
The PXE parameters configuration only applies to DHCPv4. For now, it is impossible to set
them with IPv6 addressing.
421
Managing Dynamic Addressing
6. In the field filename, type in the name of the initial boot file to be loaded.
7. Click on OK to complete the operation. The report opens and closes. The modifications are
listed in the panel DHCP options.
To avoid this issue, SOLIDserver manages leases by setting a different lease time for PXE boot
request. SOLIDserver allows you to allocate an IP address with a shorter lease time to hosts that
send PXE boot requests, so IP addresses are not leased longer than necessary. By default the
lease duration for PXE client is set to 5 minutes (300 seconds). It can be changed by following
the next procedure.
When the DHCP server is considering dynamically allocating an IP address to a client, it first
sends an ICMP echo request (a ping) to the address being assigned. It waits for a second, and
if no ICMP echo response has been heard, it assigns the address. If a response is heard, the
lease is abandoned, and the server selects another free IP address and sends it a ping. The
DHCP server continues this process until it finds an IP address that does not respond to the ping.
The DHCP server then sends a DHCPOFFER message with the unused IP address to the DHCP
client.
422
Managing Dynamic Addressing
2. At the end of the line of the DHCPv4 server or smart architecture of your choice, click on .
The properties pages opens.
3. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
4. In the drop-down list Option category, select Server parameters.
5. In the drop-down list Ping check, select Yes.
6. In the field Ping timeout, you can set up a timeout if necessary.
If the DHCP server determines that it should send an ICMP echo request (a ping) because
the ping-check statement is true, ping-timeout allows you to configure how many seconds
the DHCP server should wait for an ICMP Echo response to be heard, if no ICMP Echo re-
sponse has been received before the timeout expires, it assigns the address. If a response
is heard, the lease is abandoned, and the server does not respond to the client. If no value
is set, the ping-timeout is of 1 second by default.
7. Click on OK to complete the operation. The report opens and closes. The modifications are
listed in the panel DHCP options.
With DHCPv6, the procedure is similar. Only a few wizard-related steps change.
If the DHCP server determines that it should send an ICMP echo request (a ping) because
the ping-check statement is true, ping-timeout allows you to configure how many seconds
the DHCP server should wait for an ICMP Echo response to be heard, if no ICMP Echo re-
sponse has been received before the timeout expires, it assigns the address. If a response
is heard, the lease is abandoned, and the server does not respond to the client. If no value
is set, the ping-timeout is of 1 second by default.
6. Click on OK to complete the operation. The report opens and closes. The modifications are
listed in the panel DHCP options.
423
Chapter 29. Managing Failover Channels
SOLIDserver allows you to display all the failover channels for the DHCP smart architectures it
manages. The page All failover channels provides you with detailed information on all the failover
channels of the smart architectures you manage.
Note that if you manage servers from smart architectures you can associate a failover channel
with one or several scopes at once from the page All scopes. For more details, refer to the section
Defining a Specific Failover Channel for a Scope.
Keep in mind that the failover mechanism is not available when it comes to IPv6 addressing.
By default, the failover is based on load balancing, it is Balanced, on One-to-One and One-to-
Many smart architectures.
In the GUI, the page All failover channels provides the column State that includes detailed inform-
ation regarding each state. For more details regarding this column, refer to the table The different
failover states
424
Managing Failover Channels
In Normal state, only one server responses to the messages sent by DHCP clients. The failover
configuration you chose when setting up the failover defines which server responses to clients.
Failover Channel
DHCP 1 DHCP 2
local range local range
16
19
2
1
When configuring a One-to-One or One-to-Many smart architecture, the drop-down list Split
leases allows to choose if the primary server or the secondary server should respond to the
DHCP clients requests or choose to balance the responses between the servers. In other words,
when configuring your smart architecture, you can set the failover to respect a master/backup
configuration or a load balancing configuration.
Which is why in Normal state, a server might seem to ignore a client request.
• Master/Backup Configuration
If you choose this configuration, you can decide which server of the failover answers to all the
requests: either the primary (Prefer master) or the secondary (Prefer backup). For more details,
refer to the sections DHCPv4 One-to-Many Smart Architecture and DHCPv4 One-to-One Smart
Architecture.
• Load Balancing Configuration
If you choose this configuration, you can balance the responses equally and make both servers
respond to the DHCP clients' requests. The standard load balancing algorithm specifies which
server answers DHCP requests: this deterministic hash algorithm operates on the clients' in-
formation, their MAC address, to equally assign a set of clients to one server and the rest to
the other server. The hash is performed on every broadcast message sent out by DHCP clients,
it produces a number between 0 and 255 that the servers are able to interpret and divide
equally. In addition, when configured in load balancing, EfficientIP DHCP servers are able to
detect if a client has not received a response yet from its failover peer. Thanks to the field secs
of the DHCP client message, the server identifies which clients are making a request for the
first time (the field value is zero) or if it is a retry (the field value is nonzero). In the case of a
retry, the first available server responds no matter the DHCP client hash number.
425
Managing Failover Channels
The secondary server might be operating and simply unable to communicate with the other
server or might not be operating. Each server responds to the full range of DHCP client messages
that it receives, but in such a way that graceful reintegration is always possible when its partner
comes back and contacts it again.
Communications-Interrupted
DHCP 1 DHCP 2
local range
local range
2020 23
16 19
16
55 3
1 2
1
Site A Site B
For a variety of reasons, is it possible that one member of a DHCP failover pair might stop oper-
ating. This could be the result of a planned or unplanned outage. In order to provide the best
possible service when one member of a failover pair is down, the other can be placed in the
Partner-down state.
When operating in Partner-down state, a server assumes that its partner is not currently operating
but does make allowances for the other server's set of DHCP clients as long as the MCLT has
not passed. That way, any lease that was allocated by the other server while they were in com-
munication-interrupted state has expired and the remaining server can safely allocate leases to
all the DHCP clients of the failover. Once the MCLT expires, the server responds to all DHCP
client requests, it can reclaim any available IP address that belongs to its peer.
Partner-Down
DHCP 1 DHCP 2
local range local range
16
19
2
1
426
Managing Failover Channels
Once the peer server comes back up, it automatically connects to its failover channel to change
back to the Normal operational state. Once again, it has to wait until the MCLT passes to reclaim
its DHCP clients.
You can manually switch a server to Partner-down. It allows to better control the DHCP service,
for instance before moving a server: the administrator can manually switch the secondary server
of a failover channel to Partner-down. For more details regarding this option, refer to the section
Switching a DHCP Server to Partner-down.
In a One-to-One DHCP smart architecture, the administrator can also set an Automatic switch
to partner-down delay (in hours) after which a server in Communications-interrupted state should
automatically switch to Partner-down. For more details, refer to the section DHCPv4 One-to-One
Smart Architecture of the chapter Managing DHCP Smart Architectures.
Failover channels establish the synchronization mechanism between the physical servers for
most DHCPv4 smart architecture. All DHCPv6 failover channels are virtual ones.
In contrast with One-to-One and One-to-Many smart architectures that include as many failover
channels as physical secondary servers, the failover channel of a Single-Server or a Split-Scope
architecture is virtual. It links the managed server(s) to the smart architecture that act as a con-
figuration backup for the dhcpd.conf file. For more details, refer to the section DHCP Failover
Principles and Operational States.
The concept of failover channels is not very widespread in IPv6. Still, awaiting for its implement-
ation, SOLIDserver already offers a listing page for the virtual failover channels that provides a
427
Managing Failover Channels
backup of the smart architectures configuration. For more details, refer to the DHCPv6 architec-
tures of the section Implementing DHCP Smart Architectures.
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
All the columns are displayed by default, you can filter, sort or hide them.
The DHCPv4 page All failover channels displays 10 columns described in the table below.
The Split-Scope and Single-Server smart architecture provide few information on this page
as their failover is virtual and therefore cannot be edited. For both architectures, None is displayed
in every column except Name, Smart DHCP and Status.
Table 29.1. The columns on the page All failover channels in IPv4
Column Description
Name The name of each failover channel that you set when creating the smart architecture.
Server The name of the server or smart architecture.
Type The failover channel type: either Primary or Secondary.
Local address The IP address of the primary server, or Master, in the smart architecture.
Local port The port number dedicated to the failover on the smart architecture primary server.
Remote address The IP address of the secondary server of the smart architecture.
Remote port The port number dedicated to the failover on the smart architecture secondary server.
Split The leases' split configuration between the servers: Balanced, Prefer backup or Prefer
master.
State The failover operational state, either Normal, Startup, Recovering, Partner-Down, Commu-
nications-interrupted, Down, Unknown state or N/A. For more details, refer to the table
The different failover states below.
Multi-status Messages regarding the failover channel: emergency, warning, critical, error or informa-
tional, if relevant. For more details, refer to the section Understanding the Column Multi-
Status.
Status The failover channel status, either OK, Delayed create or Delayed delete.
Recovering The server is recovering from a partner-down state. The failover channel is
operational.
! Partner-down The other server of the failover is Down. The failover channel is operational.
Unknown state The failover configuration for the smart architecture is incorrect. The failover
channel is not operational.
428
Managing Failover Channels
The DHCPv6 page All failover channels displays 9 columns. Considering that the failover channel
in IPv6 is basically virtual as it is, the State column remains empty.
The Split-Scope and Single-Server smart architecture provide few information on this
page. For both architectures, you can find N/A displayed in the port related columns.
Table 29.3. The columns on the page All failover channels in IPv6
Column Description
Name The name of each failover channel that you set when creating the smart architecture.
Type The failover channel type: either Primary or Secondary.
Local address The IP address of the primary server, or Master, in the smart architecture.
Local port The port number on the smart architecture primary server dedicated to the failover.
Remote address The IP address of the secondary server in the smart architecture.
Remote port The port number of the smart architecture secondary server dedicated to the failover.
State The connection state between the two servers. As nowadays there is no failover per se
in IPv6, this column is empty.
DHCP name The smart architecture name.
Multi-status Messages regarding the failover channel: emergency, warning, critical, error or informa-
tional, if relevant. For more details, refer to the section Understanding the Column Multi-
Status.
Status The failover channel status, either OK, Delayed create or Delayed delete.
Delayed create The creation or update is delayed until the failover channel is created on the physical
server(s) of the DHCPv4 smart architecture. The creation is automatically done after a
maximum of 1 minute.
Delayed delete The deletion is delayed until the failover channel is deleted from the physical server(s) of
the smart architecture. The deletion is automatically done after a maximum of 1 minute.
429
Managing Failover Channels
You can automate the switch for servers managed via One-to-One smart architectures, the ad-
ministrator can also set an Automatic switch to partner-down delay (in hours) after which a
server in Communications-interrupted state should automatically switch to Partner-down. For
more details, refer to the section DHCPv4 One-to-One Smart Architecture of the chapter Managing
DHCP Smart Architectures.
To manually switch a server to partner-down, you can simply break the failover channel following
the procedure below, SOLIDserver automatically switches the right server to Partner-down. For
more details, refer to the section DHCP Failover Operational States.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
430
Chapter 30. Configuring DHCP Options
The DHCP dynamically distributes addresses, but also offers the possibility of providing config-
uration information and other specific controls to the server clients. These pieces of information
are called DHCP options.
Most standard DHCP options are currently detailed in the RFC 2132 recommendation, "DHCP
Options and BOOTP Vendor Extensions". Even if most DHCP servers offer several options, the
vast majority of DHCP clients are generally conceived to request and take charge of just a sub-
part of the ensemble of standard RFC options.
ACL
SHARED
SERVER OPTION OPTION OPTION
NETWORK
GROUP
STATIC OPTION
In the above configuration plan, the DHCP server options and maximum lease time have been
defined to the DHCP server globally; these two options are propagated to the scope and the
range.
431
Configuring DHCP Options
You might also observe that the default router has been configured both in the DHCP scope and
range. Only, in this case, the default router defined by the range is taken into account.
When it comes to DHCPv6, the options configuration of EfficientIP DHCP servers is roughly the
same, you can configure options at server and scope level that should propagate to the lower
levels.You can also set options at group level or directly on a specific static reservation. However,
it is not possible to set DHCP options to a range or a lease.
The options setting apply to a DHCP client according to a defined precedence. Options are
arranged into a hierarchy in order to respect the following ranking:
• An option set at ACL level overrides all other options.
• An option set at static level overrides options at the following levels: group, range, scope and
server.
• An option set at group level overrides options at scope and server level.
• An option set at range level overrides options at scope and server level.
• An option set at scope level overrides options at server level.
• An option set at server level is overridden by all other options.
Options can be indifferently applied to the DHCP objects. However the application of options on
this hierarchy depends on the technical constraints of the devices of your network: the
devices/clients connected to the network can have an impact on the configuration efficiency.
Basically, the options should be configured by starting from the top of the DHCP tree hierarchy
(server) in order not to configure the same options over and over again on each object. Usually
options specified at server level are global or applied for a default setup. Everything that was set
at server level propagates onto the lower objects, therefore you can configure a common set of
options and then add other options to the other objects to match clients needs. If you do not
configure the same options repeatedly to several objects, your DHCP configuration is simpler to
manage.
The vendors' DHCP servers that SOLIDserver can manage do not share the same internal archi-
tecture and cannot be managed in the same way. For instance, contrary to EfficientIP DHCP
server, Microsoft DHCP server does not support the configuration of options at range level. Be-
sides, only the options identified by a number are supported by the Microsoft DHCP service.
432
Configuring DHCP Options
7. Click on OK to complete the operation. The report opens and closes. The modifications are
visible in the panel.
Note that you can aggregate range and static options on scopes. For more details, refer to the
Aggregating DHCP Options from Ranges or Statics.
If the space name you chose does not exist, it is created. If you do not you specify anything,
the default space dhcp is used.
10. In the field Option code, enter an option code. This code is a number between 1 and 255.
Keep in mind that if you are creating a code within the dhcp space, you must define a code
greater than 128. The option codes included between 1 and 128 are usually reserved: using
a code included in that range of numbers would overwrite existing options.
433
Configuring DHCP Options
11. In the drop-down list Parameter counter, select the number of parameters you want to set
for that option. You can select up to 6 parameters with the corresponding number of fields
appearing.
12. In the drop-down list Parameter <number>, you have to choose one of the parameters below:
Keep in mind that the encapsulated options' type is binary but equivalent to the text format.
Its value is set in hexadecimal and looks as follows: \x01\xA2\x45\x12.
If you selected more than one Parameter counter, you need to repeat this step for each one
them.
13. In the drop-down list Type is array, select one of the values below.
14. The field Type sums up the selected parameters. Each letter that appears in this field corres-
ponds to a parameter. For instance, if you specify an array of IP addresses the type should
be IA, if you specify an array of repeated addresses plus a boolean the type should be IfA.
15. Click on OK to complete the operation. The report opens and closes. The option is listed.
With DHCPv6, you also have the possibility to add custom options. However, there are fewer
parameters available.
434
Configuring DHCP Options
If the space name you chose does not exist, it is created. If you do not you specify anything,
the default space dhcp6 is used.
10. In the field Option code, enter an option code. This is a number from 1 to 255.
If you are creating a code within the dhcp space, you must define a code greater than 128.
The option codes included between 1 and 128 are usually reserved: using a code included
in that range of numbers would overwrite existing options.
11. In the drop-down list Parameter counter, select the number of parameters you want to set
for that option. You can select up to 6 parameters with the corresponding number of fields
appearing. In each drop-down list, you have to choose one of the parameters below:
12. For each parameter, one or several boxes are available. Tick the boxes of your choice:
13. The Type field sums up the selected parameters. Each letter that appears in this field corres-
ponds to a parameter. For instance, if you specify an array of IP addresses the type should
be IA, if you specify an array of repeated addresses plus a boolean the type should be IfA.
14. Click on OK to complete the operation. The report opens and closes. The option is listed.
435
Configuring DHCP Options
With DHCPv6, the RFC 3315 defines the Vendor-specific Information Option. SOLIDserver
provides it through the option dhcp6.vendor-opts (option 17) in the list All option definitions.
By combining the GIADDR and the circuit ID, a network wide unique string can be created. This
string can be used for table lookup in the DHCP server. We called this string a pseudo MAC ad-
dress, since most DHCP servers do a MAC to IP mapping in their databases.
In its default configuration, the DHCP Relay Agent Information option passes along port and
agent information to SOLIDserver DHCP server. It is useful in statistical analysis, as well as, in-
dicating where an assigned IP address physically connects to the network. It may also be used
to make DHCP decisions based on where the request is coming from or even which user is
making the request.
The following actions should be performed by the SOLIDserver DHCP when receiving a DHCP-
DISCOVER or DHCPREQUEST message with Option 82 set:
1. Relay Agent Information option is inserted by the DHCP relay agent when forwarding client-
originated DHCP packets to a DHCP server.
436
Configuring DHCP Options
2. Relay Agent Information option is inserted by the DHCP relay agent when forwarding client-
originated DHCP packets to a DHCP server.
3. Servers recognizing the Relay Agent Information option may use the information to select the
IP address or other parameter assignment policies through the SOLIDserver ACL.
4. Switch or Router (as the DHCP relay agent) intercepting the DHCP requests, appends the
circuit ID with remote ID into the option 82 fields and forwards the request message to
SOLIDserver DHCP server.
The following procedure explains how to create an ACL rule allowing to restrict the IPv4 address
range to select or to send specific DHCP options according to the option 82 sent to the SOLID-
server DHCP server.
To create an ACL based on the option 82: Circuit ID within the leases user interface
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the column Name, click on the server or smart architecture of your choice to display the
scopes it contains.
4. In the breadcrumb on the right of All servers, click on to display additional pages.
5. Click on All ACLs. The page refreshes.
6. In the menu, click on Add. The wizard DHCP ACL parameters opens.
7. In the field ACL name, name your ACL.
8. In the drop-down list Predefined ACL, select None.
9. In the field ACL rule, type in the command below.
match if (substring(option agent.remote-id,0,6) = "dslam1");
It sets up an ACL that filters the DHCP option 82 as long as the first letters of the client's
remote-id match dslam1. You can set the keyword of your choice instead.
10. Click on OK to complete the operation. The report opens and closes. The ACL is listed.
Once the ACL is created, you can apply it to a DHCPv4 range to allow or restrict the access to
all clients that match this ACL rule. ACL can also be used to send specific DHCP options to the
clients that match this ACL rule. Edit the properties of the ACL to setup its DHCP option policies.
The equivalent of the option 82 relay agent would be the DHCPv6 option 9 (relay message option)
and the option 47 (relay data option).
437
Configuring DHCP Options
By default, when you add a DHCP smart architecture or an EfficientIP DHCP server, the option
43 is created. This default option cannot be edited.
Within SOLIDserver, the vendor-specific information is stored in an ACL. Any client matching the
vendor information is attributed a set of options that you can configure through option definitions.
To properly setup option 43 on a DHCPv4 server in the GUI you need to:
1. Retrieve the vendor-class identifier from the DHCP handshake.
2. Create a new ACL that contains the vendor-class identifier.
3. Create as many DHCP option definitions as needed using the ACL as option space.
4. Configure the server ACL DHCP options to:
a. Set the Vendor option space that triggers the option 43 behavior on all the clients matching
the vendor-class identifier.
b. Set the value of your choice on all the option definitions you created.
Once the configuration is complete, the clients matching the vendor-class identifier are automat-
ically attributed the option definitions specified.
438
Configuring DHCP Options
To create a DHCP option definition that uses the ACL value as option space
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All option definitions. The page refreshes.
4. In the menu, click on Add. The wizard DHCP Option Definition opens.
5. In the list DHCP server, select the DHCPv4 server for which you configured the ACL.
6. Click on NEXT . The page DHCP option definition opens.
7. Configure the option. The accepted code, parameter counter, and type should be mentioned
in your device documentation.
a. In the field Option name, name your option.
b. In the field Option space, type in the ACL name.
c. In the field Option code, type in a code following your device documentation.
d. In the drop-down list Parameter counter, select a value following your device document-
ation.
e. In the drop-down list Parameter 1, select a value following your device documentation.
f. In the drop-down list Type is array, select one of the values below.
8. Click on OK to complete the operation. The report opens and closes. The option is listed as
follows: <option-space-name>.<option-name>.
Repeat this procedure for as many option definitions as needed: each definition creates a field
in the DHCP options configuration wizard which value you can set in the procedure below.
439
Configuring DHCP Options
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
440
Chapter 31. Configuring DHCPv6 Prefix
Delegation
DHCPv6 prefix delegation allows to delimit a number of IPv6 addresses, a delegation range, that
you distribute using a specific prefix and deliver independently.The Customer Premises Equipment
(CPE) can then use it to allocate addresses to their clients.
a 2001:db8:0:1::42
:456
abc: 64
abc::456a 2001:db8:0:1:: /64
1:: /
8:0: 2001:db8:0:1::1
dhcp.mycorp.com 00 1:db
2 2001:db8:0:1::a
abc::456b
This replaces the need for Network Address Translation (NAT) in an IPv6 network and is widely
required when implementing IPv6 network. DHCPv6 prefix delegation is currently detailed in the
RFC 3633 available on IETF website at https://tools.ietf.org/html/rfc3633.
Prerequisites
• Defining the delegation range. You must set the start address and end addresses to define
the number of IP addresses available for prefix delegation.
• Specifying a shared network that corresponds to one or more scopes. Any scope included in
a shared network can use any of the prefix delegations configured.
• Specifying a prefix that
Thesets
router the sizeanof
requests the IP address segments delegated between the start
IP address
and end IP addresses. The router requests a prefix to delegate
Specificities
• DHCPv6 prefix delegations are compatible with DHCP relay mechanisms.
• You cannot delete DHCPv6 prefix delegations if they are associated with scope(s).
• Once a DHCPv6 prefix delegation is associated with a scope, you cannot edit the scope if it
belongs to a shared network.
Limitations
• As described in RFC 8156, DHCP prefix delegations are not compatible with DHCPv6 failover
mechanisms since they are not yet implemented in DHCPd 4.3 nor 4.4. For more details, refer
to the RFC available on IETF website at https://tools.ietf.org/html/rfc8156.
441
Configuring DHCPv6 Prefix
Delegation
• You cannot configure IPv6 prefix delegations on Split-scope smart architectures. Note that, on
SOLIDserver, it is not possible to display the leases allocated within the delegation.
• You cannot edit DHCPv6 prefix delegations.
• You cannot specify a start address and end address that match existing DHCP ranges on the
page All ranges of the server.
Note that, on SOLIDserver, it is not possible to display the leases allocated within the delegation.
442
Configuring DHCPv6 Prefix
Delegation
5. In the menu, click on Add. The wizard Add a prefix delegation opens.
6. In the drop-down list DHCP server, select the DHCP server or smart architecture of your
choice.
7. Click on NEXT . The next page opens.
8. In the field Start address, type in the first IPv6 address of the prefix delegation range.
9. In the field End address, type in the last IPv6 address of the prefix delegation range.
10. In the field Prefix, type in the prefix to delegate. It defines the size of network segments to
delegate.
The number of segments depends on the number of IP addresses in the delegation range.
The total number of IP addresses contained in all the segments is inferior or equal to the
number of IP addresses contained in the range you specified in the fields above.
11. In the field Shared network, type in the name of a shared network. The field auto-completes.
Note that for every scope without selecting an existing shared network, one is automatically
created anyway. So you may already have shared network available, they are named after
the scope start_address/prefix.
This field is not displayed if you selected a shared network in the breadcrumb.
12. Click on OK to launch the wizard. The report opens and closes. The prefix delegation is listed.
On the properties page of the scope, the prefix delegation is listed in the panel Related
prefix delegations.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
443
Chapter 32. Monitoring and Reporting
DHCP Data
SOLIDserver provides tools dedicated to monitoring DHCP servers and generating reports. Note
that these tools only apply to DHCP objects managing IPv4 addressing:
• The alerts that you can set on the DHCP pages allow to customize your monitoring. For more
details, refer to the chapter Managing Alerts.
• A set of statistics are available in dedicated panels of the properties page of DHCP servers,
as detailed in the section Monitoring DHCP Servers from their Properties Page.
• A set of data sampling analytics are available on the page Analytics, as detailed in the section
Monitoring DHCP Servers from the Page Analytics.
• A set of rules allow to monitor your servers, as detailed in the section Monitoring DHCP
Servers Using Rules.
• A number of reports on IPv4 servers and scopes are available, as detailed in the section
Generating DHCP Reports.
Displays all the latest changes performed on the server by the user logged in.
Note that the server analytics panel and lease statistics panel display data retrieved using SNMP,
therefore, the graphs are empty if the SNMP is not configured properly. To edit the SNMP para-
meters of an EfficientIP DHCP server, refer to the section Editing the SNMP Monitoring Parameters
of an EfficientIP DHCP Server.
Keep in mind that you can zoom in and out of the charts or decide the period and data to display.
For more details, refer to the section Charts.
444
Monitoring and Reporting DHCP
Data
Once the panel is open, you can use the buttons under the chart to: move back or forward
the start time displayed; zoom in and out ; refresh the data .The drop-down list allows
to restrict or expand the period of time displayed: Last 3 hours (selected by default), Current
hour, Day, Week, Month, Year.
Once the panel is open, you can use the buttons under the chart to: move back or forward
the start time displayed; zoom in and out ; refresh the data .The drop-down list allows
to restrict or expand the period of time displayed: Last 3 hours (selected by default), Current
hour, Day, Week, Month, Year.
By default, on a smart architecture properties page, statistics panels are displayed for maximum
ten physical servers. For more details, refer to the section Setting the number of DHCP server
statistics panels to display.
Each occurrence specifies the Date and time it occurred, the Service used, the User perform-
ing the operation and the server basic information: DHCP name, DHCP type and Architecture
if relevant.
By default, it lists the changes carried out by the user logged in, but if they belong to a group
with access to the changes from all users, the panel displays all the operations ever per-
formed. For more details, refer to the section Allowing Users to Display All the Operations
Performed.
445
Monitoring and Reporting DHCP
Data
• The number of panels you set applies to the properties page of DHCP and DNS smart archi-
tectures.
To set the number of server statistics panels to display on the properties page of
a smart
The analytics functionality is enabled by default and samples the DHCP messages over specific
periods of time. By default, it offers 5-minute samples. To set a shorter or larger periodicity, refer
to the section Configuring the Analytics Retrieval.
Limitations
• The analytics are only available for EfficientIP DHCP servers.
• Only the first 50 entries matching the selected data are listed. Therefore, if during the selected
period of time, 100 pieces of information are identical, the GUI only displays the first 50.
• You might slow your appliance down if you edit the purge mechanism to include more lines or
keep data longer than the default 30 days.
Each sample compares data retrieved over a specific periodicity, a limited period of time, that is
set by default to a sample time of 5 minutes. You can edit the sampling period following the pro-
cedure in the section Configuring the Periodicity.
446
Monitoring and Reporting DHCP
Data
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on Analytics. The page refreshes.
4. To only display the analytics of a specific physical server, in the column Server, click on the
name of your choice. The server name is displayed in the breadcrumb and only its data is
returned.
Each column provides and compares message information over the specified sample time.
For instance, the number of DISCOVER messages for a specific IP address during a 5-
minute period.
Total ratio The percentage of Number of hits compared with the Total messages for the selected
period. This column is displayed for all analytics.
For instance, the percentage that represents the DISCOVER messages of a specific IP
address compared with all the DISCOVER messages in the logs during a 5-minute period.
447
Monitoring and Reporting DHCP
Data
You can edit the sample time following the procedure in the section Configuring the Periodicity.
448
Monitoring and Reporting DHCP
Data
Statistic Description
Top 50 DECLINE (MAC) The top 50 clients who sent the most DHCPDECLINE messages during
the configured Period. These clients are identified using their MAC ad-
dress.
Top 50 DECLINE (IP) The top 50 clients who sent the most DHCPDECLINE messages during
the configured Period. These clients are identified using their IP address.
Top 50 INFORM (IP) The top 50 clients who sent the most DHCPINFORM messages during
the configured Period. These clients are identified using their IP address.
Top 50 ABANDONED LEASES (IP) The top 50 clients whose lease was abandoned during the configured
Period. These clients are identified using their IP address.
Top 50 RELAY The top 50 most used DHCP relay agents during the configured Period.
These relay agents are identified using their IP address.
Top 50 "Peer holds all free leases" The top 50 DHCP relay agents on which the failover channel refused
leases during the configured Period. These relay agents are identified
using their IP address.
Top 50 "Unknown network segment" The top 50 clients who received unknown network segment messages
during the configured Period. These clients are identified using their IP
address.
Top 50 "Unknown subnet" The top 50 clients who received message unknown subnet messages
during the configured Period. These clients are identified using their IP
address.
Message types All the messages sent and received by the DHCP server during the con-
figured Period. All messages are identified using their type.
On the page Analytics, the box Automatic refresh allows to automatically refresh the page display
every 60 seconds. You can edit this frequency via a registry database key.
By default, the data sampling compares the DHCP messages over a periodicity of 5 minutes. On
the page Analytics, the sample time is specified in the column Period.
449
Monitoring and Reporting DHCP
Data
You can configure a shorter or larger periodicity on each physical server individually.
Note that no matter the periodicity, the data is available on the page at a frequency specified
through the rule 381. To edit that rule, refer to the section Configuring the DHCP Analytics Re-
trieval Frequency.
The frequency to which the analytics are displayed on the page Analytics is set by the rule 381,
Retrieval of the DHCP analytics data. By default, every 5 minutes it displays the data comparison
results for messages sampled during 1, 5, 10 or 15 minutes, depending on the configured peri-
odicity.
No matter the periodicity you set on the physical server, the data is available in the GUI depending
on the rule configuration.
To edit the rule 381 that sets the DHCP analytics data retrieval
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 381 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. This field is required.
7. In the field Comment, you can insert, edit or delete the rule comment. This field is optional.
8. Click on NEXT . The page Rule filters opens.
9. Edit the drop-down lists according to your needs.
450
Monitoring and Reporting DHCP
Data
10. Click on OK to complete the operation. The page refreshes, the properties page is visible
again.
You can configure the purge mechanism of the analytics retrieval. By default, it is based on:
• The data age. The rule 383, Configuration of the DHCP analytics purge, deletes data older
than 30 days. You can set it to delete data earlier or later.
• A line count. A registry key deletes data if the analytics database exceeds 100,000 lines, each
analytic can reach that many lines. You can set a lower or higher threshold.
As both thresholds work together, once the number of days or the number of lines is met, the
unwanted data is deleted.
No matter the way you want to purge your database, keep in mind that if you set very high
thresholds, you may slow down your appliance because the database contains too much
information.
451
Monitoring and Reporting DHCP
Data
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, click on Add. The wizard Registry database Add an item opens.
4. In the field Name, type in dhcp.stats.limit.
5. In the field Value, specify the number of lines of your choice, above that value the data is
purged. By default, it is set to 100000.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the key is listed.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
In the following procedures, we are going to configure a monitoring process to add the rules 105
and 082 that respectively check DHCP scope/range usage and send an alert if a DHCP scope
is full.
Before using the monitoring rules, make sure the server is responding.
To add the rule 105 that checks scopes and ranges usage
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select DHCP.
5. In the drop-down list Event, select Execution of a scheduled rule.
6. In the list Rule, select (105) Check DHCP scope/range usage.
452
Monitoring and Reporting DHCP
Data
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can type in a comment if you want.
9. Click on NEXT . The page Rule filters opens.
10. Set the schedule parameters:
Once the rule 105 is added, add the rule 082. Make sure the SNMP service is configured properly.
For more details, refer to the section Managing the SNMP Service.
To add the rule 082 that sends an alert when a scope is full
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select DHCP.
5. In the drop-down list Event, select Event.
6. In the list Rule, select (082) Send an alert if a DHCP scope is full.
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can type in a comment if need be.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.
11. To be notified via SNMP trap:
a. In the field IP address of the SNMP trap, type in the IP address of the appliance that
should receive the SNMP trap.
b. In the field SNMP trap community, type in the community string for this trap. By default
it is ness.
12. To be notified via email, in the field Send a mail to, type in the email address that should
receive the notification.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.
Thanks to these two rules, if scopes from your DHCP servers exceed the percentage of usage
specified in the rule 105, you are automatically notified via email and/or SNMP trap.
Besides, you can display DHCP scope/range usage, in the panel State log of the scope properties
page.
453
Monitoring and Reporting DHCP
Data
For more details regarding the reports and their generation, refer to the section Managing Reports.
454
Part VII. DNS
The Domain Name System (DNS) is a hierarchical distributed naming system which main function is to
convert an IP address into an intelligible domain name (name resolution) or a domain name into an IP address
(reverse resolution). The DNS namespace can be seen as a reversed tree of domains managed by zones.
At the root of the structure, the highest zone is represented by a silent dot ( . ) followed, in order, by the Top-
Level Domains (TLDs) and the Second-Level Domains (SLDs). The TLDs are divided into generic TLDs
(gTLD) like .com, .org, .net and country code TLDs (ccTLD) like .us, .fr or .uk . The whole access path to a
domain reads from right to left: SLD.TLD .
At the top of the reverse tree, there are 13 root servers listed alphabetically from A to M and spread out
worldwide. They all gather the same information regarding the TLDs and, to avoid being saturated by
queries, they delegate names and IP addresses to accredited registrars.
In theory, a client that wants to access a web page would have to follow the whole hierarchy from the root
down to the sub-domain. For that reason, DNS servers offer a combination of authoritative, recursive or
cache functionalities.
Note that from the module Dashboards, you can gather gadgets and charts on DNS dashboard to monitor
the module data or set up custom shortcuts and search engines. For more details, refer to the part Dash-
boards.
Table of Contents
33. Deploying DNS Smart Architectures .......................................................................... 460
Master/Slave Smart Architecture ............................................................................ 460
Multi-Master Smart Architecture ............................................................................. 461
Stealth Smart Architecture ..................................................................................... 462
Single-Server Smart Architecture ........................................................................... 462
Farm Smart Architecture ........................................................................................ 463
34. Managing DNS Smart Architectures .......................................................................... 464
Browsing DNS Smart Architectures ........................................................................ 464
Adding a DNS Smart Architecture .......................................................................... 465
Editing a DNS Smart Architecture .......................................................................... 476
Handling the Status Locked Synchronization ........................................................... 481
Exporting DNS Smart Architectures ....................................................................... 482
Deleting a DNS Smart Architecture ........................................................................ 482
Defining a DNS Smart Architecture as a Group Resource ........................................ 483
35. Managing DNS Servers ............................................................................................ 484
Browsing DNS Servers .......................................................................................... 485
Managing EfficientIP DNS Servers ......................................................................... 486
Managing Agentless Microsoft DNS Servers ........................................................... 490
Managing BIND DNS Servers on Linux ................................................................... 493
Managing Generic DNS Servers ............................................................................ 502
Managing Nominum ANS Servers .......................................................................... 503
Managing Amazon Route 53 Servers ..................................................................... 505
Synchronizing DNS Servers ................................................................................... 513
Editing DNS Servers ............................................................................................. 513
Securing the Management of DNS Servers Using a TSIG Key ................................. 514
Exporting DNS Servers ......................................................................................... 515
Deleting DNS Servers ........................................................................................... 515
Defining a DNS Server as a Group Resource .......................................................... 516
36. Configuring DNS Servers ......................................................................................... 517
Configuring DNS Forwarding at Server Level .......................................................... 517
Configuring DNS Recursion at Server Level ............................................................ 519
Configuring DNS Notify Messages at Server Level .................................................. 522
Restricting DNS Queries at Server Level ................................................................ 523
Limiting Zone Transfers at Server Level .................................................................. 526
Configuring a Blackhole ......................................................................................... 527
Configuring Client Resolver Cache Options at Server Level ..................................... 528
Configuring EDNS Options at Server Level ............................................................. 529
Improving the Server Performance ......................................................................... 530
Configuring a Sortlist at Server Level ...................................................................... 530
Limiting the Number of Responses of a Server ........................................................ 531
Configuring DNS64 ............................................................................................... 533
Configuring DNS Sources at Server Level ............................................................... 537
dynamic update on a server ................................................................................... 540
Configuring Access Control Lists for a Server ......................................................... 542
Configuring DNS Keys ........................................................................................... 543
Including Non-Supported DNS Settings .................................................................. 545
Configuring Anycast DNS ...................................................................................... 545
Integrating Cisco Umbrella ..................................................................................... 558
Forwarding the Client IP Address ........................................................................... 560
37. Managing DNS Views .............................................................................................. 563
Browsing DNS Views ............................................................................................. 563
457
DNS
458
DNS
459
Chapter 33. Deploying DNS Smart
Architectures
The current approach of DNS service management is mainly limited at the single server manage-
ment level, restricting service configuration and management with a server per server approach
even if it is performed from a centralized platform. This approach is insufficient to ensure service
reliability, security and easiness of management. It could weaken your DNS architecture because:
• Increases the risk of misconfigurations.
• No Best Practices enforcement to ensure the high security of the network services architecture.
• No automation of architecture deployment and management.
• Difficult and risky architecture changes.
Indeed, even if the configuration has been simplified with the GUI, it is still complex, expensive
and requires experts to deploy and configure all servers in coherent architectures of DNS-DHCP
services. The smart architecture is a new approach to DNS services management to drastically
simplify deployment and administration of your network service.Thanks to the smart architecture,
SOLIDserver offers the capability of managing your DNS services not only at server level but at
the architecture level.
The smart architecture offers a library of DNS architectures that are ready to apply on a set of
servers. All the DNS smart architectures designed for more than one server can contain
several Master servers. This sets up an even more secure environment: if one Master server
crashes or stops responding, the other one takes over and ensures service availability.
Smart architecture supports EfficientIP SOLIDserver servers and legacy DNS servers such as:
• Microsoft Windows Server DNS.
• ISC BIND9.
• Nominum ANS.
Smart architecture allows managing other DNS servers supporting DDNS (RFC2136) with the
single ability of updating the domains and not the server configuration or the zone configuration.
In that way, the server configuration and the zone configuration must be done locally on the
server. This configuration is useful when you are only allowed to update zones on a DNS partner.
460
Deploying DNS Smart Architectures
master DNS obtains the zone data locally as opposed to a slave DNS, which obtains its zone
data via a zone transfer operation from the master DNS.
DNS
Master
DNS DNS
Slave Slave
DNS
Master
DNS DNS
Master Master
With the smart architecture, updating a DNS server can be done from the management console,
from a DHCP allocation or from Microsoft DNS clients that update themselves their names by
using the Dynamic DNS (DDNS) mechanism:
• When a Multi-Master smart architecture is updated from the management console, the config-
uration is automatically pushed toward all the DNS servers belonging to the smart architecture.
• When a DNS server receives a dynamic update from a DNS client, the Multi-Master smart ar-
chitecture replicates the update to all the DNS servers it manages. This replication is automatic
and does not require any manual operations.
• When a DHCP server offers a new IP address, the SOLIDserver IPAM appliance updates the
Multi-Master smart architecture and, consequently, all the DNS servers it manages.
A primary DNS server is eliminated as a single point of failure. Traditional DNS replication is
single-master; it relies on a primary DNS server to update all the secondary servers. Unlike tra-
ditional DNS replication, Directory Server Replication is Multi-Master. Changes made to a zone
461
Deploying DNS Smart Architectures
can be replicated to one or more Directory Servers. Which is why we recommend that you refer
to your vendor information regarding the Directory Server used and its replication capabilities.
DNS Hidden
Master
The visible secondary DNS server contains only slave zones, which exposes it less to DNS attacks
as the real authoritative primary server is hidden. Zone transfers can be allowed from the second-
ary servers as required but they do not transfer or accept transfers from the stealth server.
One of the main advantages of this architecture is that the primary server can be offline for
maintenance without causing any interruption to DNS service within the expiration duration (30
days) set for the validity of its zone data.
462
Deploying DNS Smart Architectures
Single
DNS
This architecture is therefore a backup in itself. Moreover, managing a physical server through
a Single server architecture eases up any migration or change of architecture. If after a few
weeks, for instance, you want to set up a Master/Slave architecture, you can edit the smart archi-
tecture, change it to Master/Slave, add another physical server and define which one acts as a
master and which one as a slave.
DNS
Master
DNS
Slaves
The Farm architecture is especially useful for huge configurations where the use of load balancers
is necessary.
463
Chapter 34. Managing DNS Smart
Architectures
Once you chose the smart architecture(s) that suit your needs in the chapter Deploying DNS
Smart Architectures, you can manage them following the sections below.
In the column Name, all the smart architectures are preceded by the icon . They are listed with
the physical servers.
A set of panels on this page display all the query statistics of the server. For more details, refer
to the section Monitoring DNS Servers from their Properties Page.
Invalid settings The smart architecture does not contain any physical server or is missing one or
several.
Locked synchronization The server configuration is not viable. This status can be displayed on EfficientIP
DNS and EfficientIP DNS Package servers after importing a BIND archive file not
properly formed or containing non-supported BIND options. For more details, refer
to the section Handling the Status Locked Synchronization.
In addition, the column Sync provides additional information regarding the exchanges, synchron-
ization, between the smart architecture and the physical server(s).
464
Managing DNS Smart Architectures
Locked synchronization The synchronizing failed as the server configuration is not viable: the smart architec-
ture cannot send the configuration file to the physical server(s). For more details,
refer to the section Handling the Status Locked Synchronization.
There are five different kinds of smart architectures: Master/Slave, Multi Master, Stealth, Farm
and Single-Server. Keep in mind that every DNS smart architecture sets up an active/active
configuration. The smart architectures Farm, Master/Slave, Multi-Master and Stealth can
manage several Master servers. This sets up an even more secure environment: if one Master
server crashes or stops responding, the other one takes over and ensures service availability.
Once the configuration is completed, the DNS smart architecture is listed as a real server on the
page All servers, the column Type indicates the kind of smart architecture.
In the procedures below, we are going to describe the configuration of the DNS smart architectures
with the DNS servers they manage, but you can go through the configuration without adding any
server and do it later. For more details, refer to the part Adding a DNS Server into a Smart Archi-
tecture.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
465
Managing DNS Smart Architectures
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
DNS
Master
DNS DNS
Slave Slave
If you do not want to publish one or several name servers/load balancers or enable HSM for
this architecture, go to step 9.
9. If you want to publish one or several name servers/load balancers or enable HSM for this
architecture, tick the box Expert mode. The page reloads.
466
Managing DNS Smart Architectures
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
d. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
e. Click on NEXT . The page last page opens.
f. Tick the box Enable HSM to start signing Master zones managed by the smart architec-
ture using an HSM. For more details, refer to the chapter HSM.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (master/slave) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server's zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.
467
Managing DNS Smart Architectures
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
DNS
Master
DNS DNS
Master Master
If you do not want to configure any name server or load balancer for this architecture, go to
step 9.
468
Managing DNS Smart Architectures
9. If you want to publish one or several name servers or load balancers for this architecture,
tick the Expert mode box. The page reloads.
a. Click on NEXT . The page Advanced settings appears.
b. In the field NS record, type in the name server of your choice. It can also be the hostname
of an external load balancer.
c. Click on ADD . The name is moved to the Published name servers list. Note that the first
server in this list is used as MNAME value of the SOA for all the Master zones managed
by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
d. The field Compatible with a Hybrid DNS Engine is marked Yes.
e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
f. Click on NEXT . The page last page opens.
g. Tick the box Enable HSM to start signing Master zones managed by the smart architec-
ture using an HSM. For more details, refer to the chapter HSM.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (multi-master) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server's zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.
469
Managing DNS Smart Architectures
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
DNS Hidden
Master
470
Managing DNS Smart Architectures
master DNS server (slave server used as decoy). To remove the server from the field,
click on .
c. In the drop-down list Available DNS servers, select a slave server and click on + SLAVE .
The server is moved to the Slave DNS servers list. Repeat this action for as many slave
servers as needed. To remove a server from the list, select it and click on .
If you do not want to configure any name server or load balancer for this architecture, go to
step 10.
9. If you want to publish one or several name servers or load balancers for this architecture,
tick the Expert mode box. The page reloads.
a. Click on NEXT . The page Advanced settings appears.
b. In the field NS record, type in the name server of your choice. It can also be the hostname
of an external load balancer.
c. Click on ADD . The name is moved to the Published name servers list. Note that the first
server in this list is used as MNAME value of the SOA for all the Master zones managed
by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
d. The field Compatible with a Hybrid DNS Engine is marked Yes.
e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
f. Click on NEXT . The page last page opens.
g. Tick the box Enable HSM to start signing Master zones managed by the smart architec-
ture using an HSM. For more details, refer to the chapter HSM.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (stealth) in the column Type. To display or hide
the physical servers managed through the smart architecture click on on the right-end
side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server's zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.
471
Managing DNS Smart Architectures
2. In the menu, select Add > Server > DNS smart architecture. The wizard Add a DNS
server opens.
3. If you or your administrator created classes at server level, in the list DNS server class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
Single
DNS
472
Managing DNS Smart Architectures
b. Click on + MASTER . The server is moved to the Master DNS server(s) list. To remove a
server from the list, click on .
If you do not want to configure any name server or load balancer for this architecture, go to
step 9.
9. If you want to publish one or several name servers or load balancers for this architecture,
tick the Expert mode box. The page reloads.
a. Click on NEXT . The page Advanced settings appears.
b. In the field NS record, type in the name server of your choice. It can also be the hostname
of an external load balancer.
c. Click on ADD . The name is moved to the Published name servers list. Note that the first
server in this list is used as MNAME value of the SOA for all the Master zones managed
by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
d. The field Compatible with a Hybrid DNS Engine is marked Yes.
e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
f. Click on NEXT . The page last page opens.
g. Tick the box Enable HSM to start signing Master zones managed by the smart architec-
ture using an HSM. For more details, refer to the chapter HSM.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (single-server) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server's zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.
473
Managing DNS Smart Architectures
3. If you or your administrator created classes at server level, in the list DNS server class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
DNS
Master
DNS
Slaves
474
Managing DNS Smart Architectures
master servers if you want, in which case if one crashes the other takes over. To remove
a server from the list, select it and click on .
b. In the drop-down list Available DNS servers, select a slave server and click on + SLAVE .
The server is moved to the Slave DNS servers list. Repeat this action for as many slave
servers as needed. To remove a server from the list, select it and click on .
9. Click on NEXT . The page Advanced settings opens.
10. Finish the Farm configuration.
a. In the field NS record, type in the hostname of your external load balancer if need be.
It can also be a name server.
b. Click on ADD . The name is moved to the Published name servers list. Note that the first
server in this list is used as MNAME value of the SOA for all the Master zones managed
by this smart architecture.
Repeat these actions for as many load balancers or NS records as needed, every record
listed is saved in all zones and displayed on the page All RRs of each of the physical
servers managed by the smart architecture.
From now on, the DNS clients send their request to one or more load balancers that
redirect the requests to the least used server. Note that to run properly, your load balan-
cer must be configured to list all the DNS servers managed by the smart architecture
and should be manually updated if you change the list of physical servers managed by
the architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
11. If you want to display the Hybrid dedicated fields, tick the box Export mode.
a. The field Compatible with a Hybrid DNS Engine is marked Yes.
b. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
c. Click on NEXT . The page last page opens.
d. Tick the box Enable HSM to start signing Master zones managed by the smart architec-
ture using an HSM. For more details, refer to the chapter HSM.
12. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (farm) in the column Type. To display or hide
the physical servers managed through the smart architecture click on on the right-end
side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server's zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.
475
Managing DNS Smart Architectures
When you add one or more DNS servers into a smart architecture, the smart data is auto-
matically replicated from the architecture to the DNS servers it manages. So if the smart
architecture is empty (first use), the configuration file of the physical DNS server it manages is
completely overwritten.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the panel Main properties, click on EDIT . The wizard Edit a DNS server opens.
5. In the list DNS server type, make sure DNS smart architecture is selected.
6. Click on NEXT . The next page opens.
7. If need be, edit the smart architecture basic parameters according to the table below.
476
Managing DNS Smart Architectures
Field Description
Advanced properties Select Default or All. If Default is selected, only the fields/options that your ad-
ministrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
8. In the list DNS smart architecture, edit the type of DNS smart architecture if need be.
9. Click on NEXT . The page DNS servers role configuration opens.
10. In the drop-down list Available DNS servers, select the DNS server of your choice.
11. Define the role of the server, depending on the smart architecture click on + MASTER , + SLAVE
or + HIDDEN-MASTER , + PSEUDO-MASTER . The selected server is moved to the corresponding list.
You can remove a server from the list using . Repeat these actions for as many servers
as needed.
12. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
13. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Click on NEXT . The next page opens.
6. Click on NEXT . The page DNS servers role configuration opens.
7. Remove the server that must change role from the managed server(s). In the list of your
choice, select the server and click on . The server is moved back to the drop-down list
Available DNS servers.
8. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
477
Managing DNS Smart Architectures
9. Click on OK to complete the operation. The report opens and closes. If your smart architecture
is still managing physical servers, you can display or hide them using the button on the
right-end side of the menu.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Click on NEXT . The next page opens.
6. Click on NEXT . The page DNS servers role configuration opens.
7. Edit the server roles according to your needs:
a. Remove the server that must change role from the managed server(s). In the list of your
choice, select the server and click on . The server is moved back to the drop-down
list Available DNS servers.
b. Define the role of the server, depending on the smart architecture click on + MASTER ,
+ SLAVE or + HIDDEN-MASTER , + PSEUDO-MASTER . The selected server is moved to the corres-
ponding list. Repeat these actions for the other servers.
c. Repeat these actions for as many servers as needed.
8. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
9. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu. The column Role displays the server(s) new role.
478
Managing DNS Smart Architectures
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS server opens.
4. If you or your administrator created classes at server level, in the list DNS server class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the list DNS server type, make sure DNS smart architecture is selected.
6. Click on NEXT . The next page opens.
7. If need be, edit the smart architecture basic parameters according to the table below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
8. In the list DNS smart architecture, edit the type of your DNS smart architecture.
9. Click on NEXT . The page DNS servers role configuration opens.
10. Edit the server roles according to your needs:
a. Remove the server that must change role from the managed server(s). In the list of your
choice, select the server and click on . The server is moved back to the drop-down
list Available DNS servers.
b. Define the role of the server, depending on the smart architecture click on + MASTER ,
+ SLAVE or + HIDDEN-MASTER , + PSEUDO-MASTER . The selected server is moved to the corres-
ponding list. Repeat these actions for the other servers.
c. Repeat these actions for as many servers as needed.
479
Managing DNS Smart Architectures
a. In the field NS record, type in the hostname of your external load balancer if need be.
It can also be a name server.
b. Click on ADD . The name is moved to the Published name servers list. Note that the first
server in this list is used as MNAME value of the SOA for all the Master zones managed
by this smart architecture.
Repeat these actions for as many load balancers or NS records as needed, every record
listed is saved in all zones and displayed on the page All RRs of each of the physical
servers managed by the smart architecture.
From now on, the DNS clients send their request to one or more load balancers that
redirect the requests to the least used server. Note that to run properly, your load balan-
cer must be configured to list all the DNS servers managed by the smart architecture
and should be manually updated if you change the list of physical servers managed by
the architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
12. Click on OK to complete the operation. The report opens and closes. The page All servers
is visible again. The column Type displays your changes.
Keep in mind that once you converted a DNS server into a smart, it is no longer listed on the
page All servers. You have to add it again to be able to manage it, on its own or from a smart
architecture.
During the conversion, you can add DNS servers into the smart architecture. Considering that
you might want to manage the server you converted from the smart architecture, we recommend
converting the server and then editing the smart to add the servers as detailed in the section
Adding a DNS Server into a Smart Architecture.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the list DNS server type, select DNS smart architecture.
480
Managing DNS Smart Architectures
6. Click on NEXT to skip the server details. The next page opens.
7. In the field DNS smart architecture, select the architecture of your choice.
8. Click on NEXT until The last page opens.
a. For a conversion to Master/Slave, Stealth and Multi-Master smart architectures, you
can configure the Cloud settings and Expert mode.
b. For a conversion to Single-Server smart architecture, you can configure the Expert
mode.
c. For a conversion to Farm smart architecture, you can configure the Cloud settings.
For more details regarding the smart architecture configuration, refer to the section Adding
a DNS Smart Architecture.
9. Click on OK to complete the operation. The report opens and closes. In the column Type,
the server is now listed as a smart architecture.
Once the server is in Locked synchronization, the corrupted configuration file is automatically
stored locally on the appliance and available for download in the Local Files Listing. It is named
<server_name>-named.conf. We advice that you take a look at this file because after the first
found error, the check stops and returns the Locked synchronization status. So if there are sev-
481
Managing DNS Smart Architectures
eral errors, the status is returned over and over again until the file is conclusive and can be sent
to the physical server.
You can check for failure in the configuration file from the GUI or via CLI.
3. Use the following command to get a precise list of all the errors:
# /usr/local/nessy2/bin/named-checkconf /data1/exports/<server_name>-named.conf
4. Adjust identified statements, once the check runs again, the Locked Synchronization status
disappears if you now have a valid configuration.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
482
Managing DNS Smart Architectures
Granting access to a smart architecture as a resource also makes every physical server it contains
available. For more details, refer to the section Assigning Resources to a Group in the chapter
Managing Groups.
483
Chapter 35. Managing DNS Servers
The server is the highest level of the DNS hierarchy. It allows to resolve host queries and access
specific areas of a network, as server can be:
• Authoritative: A server that has authority over a number of domain names and can delegate
them.
• Recursive: A server that might contain information, if not it directs the querying host toward
the relevant DNS server to solve the query.
• Cache: A server that retrieves information (query results) and keeps it saved in order not to
have to query the same information over and over again.
You can create and manage 6 different types of servers: Efficient IP DNS, Efficient IP DNS
Package Microsoft DNS (including via AD), Nominum ANS, Generic DNS and Amazon Route
53. You can manage them independently or via a smart architecture. For more details, refer to
the chapters Deploying DNS Smart Architectures and Managing DNS Smart Architectures.
In theory, when a host wishes to access a particular domain, a website for instance, a query is
sent to a DNS server that processes the resolution as follows:
1. The DNS client host sends a sequence of queries through a resolver to a recursive DNS
server;
2. The recursive server contacts the authoritative servers of the root domain. One of them returns
the IP address (an NS record) of the server that has authority over the concerned TLD;
3. The recursive server uses the IP address to connect to the TLD authoritative server and obtain
the IP address of the server that has authority over the zone;
4. The recursive server uses the IP address to connect to the zone authoritative server and obtain
the queried results;
5. The recursive server sends the results back to the DNS client.
.
Root Iterative
Server
.com
1 TLD Iterative
3 Server
5
.efficientip.com
Domain Iterative
Server
Obviously, such a mechanism would saturate the root zone, which is why a server can combine
recursive, cache and or authoritative functionalities.
484
Managing DNS Servers
DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE
A set of panels on this page display all query statistics of the server, including RPZ queries if you
configure it with RPZ zones. For more details, refer to the section Monitoring DNS Servers from
their Properties Page. If you enabled the service DNS Guardian, this page also contains a set of
charts dedicated to DNS Guardian data. For more details, refer to the part Guardian.
485
Managing DNS Servers
Timeout The server does not answer anymore due to a scheduled configuration of the server.
License The license used in SOLIDserver is not compliant with the added server: the license
is invalid.
Invalid credentials The SSL credentials are invalid or the server is already managed by another appliance
and you need to specify your credentials again. For more details, refer to the section
Editing DNS Servers.
If the appliance database is encrypted, it may be that the Active key is missing. For
more details, refer to the section Troubleshooting the Database Encryption of the
chapter Securing.
Syntax error The server configuration could not be parsed properly.
Invalid settings There was a setting error during the server declaration. For instance, some settings
were added to a server that does not support them or a smart architecture is not
managing any physical server.
Invalid time The server editions performed from the GUI are not pushed to the server because
SOLIDserver time and date are incorrect. To correct the time and date refer to the
chapter Configuring the Time and Date. In addition, if you are managing Amazon
Route 53 servers, you must ensure the appliance time zone is UTC, for more details
refer to the section Configuring the User Display Settings.
Insufficient privileges The provided account does not have sufficient privileges to remotely manage the
MS server.
Unmanaged The server is not available due to a disabling operation.
Invalid resolver SOLIDserver cannot resolve the AWS DNS service. The Amazon services are un-
reachable and the Amazon Route 53 server cannot be managed. Make sure that
the DNS resolvers declared on the page Network configuration are valid.
Unknown The server is not synchronized yet.
Locked synchronization The server configuration is not viable. This status can be displayed on EfficientIP
DNS and EfficientIP DNS Package servers after importing a BIND archive file not
properly formed or containing non-supported BIND options. For more details, refer
to the section Handling the Status Locked Synchronization.
Note that the column Sync changes in accordance with the column Status. While the server
synchronization is not OK yet, the column Sync might be Busy; it can also be in Locked
synchronization.
The column Multi-status provides you with emergency, warning, critical, error or informational
messages regarding the server compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.
486
Managing DNS Servers
• Delete EfficientIP DNS servers. For more details, refer to the section Deleting DNS Servers.
• Configure EfficientIP DNS servers. For more details, refer to the chapter Configuring DNS
Servers.
Before managing a new server, make sure that the DNS service is correctly started. For
more details, refer to the chapter Configuring the Services.
Besides, DNS clients must be able to resolve this name when they query the server, so in each
zone you must either create an A record or glue records to ensure that they can.
• Only reachable servers can be added, each server must be up and running when you add
it.
• The SNMP protocol is no longer supported as managing protocol for a server. Therefore:
• You can no longer add a DNS server managed via SNMP.
• EfficientIP DNS servers prior to version 4.0.x are no longer supported.
• Your existing servers in version 4.0.x or prior, migrated to 7.0, are still managed via SNMP
and listed in the GUI. However, the management of these servers is not detailed in this guide.
For more details, refer to the guide SOLIDserver-Administrator-Guide-5.0.4.pdf .
• SSL is used to manage a server while SNMP is used to monitor it. Therefore:
• If you manage a DNS server in version 4.0.x legacy, editing it automatically changes the
management protocol to use SSL instead of SNMP. This operation is non-reversible.
• You can configure the SNMP monitoring parameters of the server. For more details, refer
to the section Editing the SNMP Monitoring Parameters of an EfficientIP DHCP Server.
• When you add a server, a random password is generated to secure the communication between
the appliance and the server. The default SSH credentials of the account admin are no longer
used to manage the server but to generate this random password.
For servers added before the upgrade to version 7.0, switching to this new management system
is not automatic. You need to edit the servers. For more details, refer to the section Editing
DNS Servers.
• By default, EfficientIP DNS servers embed a hint zone that gathers the IP of all 13 root servers.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the following fields to set up the basic server configuration:
487
Managing DNS Servers
5. If you have changed the default SSH password of the appliance embedding the DNS server,
tick the box Configure enrollment parameters.The field "Admin" account password appears,
it contains the default admin account password.
8. Tick the box Enable HSM to start signing Master zones managed by the server using an
HSM. For more details, refer to the chapter HSM.
9. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
1
The SNMP protocol parameters are used to monitor and retrieve the server statistics.
488
Managing DNS Servers
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
10. Click on OK to complete the operation. The report opens and closes. The server is listed.
The server might appear Busy in the column Status. It changes to OK after a while.
During the first DNS server addition, the allow-transfer option is by default configured
with the ACL admin. Within SOLIDserver admin corresponds to any, so you might need to
change the ACL and restrict the option use as it is inherited by the server zones. For more
details, refer to the chapter Limiting Zone Transfers at Server Level.
Once added, you can edit your server to secure its data exchanges with SOLIDserver. For more
details, refer to the section Securing the Management of DNS Servers Using a TSIG Key.
The SNMP protocol is no longer supported as managing protocol for a server. If you want
to edit the SNMP parameters of a legacy server managed via SNMP, refer to the guide SOLID-
2
server-Administrator-Guide-5.0.4.pdf available on our website .
489
Managing DNS Servers
6. In the drop-down list SNMP profile, choose a profile using the same version of the SNMP
protocol as the one you selected in the field SNMP version.
If you created SNMP profiles, you can choose one of your profiles. They are listed only if
they use the same version of the SNMP protocol as the one you selected on the previous
page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with. For more details, refer to the section Managing SNMP Profiles.
7. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
You can reproduce the Microsoft Multi-Master behavior with the smart architecture Multi-
Master. This architecture supports Microsoft DNS server, SOLIDserver DNS, BIND server and
Nominum's ANS server as well. For more details, refer to the section Multi-Master Smart Archi-
tecture.
Once you manage a server, you can also manage its parameters, zones and records.
The management of Microsoft DNS servers is based on Microsoft Remote Procedure Calls (MS
RPC) and allows to retrieve and display data is real-time and avoid installing any WinDHCP
agent. Microsoft DNS servers with agent are not supported.
Prerequisites
• A Microsoft Window Server 2008, 2008 R2, 2012 R2, 2016 or 2019. The server must:
• Have the TCP ports 135 and 445 open. They are used by the port mapper interface, the
services that indicates to the clients which port provides access to each service.
• Have Firewall policies that allow traffic between SOLIDserver and the Microsoft servers it
manages.
• In Windows Server, RPC uses by default the dynamic port range 49152-65535. Note that
you can reduce the number of available ports, as long as you respect the minimum number
3
of ports required in the range, which is 255, via the netsh tool .
• The credentials of a member of the groups DnsAdmins and Domain Admins. Users with insuf-
ficient privileges cannot manage the server.
• The service DNS is properly started. For more details, refer to the chapter Configuring the
Services.
• The zones of the MS Agentless DNS server must allow the server management IP address in
their statement allow-transfer.
Limitations
The management of Microsoft DNS servers within SOLIDserver has some limitations. For more
details regarding the Microsoft limitations, refer to their documentation.
3
For information, refer to http://support.microsoft.com/kb/929851 .
490
Managing DNS Servers
Server Limitations
• You must refresh manually the DNS server parameters, the list of zones and their paramet-
ers. However, the content of the zones is still refreshed automatically every 3600 seconds
(by default).
• The AD configuration of the AD integrated DNS servers often includes security settings
that prevent the creation or modification of the DNS zones.
• If the parameter Forward is set to != none at server level but a list of forwarders is provided
anyway, the forwarders are pushed onto the Microsoft DNS server.
ACL Limitations
• Microsoft processes as follows the ACL allow-update:
Zone Limitations
• The zones e164.arpa and ip6.int (deprecated reverse mapping name space) are not sup-
ported by Microsoft.
• You cannot create forward zones with the forwarding parameter set to None on Microsoft
servers.
• If nothing is specified during the Notify configuration then by default, the notify is set to NS
only.
• You cannot edit the AD replication behavior set on the zones of an AD integrated Microsoft
server. Once set, you cannot edit or remove the replication behavior selected, you must
delete the zone and recreate it with the configuration that suits your needs.
Resource Record Limitations
• Microsoft servers only support the records A, AAAA, CNAME, MX, NS, PTR, SOA, SRV
and TXT.
491
Managing DNS Servers
If your Microsoft DNS server is integrated to an AD with several forests, you can use the Expert
mode during the server addition to specify AD domain you want to authenticate.
In addition, you can manage AD integrated zones. For more details, refer to the section Managing
DNS Zones.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Configure the server basic parameters:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
492
Managing DNS Servers
The addition of Linux Packages v4 that respected the SNMP protocol and worked with
SSL is no longer supported. If you migrated your database with such servers, refer to the guide
4
SOLIDserver-Administrator-Guide-5.0.4.pdf available on our website .
To successfully install the DNS packages on Linux, formerly known as EfficientIP BIND Linux
Packages v5, you must follow the prerequisites and procedures in the section that matches your
environment:
• Installing an EfficientIP DNS Package on Debian 8 or Higher.
• Installing an EfficientIP DNS Package on RedHat 6 or Higher.
Once your package is installed you can add an EfficientIP DNS Package in the GUI as detailed
in the section Adding a BIND DNS Server.
If at any point you need to upgrade your package, refer to the section Upgrading EfficientIP DNS
Packages.
Prerequisites
• The DNS package file, ipmdns-y.y.y-debianxx-amd64.deb, whose name provides you with a
number of information separated by hyphens: the type of package (ipmdns, so a DNS package),
the version of SOLIDserver (y.y.y); the version of Debian (debianxx where xx is x dot x) and
finally the Debian architecture (amd64).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.
4
At http://www.efficientip.com/services/support/, in the section Products & Documentation and in the folder /docs/5.0.4. Log in using
your credentials. If you do not have credentials yet, request them at www.efficientip.com/support-access.
5
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.
493
Managing DNS Servers
Once you have taken into account the prerequisites, you can install an EfficientIP DNS Package
on Debian.
If you have not installed the DHCP packages yet, you need to:
1. Follow the procedure To install an EfficientIP DNS Package on Debian.
2. Follow the procedure To complete the DNS package installation on Debian if the DHCP
package is not installed.
If you already installed the DHCP packages, you only need to follow the procedure To install
an EfficientIP DNS Package on Debian below.
The procedure below includes the commands that make the web services configurable.
3. Install the dependency packages, ONLY if you have not installed the EfficientIP DHCP
package, using the following commands:
# apt-get install php
# apt-get install sudo
# apt-get install snmpd
5. Make the web services configurable: in the directory /etc/sudoers.d, create the file ipmdns
containing the line below.
www-data ALL = NOPASSWD: /usr/local/nessy2/script/install_named_conf.sh, \
/usr/local/nessy2/script/push_default_zone_params.sh, \
/usr/local/nessy2/script/push_dnssec_keys_zones.sh, \
/usr/local/nessy2/script/move_dnszone_file.sh, \
/usr/local/nessy2/script/restore_named_conf.sh, \
/usr/local/nessy2/script/delete_zone_file.sh, \
/usr/local/nessy2/script/restore_zone_file.sh, \
/usr/local/nessy2/script/install_keytab.sh, \
/usr/local/nessy2/bin/rndc
Note that you can change the password admin of the web service using the following com-
mand:
# htpasswd -c /usr/local/nessy2/www/php/cmd/dns/.htpasswd admin
If you have not installed the DHCP package or are not planning on installing it, you must
now follow the procedure below.
494
Managing DNS Servers
To complete the DNS package installation on Debian if the DHCP package is not
installed
1. If relevant, open an SSH session.
2. Allow SNMP access to the DNS statistics by appending the file /etc/snmp/snmpd.conf with
the following line:
view systemview included .1.3.6.1.4.1.2440
6. Make sure that a symbolic link to the default VirtualHost SSL configuration file is located in
the folder sites-enabled/ . If not, use the following command:
# a2ensite default-ssl
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
8. Disable the default site in Debian Apache configuration using the following command:
495
Managing DNS Servers
# a2dissite 000-default
10. Make sure that the ipmdns package is running using the following command:
# service ipmdns status
Once the configuration is complete, you can add an EfficientIP Package DNS server to manage
your BIND server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding a BIND DNS Server.
Prerequisites
• The DNS package file, ipmdns-y.y.y-redhatx.x86_64.rpm, whose name provides you with a
number of information separated by hyphens or a point: the type of package (ipmdns, so a
DNS package), the version of SOLIDserver (y.y.y); the version of RedHat (redhatx) and finally
the RedHat architecture (x86_64).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.
Once you have taken into account the prerequisites, you can install an EfficientIP DNS Package
on RedHat or CentOS.
If you have not installed the DHCP packages yet, you need to:
1. Follow the procedure To install an EfficientIP DNS Package on RedHat.
2. Follow the procedure To complete the DNS package installation on RedHat if the DHCP
package is not installed.
6
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.
496
Managing DNS Servers
If you already installed the DHCP packages, you only need to follow the procedure To install
an EfficientIP DNS Package on RedHat below.
The installation procedure below also includes the commands that make the web services con-
figurable.
3. Install the dependency packages, ONLY if you have not installed the EfficientIP DHCP
package, using the following commands:
# yum install mod_ssl php php-pdo sudo net-snmp
6. Make the web services configurable: in the directory /etc/sudoers.d, create the file ipmdns
containing the line below.
apache ALL = NOPASSWD: /usr/local/nessy2/script/install_named_conf.sh, \
/usr/local/nessy2/script/push_default_zone_params.sh, \
/usr/local/nessy2/script/push_dnssec_keys_zones.sh, \
/usr/local/nessy2/script/move_dnszone_file.sh, \
/usr/local/nessy2/script/restore_named_conf.sh, \
/usr/local/nessy2/script/delete_zone_file.sh, \
/usr/local/nessy2/script/restore_zone_file.sh, \
/usr/local/nessy2/script/install_keytab.sh, \
/usr/local/nessy2/bin/rndc
Note that you can change the password admin of the web service using the command below:
# htpasswd -c /usr/local/nessy2/www/php/cmd/dns/.htpasswd admin
If you have not installed the DHCP package or are not planning on installing it, you must
now follow the procedure below.
To complete the DNS package installation on RedHat if the DHCP package is not
installed
1. If relevant, open an SSH session.
2. Disable the firewall using the following commands.
a. For RedHat 6:
497
Managing DNS Servers
Note that changing the selinux policy requires you to restart the system.
4. Reboot the system to take into account the selinux policy changes :
# reboot
6. Allow SNMP access to the DNS statistics. In the file /etc/snmp/snmpd.conf , in the section
entitled Access Control, enter the lines:
master agentx
view systemview included .1.3.6.1.4.1.2440
#You may need to specify another view, AllView or a custom one,
#if you edited the default SNMP configuration.
9. Configure the web services. In the file /etc/httpd/conf.d/ssl.conf, replace the FULL section
<VirtualHost *:443> with the configuration below.
a. For RedHat 6:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
498
Managing DNS Servers
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following data, from "SetEnvIf" to "force-response-1.0", represents
# and must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>
b. For RedHat 7:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following data, from "SetEnvIf" to "force-response-1.0", represents
# and must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>
c. For RedHat 8:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>
SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
# Please note that the following data, from "SetEnvIf" to "force-response-1.0", represents
# and must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>
499
Managing DNS Servers
11. Make sure that the ipmdns package is running using the following command:
# service ipmdns status
Once the configuration is complete, you can add an EfficientIP Package DNS server to manage
your BIND server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding a BIND DNS Server.
Note that only reachable servers can be added, the server must be up and running when you
add it.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the following fields to set up the basic server configuration:
500
Managing DNS Servers
5. If you modified the SSH login and password, tick the box Configure management parameters.
If not, go to step 6.
Once you ticked the box, the fields Login and Password appear. By default they both contain
admin, edit them to make sure that the SSL credentials match your SSH credentials.
7
6. If you want to edit the server SNMP parameters , tick the box Configure SNMP monitoring
parameters. If not, go to step 7.
7. Tick the box Enable HSM to start signing Master zones managed by the server using an
HSM. For more details, refer to the chapter HSM.
8. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
9. Click on OK to complete the operation. The report opens and closes. The list is visible again.
The server appears in the list with status Busy. It changes to OK after a while.
During the first DNS server addition, the allow-transfer option is by default configured
with the ACL admin. Within SOLIDserver admin corresponds to any, so you might need to
change the ACL and restrict the option use as it is inherited by the server zones. For more
details, refer to the chapter Limiting Zone Transfers at Server Level.
Once the EfficientIP Package server is added, you can manage your BIND server in Linux from
the GUI.
501
Managing DNS Servers
Before managing a new server make sure that the DNS service is correctly started. For
more details, refer to the chapter Configuring the Services.
4. Click on OK to complete the operation. The server is listed in the page All servers.
Once added, you can edit your server to secure its data exchanges with SOLIDserver. For more
details, refer to the section Securing the Management of DNS Servers Using a TSIG Key.
502
Managing DNS Servers
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Click on NEXT . The next page opens.
6. In the list DNS zone type, select Master.
7. In the list DNS zone resolution, select Name.
8. Click on NEXT , the next page opens.
9. Fill in the fields according to the table below:
You can set the value by default for the parameters above, except for the Primary server
and Serial number. For more details, refer to the procedure To configure the default SOA
parameters of Master zones below.
12. Click on OK to complete the operation. The report opens and closes. The report opens and
closes. The zone is listed and marked Delayed create before being marked OK.
To fully configure and manage a Nominum DNS server, you first need to prepare the ANS security
key, or password, related to said server and follow the procedures below in order to:
• Add a Nominum server to the list All servers.
503
Managing DNS Servers
• Add the DNS zones that should be managed through the server.
Before managing a new server make sure that the DNS service is correctly started. For
more details, refer to the chapter Configuring the Services.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the fields below:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
5. Click on OK to complete the operation. The server is listed on the page All servers.
Once added, you can edit your server to secure its data exchanges with SOLIDserver. For more
details, refer to the section Securing the Management of DNS Servers Using a TSIG Key.
504
Managing DNS Servers
3. In the menu, click on Add. The wizard Add a DNS zone opens.
4. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the list DNS zone type, select Master.
6. In the list DNS zone resolution, select Name.
7. Click on NEXT . The next page opens.
8. Fill in the fields according to the table below:
You can set the value by default for the parameters above, except for the Primary server
and Serial number. For more details, refer to the procedure To configure the default SOA
parameters of Master zones below.
11. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK.
505
Managing DNS Servers
From the DNS All servers page, you can add your Route 53 server using your AWS account
credentials. Once listed in the GUI, you can add, edit and/or delete the server zones and resource
records.
Before managing a new server make sure that the DNS service is correctly started. For
more details, refer to the chapter Configuring the Services.
Prerequisites
• You must have an AWS account with a subscription to the service Amazon Route 53.
• You must have an Amazon user that should only have access to the service Amazon Route
53 and sufficient rights to manage the service.
For security reasons, we strongly recommend that you create this user through the Amazon
IAM module. Besides, the user needs an Access Key ID and a Secret Access Key to manage
the service, you should also generate these keys using the module IAM.
• Before adding the server to SOLIDserver, you should have your AWS account Access Key ID
and Secret Access Key ready.
• You must use the UTC system to ensure that SOLIDserver and the AWS account are set at
the same time. For more details, refer to the procedure To configure the user settings.
• Make sure SOLIDserver is able to contact the AWS services using REST and HTTPS. Other-
wise, even if you add the server to the GUI, it stays in Timeout.
Limitations
Amazon Route 53 Server Limitations
• SOLIDserver only supports unique zone names within one server.
If your Amazon Route 53 server contains several zones named the same way, none of them
can be managed from the GUI.
• DNSSEC is not supported on Amazon Route 53 servers.
• The edition options are limited:
• You can only edit the Main properties and Group access panels of an Amazon Route 53
server managed outside a smart architecture.
• Once an Amazon Route 53 server is managed via a smart architecture, you can only edit
the panel Group access on the server properties page.
• Converting master zones to slave on Amazon Route 53 servers deletes all the records of
the original master zone.
• Some options are not supported on Amazon Route 53 servers:
• You cannot edit the access control of an Amazon Route 53 server or its zone.
• You cannot edit the options of an Amazon Route 53 server or its zone.
These options cannot be edited either from SOLIDserver or from the service Amazon Route
53 itself.
• Some AWS options are not supported by SOLIDserver: the record options Heatlh Check and
Routing Policy are not supported.
If any AWS zone contains records configured with these options, the entire zone is not syn-
chronized.
506
Managing DNS Servers
Before managing an AWS server from the GUI, we recommend that you check the prerequisites,
specificities and limitations of the AWS zones and records you are managing. They are all listed
in the sections Managing Amazon Route 53 Zones.
If you have several AWS accounts, you can manage all your Amazon Route 53 servers from the
GUI.
Once you comply with the Prerequisites, you can follow the procedure below.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. Fill in the following fields to set up the basic server configuration:
Depending on your rights, you may be able to display All available fields. For
more details, refer to the relevant section of the chapter Managing Advanced
Properties.
507
Managing DNS Servers
508
Managing DNS Servers
• Only the supported configuration settings of the other physical servers managed through the
smart architecture are pushed to the Amazon Route 53 server. For more details, refer to the
section Limitations.
• The smart architecture management remains the same: the smart architecture replicates all
the server options and content from one server to the other. However, all the configuration
settings that are incompatible with Amazon Route 53 servers, or not supported, are not replicated
and displayed in the Multi-Status column.
• Any changes performed from the GUI - zones or records addition, edition or deletion - automat-
ically refresh the server, it then replicates the information to your AWS account server.
• You cannot delete the awsdns NS records from the list All RRs of the smart architecture. The
resolution of the Amazon Route 53 server zones rely on them.
You can add an Amazon Route 53 server to the management of the smart while creating the
smart architecture.
This allows to automate the synchronization of the AWS server content. Therefore, all your zones
and records are retrieved by the smart and replicated to all the physical servers you might manage
as well with the new smart.
509
Managing DNS Servers
d. If you want to add other servers to the smart architecture, refer to the section Adding a
DNS Smart Architecture.
e. Click on NEXT . The page Advanced settings opens, finish the configuration following
the procedure in the section Farm Smart Architecture.
8. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed, if you do not see the servers it manages, click on on the right-end side of the
menu.
If you add an Amazon Route 53 server to an existing smart architecture managing other servers,
keep in mind that the zones it contains rely on a specific set of NS records to run properly. Without
all these records, the zones are not viable.
You can check that the replication is properly performed on the page All RRs of the smart archi-
tecture. They should be all listed and OK.
On the page All zones, the column Multi-status indicates any replication problems.
At any time, you can stop managing an AWS server via a smart architecture.
510
Managing DNS Servers
1. Follow the procedure To remove an Amazon Route 53 server from a smart architecture.
2. If your smart architecture manages other servers, you should remove the awsdns NS records
as they are no longer relevant for the smart architecture, as detailed in the procedure To delete
Amazon Route 53 NS resource records.
The server is moved back to the list Available DNS servers or Available Cloud DNS servers.
7. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens. For more details regarding this page,
refer to the last steps of the relevant smart architecture addition procedure in the section
Adding a DNS Smart Architecture.
8. Click on OK to complete the operation. The report opens and closes. If the architecture
manages other DNS servers, you can display them using the button on the right-end
side of the menu.
However, there are some prerequisites, specificities and limitations to take into account.
Prerequisites
• The zone name must be unique: if several zones of the Amazon Route 53 server share the
same name on your AWS account, you cannot manage any of them.
• The zone name must be FQDN and include a TLD.
• Make sure that SOLIDserver is using UTC system, otherwise any changes made from the GUI
cannot be pushed to your AWS account server.
511
Managing DNS Servers
Limitations
• If your AWS zones contain records configured with the options Heatlh Check and Routing
Policy, they cannot be synchronized. These options are not supported by SOLIDserver. You
must remove these options directly via your AWS account to then be able to synchronize and
manage the zone via the GUI.
However, there are some prerequisites, specificities and limitations to take into account.
Prerequisites
• Make sure that SOLIDserver is using UTC system, otherwise, any change made from the GUI
cannot be pushed to your AWS account server.
Limitations
• Only a set of records is supported by Amazon Route 53 servers: NS, MX, A, AAAA, PTR,
CNAME, TXT and SRV. For more details, refer to the section Adding Resource Records.
• If your server is managed via a smart architecture, you can add other types of records, but
their status is N/A and they are not taken into account, or replicated, by your Amazon Route
53 server.
• AWS records configured with the options Heatlh Check and Routing Policy are not supported.
If a zone contains them, it cannot be synchronized.
• The AWS zones resolution relies on the awsdns NS records, so you cannot delete them from
a zone, an AWS server or a smart architecture managing an AWS server.
However, if you stop managing an Amazon Route 53 server via a smart architecture, you can
remove the awsdns records from the smart architecture All zones list as they are no longer
relevant.
512
Managing DNS Servers
Amazon Route 53 servers must be synchronized if they were edited directly from the AWS account.
Some data, like the panel Sources of physical servers, is only visible once the server has been
successfully synchronized at least once.
For more details regarding all the server configuration possibilities (forwarding, recursion, transfer,
blackhole, sortlist, etc.), refer to the chapter Configuring DNS Servers.
You can edit EffcientIP, Nominum and Generic servers to secure their data exchanges with
SOLIDserver. For more details, refer to the section Securing the Management of DNS Servers
Using a TSIG Key.
513
Managing DNS Servers
3. At the end of the line of the server of your choice, click on . The properties page opens.
4. Open all the panels using .
5. In the panel of your choice, click on EDIT . The corresponding wizard opens.
6. Make all the changes you need. For an EfficientIP server, from the panel Main Properties
you can:
a. Tick the box Use DNS as DNSSEC resolver, to enable DNSSEC resolution on the
server. For more details, refer to the chapter Managing DNSSEC on Recursive Servers.
b. If you changed the default SSH password of the appliance embedding the DNS server
or if you want to switch to the new management system, tick the box Configure enroll-
ment parameters. The field "Admin" account password appears.
In the field "Admin" account password, replace the value displayed with the relevant
SSH password.
c. Tick the box Enable HSM, to sign Master zones using HSM. For more details, refer to
the chapter HSM.
7. Click on NEXT , if need be, until you get to the last page of the wizard.
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and refreshes.
By default, EfficientIP servers provide TSIG keys on the properties page of each DNS physical
server. You must edit the server main properties to specify the existing TSIG key you want to
use and secure data exchanges.
If you want to add the TSIG key, refer to the section Configuring DNS Keys.
At zone level you can set up dynamic update if you use the TSIG key specified on the server
in the statement allow-update, for more details refer to the section Configuring DNS Update
Authorizations on a Zone.
• TSIG keys can be added to the ACL admin of the server. This allows to automatically secure
the statement allow-transfer that, by default, grants access to the ACL admin. For more details,
refer to the section Configuring Access Control Lists for a Server.
If you manage your physical servers from a smart architecture, the TSIG keys of the smart archi-
tecture are pushed to the properties of each of the physical servers it manages. So keep in mind
that a TSIG key must be unique to each server, you cannot use the same for several servers.
514
Managing DNS Servers
3. Click on NEXT until you get to the last page of the wizard.
4. Tick the box Configure TSIG parameters if it is not already ticked.
5. In the drop-down list TSIG key name, select the key of your choice.
6. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
8
The standardized protocol for key codes is HMAC-MD5.
515
Managing DNS Servers
Granting access to a server as a resource also makes every item it contains available. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
516
Chapter 36. Configuring DNS Servers
You configure EfficientIP DNS servers and smart architectures from their properties page. Any
configuration set at server level is inherited by all the views and zones of the server.
Most options provide ACL configuration fields, keep in mind that in these fields the order of the
elements listed is important: each restriction or permission is reviewed following the order set in
the list.
If you configure any of these options at view or zone level, the value set at server level is
overridden.
Setting a DNS server as a forwarder allows to prevent leaving DNS information exposed outside
of a network as your DNS servers do not need to send queries outside to their root hints. In ad-
dition, it allows to minimize the volume of external traffic which can be costly and inefficient for
a network with a slow Internet connection or a company with high Internet service costs.
If you specify a list of forwarders on a smart server, you can set the forwarding to:
• first: the DNS server queries the forwarders first, if none of the forwarders in the list are re-
sponsive, the server looks for the answer itself.
• only: the DNS only forward queries to the forwarders in order to avoid an answer seeking.
• none: the forwarding is disabled. This is the default value.
SOLIDserver always sends the query to the forwarder with the lowest round trip time (RTT) in
the list of forwarders configured. The RTT measures how long a remote name server takes to
respond to queries. Each time an EfficientIP DNS server sends a query to a forwarder it starts
an internal clock, and stops it when it receives a response. The RTT is stored to ensures that
queries are sent to the proper forwarder.
517
Configuring DNS Servers
5. In the field Forward mode, select the mode of your choice according to the table below.
7. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, your configuration is
displayed.
You can set a specific forwarding configuration for physical servers managed via a smart
architecture already configured with forward options. This new configuration is inherited by the
views, zones and records of the physical server. Keep in mind that:
• When a forward mode is set on a smart architecture, you cannot set the forward mode to None
on any physical server it manages. You can only set a different forward mode.
• Any configuration set at view or zone level overrides the server level configuration.
You cannot set the forward mode of a physical server managed via a smart architecture to
None.
8. Specify the forwarder(s):
518
Configuring DNS Servers
a. In the field Add a forwarder, type in the address of a forwarder or its name and click on
SEARCH to retrieve its IP address.
9. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, the Forward value is
preceded by the message Smart configuration is overwritten.
To revert the specific configuration and inherit it again, edit the Forwarding to untick the box
Overwrite the smart settings.
A recursive query requires the DNS server to return requested DNS data, or locate the data
through queries to remote DNS servers. When a DNS server receives a query for DNS data it
does not have, it first sends a query to any specified forwarders. If a forwarder does not respond
with any return, it resends the same query to the next configured forwarder until it receives an
answer. If it receives no answer or a negative answer, then it sends a non-recursive query to
specified internal root servers. If no internal root servers are configured, the DNS server sends
a non-recursive query to the Internet root servers.
By default, the DNS recursion is enabled. The DNS properties page displays the panel Recur-
sion that allows you can set different DNS recursion configurations.
Keep in mind that any configuration set at view or zone level overrides the server level
configuration.
519
Configuring DNS Servers
Keep in mind that any configuration set at view or zone level overrides the server level
configuration.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
520
Configuring DNS Servers
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
5. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
Once you set the recursion to yes, the recursive-client statement is enabled. To disable the re-
cursive-clients statement, you must disable the recursion.
The statement default value is 1000, meaning that 1000 simultaneous lookup requests can be
answered by the server. The minimum value is 1 and the maximum value is 4294967295.
521
Configuring DNS Servers
Within SOLIDserver, the notification configuration is done from the panel Notify of the properties
page. This panel displays:
• The type of notification configured for the server. You can set the Notify to Yes or Explicit or
No.
• The Also notify statement IP address and port. This statement allows to notify the managing
smart server of any slave zones updates.
Keep in mind that by default the also notify statement is unset. This implies that the smart
server is informed of the changes performed on slave zones when it refreshes, every hour,
and not instantly.
• The Allow notify directive of the server slave zones. For instance, you can allow all the servers
of a network to notify the slave zones of your server or only a few.
Note that there is an implicit allow-notify directive set when you add a slave zone: when you
set the Master IP address of the slave zone you are allowing the master zones of this server
to send notify messages to your slave zone.
Keep in mind that any configuration set at view or zone level overrides the server level
configuration.
5. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
1
In this paragraph, to simplify the explanation, we work on the assumption that one server, the master server, contains only master
zones and another, the secondary one, contains only slave zones. It is evidently not accurate: usually a server would manage both
master and slave zones. However, it is customary to configure corresponding slave and master zones that are managed by a different
server.
522
Configuring DNS Servers
a. In the field IP address, type in the IP address of another server. The notify messages
are sent if you chose the notify type Yes or Explicit.
b. In the field Port, you can specify the port number that should receive the notify messages
on the server you specified in the previous field.
c. Click on ADD . The IP address and port number are displayed in the list Also notify as
follows: <ip-address> port: <port-number>.
6. Click on NEXT . The page Allow notify opens. It allows to specify if the server slave zones
can receive master zones notification messages.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again. Your configurations are displayed in the panel Notify.
523
Configuring DNS Servers
Allow query
You can specify which hosts are allowed to issue DNS queries. The allow query properties can
be configured for an entire server including all the zones it contains. By default, queries are allowed
from the local host (localhost) and the local networks (localnets).
Keep in mind that any configuration set at view or zone level overrides the server level
configuration.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
6. Click on NEXT twice to skip the pages Allow-query-cache and Allow transfer.
7. On the page Blackhole, click on OK to complete the operation. The report opens and closes.
The properties page is visible again.
524
Configuring DNS Servers
The allow-query-cache is independent from the allow-query statement but closely linked to
the allow-recursion statement.
If the recursion is set to no, the cache cannot be queried, so it is useless to set an allow-
query-cache match list.
If the recursion is set to yes and the allow-recursion statement is not defined, by default the
localhost and localnets are permitted to query the server cache.
If the recursion is set to yes and the allow-recursion statement is defined with a specific match
list, the local cache access is granted to all the entries of the allow-recursion match list.
The match list defined controls recursive behavior as recursive queries would be useless without
access to the local cache. Typically, if a host is in the allow-recursion match list, it could access
the server the first time and get query result. However, if it is not part of the allow-query-cache
match list then it would not be able to make the same query a second time as it would be saved
on the cache to which it does not have access. On the contrary, if a host is in the allow-query-
cache match list but not in the allow-recursion match list, it would only get results for queries
already sent by another host with the proper access rights. Hence the need to configure carefully
both these statements to avoid conflicts and absurd access configurations.
Keep in mind that any configuration set at view level overrides the server level configuration.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
525
Configuring DNS Servers
Type Description
server level. For more details, refer to the section Configuring Access Control Lists
for a Server.
TSIG key Allow or deny a DNS key defined at server level in the panel Keys.
a
The ACL admin is used by EfficientIP's management platform to configure and exchange data with DNS servers.
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
7. Click on NEXT twice to skip the page Allow-transfer and open the page Blackhole.
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
Keep in mind that any configuration set at view or zone level overrides the server level
configuration.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
526
Configuring DNS Servers
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
7. Click on NEXT . The page Blackhole opens.
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
Configuring a Blackhole
You can set a list of the IP addresses and network addresses you consider as spam. The
blackhole properties can be configured for an entire server including all the zones it contains. By
default, queries are allowed from the local host and the local networks: all the addresses listed
in the list cannot receive any response from the server or zones.The queries remain unanswered,
in other words, ignored.
527
Configuring DNS Servers
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
This option defines the amount of time a client should keep in its cache the information sent
bay a lame server that has been queried directly. It allows to limit the time the information is
kept as, coming from a lame server, it might not be up-to-date and therefore potentially erro-
neous.
max-cache-size
This option limits the size of the cache memory of a server or view. When the cache memory
size reaches this threshold, the server causes records to expire prematurely. The value 0
can be set to purge the cache only when the records TTL expires.
These options can be set at server or view level. For more details regarding the configuration on
views, refer to the section Configuring Client Resolver Cache Options at View Level. Keep in
mind that any configuration set at view level overrides the server level configuration.
528
Configuring DNS Servers
If you configured DNSSEC on your server or are managing records that relay IPv6 information,
we strongly recommend configuring EDNS: in both cases, the messages sent out usually exceed
512 bytes.
Within SOLIDserver, two EDNS options can be configured at server and view level on EfficientIP
DNS servers using the SSL protocol:
edns-udp-size
This option sets the EDNS UDP buffer size advertised by the server when querying a remote
server. It is set in bytes and allows to specify the size of the packets that you receive.
Typically, you would set this option to enable UDP answers to pass through broken firewalls
that block fragmented packets and/or packets greater than 512 bytes. The value set for this
option is a preference.
max-udp-size
This option sets the maximum EDNS UDP message size sent by the server. It is set in bytes
and allows to specify the maximum size of the packets that you send to a remote server.
Typically, this option would be set to enable UDP answers to pass through broken firewalls
that block fragmented packets and/or packets greater than 512 bytes.
For more details regarding the configuration on views, refer to the section Configuring EDNS
Options at View Level. Keep in mind that any configuration set at view level overrides the
server level configuration.
529
Configuring DNS Servers
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT .The wizard Options configuration opens.
4. In the field Max-udp-size, type in the maximum size of the packets you send. This value is
in bytes and must be set between 512 and 4096. The default value is 4096.
5. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and displays the value you defined.
Enabling minimal-responses allows the server to only add records to the authority and additional
data sections of the response if they are specifically required by the protocol. For instance, these
sections are included in the delegations and negative responses.
Within the GUI, the statement configuration is closely linked to the statement syntax in the zone
file. Here below is an example of the sortlist statement syntax in the zone file:
In a zone file, the statement would look as follows for the zone many.example.com :
// zone file example.com
$ORIGIN example.com.
many IN A 192.168.3.6
IN A 192.168.4.5
IN A 192.168.5.5
IN A 10.2.4.5
IN A 172.17.4.5
530
Configuring DNS Servers
};
As you can see after the client IP, the response preferences are defined one after the other and
separated by a semi-colon.
Keep in mind that any configuration set at view level overrides the server level configuration.
Amplification attacks are Distributed Denial of Service (DDoS) tactics in which an attacker uses
the IP address of any computer to send high volumes of forged queries using an authoritative
DNS server. The attacker queries are usually small-sized but designed to generate large re-
sponses, thus generating an amplified traffic toward the victim. Considering that the attacker
mimics the query format of the server, the client only sees a large number of responses and
cannot know if the response is real or malicious. This high volume of responses is likely to make
the victim's computer overload and eventually collapse.
531
Configuring DNS Servers
In light of the increasing number of DDoS attacks on the Internet, in 2012 by Paul Vixie and
Vernon Schryver proposed RRL as a method for preventing a caching server from being used
in a DNS Amplification attack. It allows to maintain the type of queries that have been made, that
way the server keeps track of the queries made and can limit the number of responses returned
without changing the nature of the DNS.
Prerequisites
• Having a SOLIDserver appliance in version 5.0.4 or greater.
• Managing an EfficientIP DNS server in version 5.0.4 or greater.
• If necessary, installing the EfficientIP DNS packages in version 5.0.4 or greater. For more details,
refer to the section Managing BIND DNS Servers.
Limitations
• RRL cannot be set at view or zone level, it can only be configured for a whole server.
• RRL can only be configured on EfficientIP DNS servers or smart architectures.
• If RRL settings are configured on a smart architecture managing servers that are not compatible
with RRL, for these servers the RRL configuration is ignored and the Multi-Status column
provides details regarding incompatibilities.
• RRL can be set on a BIND/NSD Hybrid server but the option Log only disables RRL on NSD
servers.
If you set it on a smart architecture that manages different types of servers, it only applies to the
relevant servers. The settings are ignored by all the servers that do not support it.
The field default value is 0, meaning the option is disabled. You can set a value between 1
and 1000. We recommend that you set the value at 10 or higher.
6. In the field Slip, you can type in a number between 0 and 10. This option allows to add an
extra bit to the server responses, the Truncated (TC) bit, and makes the requestor use TCP
to resend the query once they receive the truncated response.The number specified in the
field defines every how many queries the TC bit and TCP are forced.
If the field is empty or set to 0, all the similar queries are dropped. If set to 1, the TC is set
in the response to every query. If set to 2, it is set in the response to every other query. If
set to 3, it is set in the response to every third query, etc.
532
Configuring DNS Servers
We recommend that you set the Slip value to 1 because it limits cache poisoning attacks
- it is worthless for attackers performing volumetric or PPS DDoS attacks - and is less CPU
consuming for flooded resolvers.
7. If you are configuring a BIND server, in the section Log only you can tick the box. It allows
to prevent the rate limiting function from operating and only display in the logs what would
have happened.
Configuring DNS64
SOLIDserver provides, for EfficientIP and BIND servers, a panel on the properties page dedicated
to configuring DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers,
or DNS64.
This mechanism was described in RFC 6147 and allows to rely on a NAT64 server to synthesize
IPv6 addresses and enable communication between IPv6-only clients and IPv4-only DNS servers
and get a valid response to their queries. Which is why DNS64 mechanism is useless on its own.
SOLIDserver does not include a NAT64 server but provides a wizard to configure DNS64 with
the settings that you configured on your own NAT64 server.
Once NAT64 is configured, you can configure DNS64 on the server of your choice. All the fields
available in the GUI are optional, DNS64 can perform the synthesis using only the address and
prefix of the NAT64. It relies on your NAT64 server IPv6 address to IPv4 address translation
settings to synthesize AAAA records from A records. The synthesis is performed as follows:
1. DNS64 uses the NAT64 server address and prefix configuration as the start of the synthesized
IPv6 address.
2. The target IPv4 address is appended to the address and prefix in hexadecimal form.
3. The suffix is appended at the end of the synthesized IP address to get a 128 bit address to
send back to the client in the AAAA record.
When your DNS64 configuration is over, two reverse zones are automatically created. That way,
even the reverse queries of IPv6 clients can be synthesized and answered.
The mechanism is completely transparent: the client does not know that the queried server only
manages IPv4 related data as, after querying it, the client receives records that can be used in
an IPv6 environment.
Prerequisites
• You must have SOLIDserver in version 5.0.0 or greater.
• You must manage:
• An EfficientIP DNS server in version 5.0.0 or greater; or
• A BIND server in version 9.8 or higher (EfficientIP BIND package).
• You must manage your server through SSL.
• You must have a NAT64 server configured on your network.
• You must have the NAT64 server address and prefix ready when you start configuring. Note
that depending on your NAT64 server vendor, you might not be able to set the address and
533
Configuring DNS Servers
prefix of your choice. In this case you must use the ones provided by the vendor during the
DNS64 configuration.
Limitations
• DNS64 can "break" DNSSEC. For more details, refer to the substatement break-dnssec.
• DNS64 cannot be configured on Hybrid DNS engines.
Allows you to specify the name of a server. The server you declare in that field should be
the server for which you are configuring DNS64. Once the substatement is set, the server
name is saved in the SOA of the reverse zones that DNS64 automatically creates, that way
the server can be queried in reverse without further configuration.
Allows you to specify the email address of the contact managing the server - declared in the
substatement dns64-server - and the zones it contains. The contact is saved as well in the
SOA of the reverse zones that DNS64 automatically creates. No need to specify a contact
if you did not specify dns64-server substatement.
Allows you to specify the IPv6 address set on the NAT64 server following the syntax <start-
of-IPv6-address>:: . Depending on the NAT64 server of your network, you can either set the
address of your choice or use the one already set on the NAT64 server. Without the prefix,
filling this field is useless.
Allows you to specify the prefix set on the NAT64 server. It should be: 32 bits, 40 bits, 48
bits, 56 bits, 64 bits or 96 bits. Depending on the NAT64 server of your network, you can
either set the prefix of your choice or use the one already set on the NAT64 server. No need
to specify a prefix if you did not specify an address.
Allows you to specify a suffix following the syntax ::<end-of-IPv6-address>. The suffix is ap-
pended to the synthesized IP address (composed as follows: <address-field-value>:<queried-
ipv4-address-in-its-hexadecimal-form>).
Default value: :: . No need to specify a suffix if you specified a 96 bits prefix, BIND default
value is automatically applied.
534
Configuring DNS Servers
break-dnssec
Allows you to interact with DNSSEC. If you set it to yes, DNS64 synthesizes the responses
authoritative and recursive queries even if the resulting records are considered invalid by the
queried signed zones. Which is why it is considered to "break" DNSSEC. If set to no, the
DNS64 synthesis is not performed if zones are signed with DNSSEC.
Allows you to decide to use DNS64 synthesis in case of recursive queries. If set to yes, only
the server responses to recursive queries are synthesized. If set to no, all the server responses
are synthesized.
Allows you to set or use existing ACLs to define which DNS clients get a synthesized response
to their queries.
Default value: none. If you only specify an address and prefix this value is automatically ap-
plied.
mapped
Allows you to set or use existing ACLs to prevent DNS64 from synthesizing some IPv4 ad-
dresses of your network. Any IPv4 address listed in the ACLs is ignored by DNS64 and
therefore never returned as an IPv6 address in the response.
Default value: any. If you only specify an address and prefix this value is automatically applied.
exclude
Allows you to set or use existing ACLs to exclude a list of IPv6 addresses. As DNS64 is
dedicated to synthesizing IPv6 addresses from IPv4 addresses, if any zone contains AAAA
records DNS64 ignores the zone. Therefore it ignores the A records it might contain. Setting
up the exclude substatement allows to ignore the AAAA records of a zone, your exclude
substatement ACL must contain all the IPv6 addresses declared in your AAAA records. That
way you can make sure that DNS64 synthesizes all the A records of the zone. The IPv6 ad-
dresses you declare must be part of or match the range of addresses declared for the NAT64
server (address and prefix).
Default value: none. If you only specify an address and prefix this value is automatically ap-
plied.
535
Configuring DNS Servers
5. In the drop-down list Prefix, select 32 bits, 40 bits, 48 bits, 56 bits, 64 bits or 96 bits. For
more details, refer to the section DNS64 Supported Substatements.
6. Once you selected a Prefix, the field and drop-down lists Address, Suffix, Break-dnssec
and Recursive-only appear. Fill them in according to your needs. For more details, refer to
the section DNS64 Supported Substatements.
Note that the field Suffix is not displayed if you select the Prefix 96 bits.
You can choose to only configure the Address and Prefix for your DNS64 server and contact.
In which case, SOLIDserver sets the substatement client, mapped and exclude to their
DNS64 Supported Substatements. To do so, click on NEXT until the last page of the wizard
and click on OK to commit your configuration.
7. Click on NEXT . The page DNS64 configuration: Client opens.
You can define an ACL that lists the DNS clients that get a synthesized response to their
queries. For more details regarding the substatement, refer to the section DNS64 Supported
Substatements.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
To order the entries, select them one by one and click on the arrows to move them up or
down .
8. Click on NEXT . The page DNS64 configuration: Mapped opens.
536
Configuring DNS Servers
You can define an ACL that lists the IPv4 addresses that are ignored by DNS64. The ACL
configuration is detailed in the step 6 of this procedure. For more details regarding the sub-
statement, refer to the section DNS64 Supported Substatements.
9. Click on NEXT . The page DNS64 configuration: Exclude opens.
You can define an ACL that lists the IPv6 addresses that are ignored by DNS64. The ACL
configuration is detailed in the step 6 of this procedure. For more details regarding the sub-
statement, refer to the section DNS64 Supported Substatements.
10. Click on OK to complete the operation. The report opens and closes. The properties page
is available again, the panel DNS64 displays your configuration.
To disable DNS64, you must open the wizard DNS64 configuration, empty all the fields and select
None in the drop-down lists.
From the Sources and Sources V6 panels, through their IP address, you can configure physical
interfaces that should be used for the server transfer and notify options. These panels only appear
after the first synchronization of the physical server. When editing these panels, you can define
the following statements:
query-source
This statement allows to define the IPv4 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker
would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
query-source-v6
This statement allows to define the IPv6 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker
would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
transfer-source
This statement allows to determine the IPv4 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
537
Configuring DNS Servers
transfer-source-v6
This statement allows to determine the IPv6 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
use-alt-transfer-source
This statement allows to set the use of an alternate interface IP address for the transfer if
the transfer-source or the transfer-source-v6 were to fail. This statement configuration is
displayed on the physical server, view and slave zones properties page.
This statement definition is only configurable from the panel Sources but applies to interfaces
whether they were identified through an IPv4 or an IPv6 address.
Its default value is no if the server contains views and yes if the server does not contain any
view.
alt-transfer-source
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
alt-transfer-source-v6
This statement allows to determine the alternate IPv6 address of the interface used to execute
the zones transfer on the server if the transfer-source-v6 failed and if the use-alt-transfer-
source is enabled.You can also specify a port for this statement. Its configuration is displayed
on the physical server, views and slave zones properties page.
notify-source
This statement allows to define the IPv4 address of the physical interface used for all the
server outgoing notify operations. You can also specify a port for this statement. It is used
by master zones and its configuration is therefore displayed on the physical server, views
and master zones properties page.
notify-source-v6
This statement allows to define the IPv6 address of the physical interface used all the server
outgoing notify operations.You can also specify a port for this statement. It is used by master
zones and its configuration is therefore displayed on the physical server, views and master
zones properties page.
Keep in mind that any configuration set at view or zone level overrides the server level
configuration.
538
Configuring DNS Servers
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise, all the transfer operations would fail.
a. In the field Query-source address, type in the IPv4 address of the interface used for
outgoing queries.
b. In the field Query-source port, you can type in the port number used for outgoing
queries. Keep in mind that specifying a port number can lead to cache poisoning if DNS
server definitions are not set properly.
c. In the field Transfer-source address, type in the IPv4 address to be used for the zones
transfer operations. Specify an interface that you already configured on the appliance.
d. In the field Transfer-source port, you can specify which port on the interface should be
used.
e. In the drop-down list Use-alt-transfer-source, set the use of an alternate interface if
need be.
539
Configuring DNS Servers
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the transfer operations would fail.
a. In the field Query-source-v6 address, type in the IPv6 address of the interface used for
outgoing queries.
b. In the field Query-source-v6 port, you can type in the port number used for outgoing
queries. Keep in mind that specifying a port number can lead to cache poisoning if DNS
server definitions are not set properly.
c. In the field Transfer-source-v6 address, type in the IPv4 address to be used for the
zones transfer operations. Specify an interface that you already configured on the appli-
ance. If you defined the use-alt-transfer-source statement in the Sources panel, it applies
to the alternate interfaces declared in IPv4 (Alt-transfer-source address) and IPv6 (Alt-
transfer-source address-v6).
d. In the field Transfer-source-v6 port, you can specify which port on the interface should
be used.
e. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 address, type in the IPv6 address of the alternate interface. It must also be
configured on the appliance.
f. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 port, you can specify which port on the interface should be used.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise, all the notify operations would fail.
a. In the field Notify-source-v6 address, type in the IPv6 address to be used for the outgoing
notify operations. Specify an interface that you already configured on the appliance.
b. In the field Notify-source-v6 port, you can specify which port on the interface should
be used.
6. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and displays the values you defined.
Note that if you edited the ACL admin of the server, the configuration is complete because,
by default, the ACL admin of the physical server is specified in the statement allow-update of
the master zones.
540
Configuring DNS Servers
Note that instead of configuring the ACL admin to allow the securing TSIG key, you could allow
the IP address of SOLIDserver and restrict the default permissions. However, allowing updates
based on the requestor IP address is insecure, we strongly recommend using the TSIG key
protocol filtering rather than an IP address based filtering.
541
Configuring DNS Servers
When set at server level, the ACLs can be used on the views and zones of the server. Once
created, you can use an ACL to configure the statements allow-recursion, allow-notify,
allow-query, allow-query-cache, allow-transfer, blackhole at any of relevant level of the
DNS hierarchy. You could, for instance, create one ACL that specifies which part of the network
is denied access or the IP address of the server that should always receive the notification
messages, etc.
Note that by default EfficientIP servers provide the ACL admin. You can edit it according to your
needs but you cannot delete it.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
All the entries of the ACL values constitute the content of your ACL.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
542
Configuring DNS Servers
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again. Your ACL is listed in the panel ACL.
Once created, an ACL includes permissions and restrictions that you allow or deny access
to depending on the configuration you set:
• If you allow access to the ACL, every permission it contains are granted access to,
every restriction it contains are denied access to.
• If you deny access to the ACL, the contrary is set: every permission it contains are
denied access to, every restriction it contains are granted access to.
To reorder the entries, select them one by one and click on the arrows to move them up
or down .
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
543
Configuring DNS Servers
The information is encrypted via a technique called HMAC (Keyed-Hashing for Message Authen-
tication, see RFC 2104) which employs a shared secret and a one-way cryptographic hash
function to sign data. This shared secret is used a password known only to the two parties involved
in the exchange.
From the properties page of EfficientIP, Nominum and Generic servers as well as smart architec-
tures you can add, edit and delete TSIG keys. Once a key is added, you can use it:
• To secure the server with a unique TSIG key. For more details, refer to the section Securing
the Management of DNS Servers Using a TSIG Key.
• In your ACLs at server, view and/or zone level. For more details, refer to the chapters Config-
uring DNS Servers, Configuring DNS Views and Configuring DNS Zones.
• When adding and editing slave zones, RPZ or not, and stub zones. For more details, refer to
the chapters Managing DNS Zones and DNS Firewall (RPZ).
• To set up dynamic update for you master zones. For more details, refer to the sections Config-
uring Access Control Lists for a Server and Authenticating the Zones Dynamic Update from
the Server.
Note that TSIG keys are not supported by Microsoft servers. However, you can configure their
zones for dynamic update via GSS-TSIG keys.
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
544
Configuring DNS Servers
6. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
Only administrators with a good understanding of BIND configuration files should perform
these operations.
The prerequisites, limitations and procedures to follow are all described in the appendix Config-
uring Non-Supported BIND Options.
Once the non-supported options are included to the configuration file, they are processed like
any other option unless their syntax is incorrect or the option itself was already set. In which case,
the included options are ignored until the proper changes have been made.
You can implement anycast via the routing protocols OSPF, BGP and IS-IS and relies on
a Quagga package, a host-based routing software, already stored on the appliance.
545
Configuring DNS Servers
Prerequisites
• Several servers in a pool must share 1 or anycast IPs.
• The servers must advertise their IP(s) to their neighboring routers.
• The routers exchange the routes information. That way if one server fails, the routers automat-
ically recompile the routing tables to redirect the DNS clients.
• The 3 steps anycast configuration must be completed on all the appliances that manage a
DNS server that you intend to include to the anycast routing scheme. This applies whether the
servers are managed via a smart architecture or not.
With this type of topology, the anycast IP address is advertised from multiple locations and the
router ends up choosing the best path to that IP address, according to the metric in use by the
routing protocol. Once you finished the configuration detailed in the sections below, the DNS
servers managed via SOLIDserver use anycast.
SOLIDserver contains a Quagga package that must be taken into account in the system config-
uration file to be used.
546
Configuring DNS Servers
Note that you can support more than one routing protocol if you specify several daemons
in the configuration file, separated by a space. It could be set as follows quagga_dae-
mons="zebra ospfd bgpd isisd".
e. Add the following line to the file to specify the anycast dedicated IP address:
# Expected syntax: ifconfig_<interface-name>_alias0="inet <IP-address> netmask <netmask>"
# Example:
b. Add the following line to the file to configure your access credentials:
hostname quagga-router
username root nopassword
Now you need to configure the package following the section below.
Once you configured the appliance to take into account the Quagga package, as detailed in the
section Configuring the Appliance for OSPF Anycast, you can configure the package and OSPF
routing.
547
Configuring DNS Servers
# Specify the name of the interfaces used by your clients. "bge1" and "lo0" are examples.
interface bge1
ip address 192.168.53.2/24
interface lo0
ip address 192.168.55.2/32
5. In this directory, create the OSPF configuration file using the following commands:
# emacs ospfd.conf
It should contain the appliance hostname, authentication details, response time, interfaces
dedicated to OSPF, access list and log file location like in the example below.
# more /data1/etc/quagga/ospfd.conf
hostname dns-anycast-1
# Specify the proper interface. "bge1" was specified in zebra.conf in our example.
interface bge1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 mypassword
ip ospf priority 0
ip ospf hello-interval 1
ip ospf dead-interval 5
router ospf
log-adjacency-changes
ospf router-id 192.168.53.2
area 20 authentication message-digest
area 20 nssa
network 192.168.53.0/24 area 20
redistribute connected metric-type 1
distribute-list ANYCAST out connected
!
access-list ANYCAST permit 192.168.55.2/32
To restart quagga
1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s
548
Configuring DNS Servers
3. In the file /var/log/zebra.log you can check the Quagga dedicated logs. If everything
went well, you should have three lines similar to the ones below:
// example of a sucssessfull configuration
You can make sure that DNS anycast is successfully implemented, on the router itself and on
SOLIDserver, via a set of commands that ensure that the IP addresses used during the configur-
ation are part of the routes.
549
Configuring DNS Servers
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
192.168.53.1 1 FULL/DR 36.591s 192.168.53.1 eth0:200.0.0.1 0 0 0
Prerequisites
With this type of topology, the anycast IP address is advertised from multiple locations and the
router ends up choosing the best path to that IP address, according to the metric in use by the
routing protocol. Once you finished the configuration detailed in the sections below, the DNS
servers managed via SOLIDserver use anycast.
BGP routing protocol prerequisites, you must have the following information ready:
• Make sure the network flows are properly configured, as detailed in the appendix Matrices of
Network Flows.
• Have the following information ready:
• The local AS Number, EfficientIP AS Number.
• The remote AS Number, the client AS Number.
• The Anycast IP address.
• The Neighbor IP address.
550
Configuring DNS Servers
SOLIDserver contains a Quagga package that must be taken into account in the system config-
uration file to be used.
Note that you can support more than one routing protocol if you specify several daemons
in the configuration file, separated by a space. It could be set as follows quagga_dae-
mons="zebra ospfd bgpd isisd".
e. Add the following line to the file to specify the anycast dedicated IP address:
# Expected syntax: ifconfig_<interface-name>_alias0="inet <IP-address> netmask <netmask>"
# Example:
b. Add the following line to the file to configure your access credentials:
hostname quagga-router
username root nopassword
551
Configuring DNS Servers
reboot
Now you need to configure the package following the section below.
Once you configured the appliance to take into account the Quagga package, as detailed in the
section Configuring the Appliance for BGP Anycast, you can configure the package for BGP
routing.
# Specify the name of the interfaces used by your clients. "bge1" and "lo0" are examples.
interface bge1
ip address 192.168.53.2/30
interface lo0
ip address 192.168.55.2/32
5. In this directory, create the BGP configuration file using the following commands:
# emacs bgpd.conf
It should contain the appliance hostname, authentication details, response time, interfaces
dedicated to BGP, access list and log file location like in the example below.
# more /data1/etc/quagga/bgpd.conf
hostname dns-anycast-1
password zebra
log syslog
router bgp 64500
bgp router-id 192.168.53.2
network 192.168.56.1/32
timers bgp 5 10
neighbor 192.168.53.1 remote-as 65000
neighbor 192.168.53.1 soft-reconfiguration inbound
neighbor 192.168.53.1 activate
552
Configuring DNS Servers
To restart quagga
1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s
To make sure that DNS anycast is successfully implemented, on the router itself and on
SOLIDserver, you can use a set of commands that ensure the IP address used during the con-
figuration are part of the routes.
553
Configuring DNS Servers
Sent Rcvd
Opens: 2 2
Notifications: 1 0
Updates: 2 0
Keepalives: 50 43
Route Refresh: 0 0
Capability: 0 0
Total: 55 45
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Inbound soft reconfiguration allowed
Community attribute sent to this neighbor(both)
0 accepted prefixes
Connections established 2; dropped 1
Last reset 00:02:02, due to BGP Notification send
Local host: 192.168.53.2, Local port: 27184
Foreign host: 192.168.53.1, Foreign port: 179
Nexthop: 192.168.53.2
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Estimated round trip time: 105 ms
Read thread: on Write thread: off
Prerequisites
554
Configuring DNS Servers
• The routers exchange the routes information. That way if one server fails, the routers automat-
ically recompile the routing tables to redirect the DNS clients.
• The 3 steps anycast configuration must be completed on all the appliances that manage a
DNS server that you intend to include to the anycast routing scheme. This applies whether the
servers are managed via a smart architecture or not.
With this type of topology, the anycast IP address is advertised from multiple locations and the
router ends up choosing the best path to that IP address, according to the metric in use by the
routing protocol. Once you finished the configuration detailed in the sections below, the DNS
servers managed via SOLIDserver use anycast.
SOLIDserver contains a Quagga package that must be taken into account in the system config-
uration file to be used.
Note that you can support more than one routing protocol if you specify several daemons
in the configuration file, separated by a space. It could be set as follows quagga_dae-
mons="zebra ospfd bgpd isisd".
e. Add the following line to the file to specify the anycast dedicated IP address:
# Expected syntax: ifconfig_<interface-name>_alias0="inet <IP-address> netmask <netmask>"
# Example:
555
Configuring DNS Servers
b. Add the following line to the file to configure your access credentials:
hostname quagga-router
username root nopassword
Now you need to configure the package following the section below.
Once you configured the appliance to take into account the Quagga package, as detailed in the
section Configuring the Appliance for IS-IS Anycast, you can configure the package for IS-IS
routing.
5. In this directory, create the IS-IS configuration file using the following commands:
# emacs isisd.conf
It should contain interfaces used for IS-IS communication and for anycast, an IS-IS address
and log file location like in the example below:
# more /data1/etc/quagga/isisd.conf
hostname dns-anycast-1
password mypassword
enable password mypassword
556
Configuring DNS Servers
interface em3
ip router isis ISIS_0
interface lo0
ip router isis ISIS_0
To restart quagga
1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s
3. In the file /var/log/zebra.log you can check the Quagga dedicated logs using the fol-
lowing command:
# tail -f /var/log/zebra.log
To make sure that DNS anycast is successfully implemented, on the router itself and on
SOLIDserver, you can use a set of commands that ensure the IP address used during the con-
figuration are part of the routes.
557
Configuring DNS Servers
[...]
192.168.99.0/32 is subnetted, 1 subnets
i L1 192.168.99.8 [115/20] via 192.168.1.50, 00:00:33, FastEthernet0/0
[...]
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS
resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses ori-
ginate from Cisco Umbrella and haven't been tampered with.
Note that:
• The DNSCrypt protocol uses the port 443, in TCP and UDP, which is usually reserved to HTTPS.
It is possible that some equipments, such as firewalls, IDP or IPS detect a wrongful use of the
port. Make sure these equipments are configured to allow this traffic.
• You cannot integrate Cisco Umbrella on Hybrid servers. For more details on Hybrid servers,
refer to the chapter Hybrid DNS Service.
• Once you integrated Cisco Umbrella, you can complete the CLI configuration and forward the
client IP address. For more details, refer to the section Forwarding the Client IP Address.
2
For more details regarding Cisco Umbrella services, refer to the proprietary website at https://umbrella.cisco.com/.
558
Configuring DNS Servers
c. Retrieve your DNSCrypt parameters using the script umbrella_setup. You must specify
the API key and API secret you copied earlier and the name of the device of your choice,
as defined in your Network Devices list, as follows:
/usr/local/nessy2/script/umbrella_setup <Your-Cisco-Umbrella-API-Key>
<Your-Cisco-Umbrella-API-Secret> <Your-Network-Devices-Cisco-Umbrella-Device-Name>
559
Configuring DNS Servers
3. Add the following line to the file to specify the IP address dedicated to the proxy
DNSCrypt:
ifconfig_lo0_alias53="inet 127.0.1.53 netmask 255.0.0.0"
Now, every DNS query trafficking through the appliance is directly forwarded to the
Cisco Umbrella Cloud for resolution using your organization ID and device ID, and
therefore, your Umbrella policies.
k. Repeat all the steps for each appliance you want to configure.
If you have cascaded several resolvers, the IP address of a client is overwritten every time it is
forwarded. Therefore, once the query gets to the resolver that actually performs the resolution,
the source IP address it receives is no longer the one of the original client. Forwarding the original
client IP address between resolvers allows to track it, no matter how many resolvers forwarded
the original query.
To enable forwarding of the client IP address, you must configure the statement server with
the following options:
• edns-opendns set to yes.
• edns-opendns-orgid set with the administrative value of your choice, it must be composed of
digits. If you did not integrate Cisco Umbrella you can specify any value, otherwise you must
specify the relevant organization ID.
560
Configuring DNS Servers
• edns-opendns-deviceid set with the administrative value of your choice, it must be hexadecimal.
If you did not integrate Cisco Umbrella you can specify any value, otherwise you must specify
the relevant device ID.
If you prefer to forward the client IP address declared in the OpenDNS EDNS option, you must
also set the option:
• edns-opendns-forward to yes. If you integrated Cisco Umbrella on any of your cascaded resolv-
ers, you should enable this option to benefit from Umbrella full reporting capabilities.
Note that:
• You should not set the option edns-opendns-forward on the closest server to the DNS clients.
• You cannot forward the client IP address on Hybrid servers. For more details on Hybrid servers,
refer to the chapter Hybrid DNS Service.
• DNS Guardian servers provide dedicated parameters to identify and monitor clients using their
IP address or EDNS options. For more details, refer to the section Managing Guardian Views
in the chapter Managing Guardian Protection.
If you did not integrate Cisco Umbrella you can specify any value, it must be composed
of digits.
c. You must specify the device ID as follows:
edns-opendns-device <your-device-id>;
If you did not integrate Cisco Umbrella you can specify any value, it must be hexadecimal.
d. You can forward the client IP address declared in the OpenDNS EDNS option as follows:
edns-opendns-forward yes;
If you did not enable edns-opendns and set the edns-opendns-orgid and edns-opendns-
device with a value, the option is ignored.
561
Configuring DNS Servers
4. Make sure the whole configuration file is still viable using the command::
If no errors are returned and the configuration file is OK, go to the next step. If not, you must
edit the content of the included file because incorrect configurations are ignored.
5. Once the configuration is OK, restart the DNS daemon to take into account your changes
with the command:
service ipmdns.sh restart
562
Chapter 37. Managing DNS Views
You can add and manage views to serve one version of a zone to one set of clients and a different
version of a zone to another set of clients. A view can manage DNS zones and RPZ zones.
Views provide a different answer to the same DNS query, depending on the IP source of the
query or the IP where the client packet is received. You can add multiple views of a given zone,
with a different set of records in each of them. You can also have common resource records in
multiple zones.
DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE
563
Managing DNS Views
Delayed create The creation or update is delayed until the view is created on the physical server(s) of the
smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the view is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.
You can also rely on the column Multi-status to monitor your view configuration with messages
regarding the compatibility with Hybrid. For more details, refer to the section Understanding the
Column Multi-Status.
The list match-clients filters access based on the location of the query. It allows to define which
IP address or network is able, or not, to access the zone(s) managed by the view.
Figure 37.2. Defining access to zones using the list match-clients of two views
564
Managing DNS Views
The list match-destinations filters access based on the interface receiving the query. It allows
to define through which interface it possible, or not, to access the zone(s) managed by the view.
Figure 37.3. Defining access to zones using the list match-destinations of two views
Keep in mind that if you add views in a server that already contains zones, all the zones
are moved to that view. If you need several views, you have to add another view and then move
the zones in the view of your choice. For more details regarding zones migration, refer to the
section Copying or Moving DNS Zones. Once you add one or more views, you can no longer
manage zones independently. All zones belong to a view.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field DNS view name, type in a unique and explicit name. This name cannot contain
special characters, it can only contain letters and numbers.
If you want to add a view and configure it later, click on NEXT until to get to the last page of
the wizard and click on OK to complete the operation. The default configuration settings of
a view are detailed after this procedure.
7. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
565
Managing DNS Views
Make sure the order of the values in the list ACL values suits your needs: the order of
the elements listed is important as each restriction or permission is reviewed following
the order you set in the list. To order the entries, select them one by one and click on
the arrows to move them up or down .
10. Click on NEXT . The page Match destinations opens.
11. You can configure the list ACL values as detailed in step 9.
12. Click on NEXT . The page DNS views order opens.
13. In the field DNS views order, the view you are adding is listed. It is always listed at the bottom
of the list.
Once you added more than one view, you can order the list using and . Within a server,
each view match clients and match destinations is reviewed following the order set in this
field. For more details, refer to the section Editing the Order of the Views.
14. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the configuration is visible in the columns Match clients and Match destinations.
Note that:
• By default, if you do not configure any list for a view:
• The match clients is configured with a key named key <viewname>.
566
Managing DNS Views
• The match destinations is configured with a key key <viewname> and the ACL any. If you
do not edit or delete this ACL, it grants access to anyone.
• Adding a view automatically edits the match clients and match destinations of the existing
view(s), with a key ! key <newviewname>. This ensures that the views deny access to each
other and manage separate zones and RRs.
• Every time you add a new view, the Status of all the views changes from OK to Delayed
create while their match clients is being updated. Once it is done, they all change back to OK.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. You cannot edit the field DNS view name, the view name is displayed in gray.
6. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
7. Click on NEXT . The page Match clients opens.
8. To add permissions and restrictions to the ACL, configure the Type and Restriction as detailed
in the procedure, fill in the fields as detailed in the procedure Configure the list ACL values.
9. To edit the permissions and restrictions of the ACL values:.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
1
The destination IP address is actually a DNS server interface.
567
Managing DNS Views
To order the entries, select them one by one and click on the arrows to move them up or
down .
10. Click on NEXT . The page Match destinations opens.
11. Edit the list ACL Values as detailed in step 7.
12. Click on NEXT . The page DNS views order opens.
13. In the field DNS views order, reorder the views according to your needs using and . For
more details, refer to the section Editing the Order of the Views below.
14. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the changes are visible in the columns Match clients and Match destinations.
Ordering views on a server allows to specify in which order the match client and match destination
configurations of each view (ACL, networks, etc.) are reviewed. This, in turn, impacts the DNS
client queries responses. The order of the views you set is followed strictly: once a match is
found, the rest of the restrictions and permissions are ignored. The first view reviewed is 0, the
second on is 1, and so forth. This order is saved in the DNS server configuration.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
7. Click on NEXT . The page Match clients opens.
8. Click on NEXT . The page Match destinations opens.
9. Click on NEXT . The page DNS views order opens.
10. In the field DNS views order, reorder the views according to your needs using and .
11. Click on OK to complete the operation. The report opens and closes. The page refreshes.
The new order set is visible in the column Order.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
568
Managing DNS Views
If you want get rid of all the views and manage zones via the DNS server itself, refer to the section
Going Back to Managing Zones Without Views.
To delete a view
1. In the sidebar, go to DNS > Views. The page All views opens.
2. Filter the list if need be.
3. Tick the view you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The view is in Delayed
delete until it is no longer listed. If the server has several views, the zones and records
managed by the view you delete are deleted as well.
Granting access to a view as a resource also makes every item it contains available. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
With that in mind, we recommend that you follow the steps below to successfully get rid of the
views when you no longer need them.
569
Managing DNS Views
2. Migrate all the zones you want to keep in that view. For more details regarding zones migra-
tion, refer to the section Copying or Moving DNS Zones.
3. One by one, tick and delete the unwanted views. For more details, refer to the procedure
To delete a view.
4. Once the only remaining view is the one that holds all the zones you want to work with, tick
it and delete it. The zones and RRs it contains are kept and still listed in the pages All zones
and All RRs of the server. Now you can manage them through the server directly.
570
Chapter 38. Configuring DNS Views
Like EfficientIP DNS servers, the views can be configured individually from their properties page
to set a series of behaviors for the zones they contain.
Any configuration set at view level overwrites what was set at server level, on physical servers
or smart architectures.
571
Configuring DNS Views
7. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, your configuration is
displayed.
You can set a specific forwarding configuration for a view belonging to a physical server
managed via a smart architecture. This new configuration is inherited by the zones and records
of the view. Keep in mind that:
• When a forward mode is set on a smart architecture view, you cannot set the forward mode
to None on a view belonging to a physical server managed via a smart architecture. You can
only set a different forward mode.
• Any configuration set at zone level overrides the view level configuration.
9. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, the Forward value is
preceded by the message Smart configuration is overwritten.
To revert the specific configuration and inherit it again, edit the Forwarding to untick the box
Overwrite the smart settings.
572
Configuring DNS Views
Within SOLIDserver, the notification configuration is done from the panel Notify of the properties
page. This panel displays:
• The notification type configured for the view,
• The slave zones that receive the notify messages through their managing view (Also notify),
• The allow-notify directive of the view slave zones. For instance, you can allow all the servers
of a network to notify the slave zones of your server or only a few.
Note that there is an implicit allow-notify directive set when you add a slave zone: when you set
the Master IP address of the slave zone you are allowing the master zones of this server to send
notify messages to your slave zone.
Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.
7. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, type in the IP address of another server. The notify message is
sent if you chose the notify type Yes or Explicit.
b. In the field Port, you can specify the port number that should receive the notify messages
on the server you specified in the previous field.
c. Click on ADD . The IP address and port number are displayed in the list Also notify as
follows: <ip-address> port: <port-number>.
8. Click on NEXT . The page Allow notify opens. It allows to specify if the view slave zones can
receive master zones notification messages.
573
Configuring DNS Views
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
9. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again. Your configurations are displayed in the panel Notify.
From the view properties page, you can edit its recursive behavior through the panel Recursion.
By default, its content is inherited from the server.
Keep in mind that any configuration set at view level overrides the server level configuration.
574
Configuring DNS Views
Once the recursion is restricted at view level, it overrides the server recursion configuration
and applies to the zones it contains.
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
575
Configuring DNS Views
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
Allow Query
You can specify which hosts are allowed to issue DNS queries.
The allow-query configuration set at view level overrides the allow query defined at server level.
Once the statement is set for a view, it applies to all the zones it contains.
Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
576
Configuring DNS Views
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
6. Click on NEXT twice to skip the page Allow-query-cache and open the page Allow-transfer.
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again, your configuration is listed in the list Allow-query of the panel Access control.
The allow query cache configuration set at view level overrides the allow query cache
defined at the server level. Once the statement is set for a view, it applies to all the zones it
contains.
Allow-query-cache statement particularities
The allow-query-cache is independent from the allow-query statement but closely linked to
the allow-recursion statement.
If the recursion is set to no, the cache cannot be queried, so it is useless to set an allow-
query-cache match list.
If the recursion is set to yes and the allow-recursion statement is not defined, by default the
localhost and localnets are permitted to query the server cache.
If the recursion is set to yes and the allow-recursion statement is defined with a specific match
list, the local cache access is granted to all the entries of the allow-recursion match list.
The match list defined controls recursive behavior as recursive queries would be useless without
access to the local view cache. Typically, if a host is in the allow-recursion match list, it could
access the view the first time and get query result. However, if it is not part of the allow-query-
cache match list then it would not be able to make the same query a second time as it would be
saved on the cache to which it does not have access. On the contrary, if a host is in the allow-
query-cache match list but not in the allow-recursion match list, it would only get results for
queries already sent by another host with the proper access rights. Hence the need to configure
carefully both these statements to avoid conflicts and absurd access configurations.
577
Configuring DNS Views
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
7. Click on NEXT . The page Allow-transfer opens.
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again, your configuration is listed in the list Allow-query-cache of the panel Access
control.
The allow-transfer option configuration basically creates an ACL dedicated to controlling transfers
so keep in mind that the order of the elements listed in the field ACL values is important as
each restriction or permission is reviewed following the order you set in the list.
The allow-transfer property set at view level overrides the allow query defined at server level.
Once the statement is configured at view level, it applies to all the zones it contains.
Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.
578
Configuring DNS Views
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel displays different options: Allow-query,
Allow query cache and Allow-transfer.
4. Click on EDIT . The wizard Allow-query opens.
5. Click on NEXT . The page Allow query cache opens.
6. Click on NEXT . The page Allow-transfer opens.
7. Set up the allow-transfer match list.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again, your configuration is listed in the list Allow-transfer of the panel Access
control.
These options set at view level override the server level configuration. Once they are con-
figured at view level, they apply to all the zones it contains.
For more details regarding these two options, refer to the section Configuring Client Resolver
Cache Options at Server Level.
579
Configuring DNS Views
These options set at view level override the server level configuration. Once they are con-
figured at view level, they apply to all the zones it contains.
For more details regarding these options, refer to the section Configuring EDNS Options at
Server Level.
580
Configuring DNS Views
For more details regarding the sortlist statement, refer to the section Configuring a Sortlist at
Server Level.
Keep in mind that any configuration set at view level overrides the server level configuration.
Configuring DNS sources allows to set physical interfaces at view level to be systematically used
for all notify operations and zone transfer. DNS sources configuration can be inherited from the
server. If set at view level, it is inherited by the zones. The inheritance details are visible on both
the views and zones properties page.
Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.
From the Sources and Sources V6 panels, through their IP address, you can configure physical
interfaces to be used for the view transfer and notify options. When editing these panels, you
can define the following statements:
query-source
This statement allows to define the IPv4 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker
581
Configuring DNS Views
would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
query-source-v6
This statement allows to define the IPv6 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker
would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
transfer-source
This statement allows to determine the IPv4 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
transfer-source-v6
This statement allows to determine the IPv6 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
use-alt-transfer-source
This statement allows to set the use of an alternate interface IP address for the transfer if
the transfer-source or the transfer-source-v6 were to fail. This statement configuration is
displayed on the physical server, view and slave zones properties page.
This statement definition is only configurable from the panel Sources but applies to interfaces
whether they were identified through an IPv4 or an IPv6 address.
Its default value is no if the server contains views and yes if the server does not contain any
view.
alt-transfer-source
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
alt-transfer-source-v6
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
notify-source
This statement allows to define the IPv4 address of the physical interface used for all the
server outgoing notify operations. You can also specify a port for this statement. It is used
by master zones and its configuration is therefore displayed on the physical server, views
and master zones properties page.
582
Configuring DNS Views
notify-source-v6
This statement allows to define the IPv6 address of the physical interface used all the server
outgoing notify operations.You can also specify a port for this statement. It is used by master
zones and its configuration is therefore displayed on the physical server, views and master
zones properties page.
583
Configuring DNS Views
a. In the field Notify-source address, type in the IPv4 address to be used for outgoing
notify operations. Specify an interface that you already configured on the appliance.
b. In the field Notify-source port, you can specify which port on the interface should be
used.
6. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and displays the values you defined.
584
Chapter 39. Managing DNS Zones
When deploying a name server, it is important to understand the difference between a zone and
a domain. A zone is a delegated point within a DNS structure, and is made up of adjoining elements
of the domain structure, which are governed by a name server.
SOLIDserver allows you to create and manage 6 types of zones: Master, Slave, Forward, Stub,
Hint and Delegation-Only. Each type of zone provides specific options that you can set when
creating or editing the zones.
If you want to create RPZ zones, refer to the chapter DNS Firewall (RPZ).
DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE
The properties page displays the configuration details of each zone in a set of panels. For more
details regarding how to edit the panel Name servers, Forwarding, Notify, Sources or Sources
V6 of a zone, refer to the chapter Configuring DNS Zones.
585
Managing DNS Zones
Delayed create The creation or update is delayed until the zone is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1
minute.
Delayed delete The deletion is delayed until the zone is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.
Timeout The zone is not available.
Not authoritative The zone configuration is incorrect, in the SOA another server was set as authoritative.
Refused The DNS server refuses the transfer between the current zone and the management
platform, check the parameter allow-transfer on the zone or server properties page.
No RR Only for forward zones. There is no RR to transfer for the zone.
N/A Only for Amazon Route 53 servers. The zone is not a Master or does not have a
TLD.
Moreover, the column Multi-status provides you with emergency, warning, critical, error or inform-
ational messages regarding the compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.
Note that:
• SOLIDserver can be used for Hosting Active Directory Domain Zones.
• You can also import zones, for more details refer to the section Importing Zones in the chapter
Importing Data from a CSV File.
If you want to create RPZ zones, refer to the chapter DNS Firewall (RPZ).
586
Managing DNS Zones
The most common use of Master zones is to configure them with a slave zone of the same name
that stores all its records, in a Master/Slave configuration where the master server contains the
master zones and the slave server contains the slave zones. However, if you want to make the
DNS available at all times, you can use a multiple master configuration. In which case, all DNS
servers are master servers for each zone. This disposition requires to propagate any change,
made to a zone file or the DNS configuration, to every DNS server configured as master.
Therefore, we recommend that you manage your master servers through a DNS Multi-Master
smart architecture. For more details regarding its configuration, refer to the section Multi-Master
Smart Architecture.
If you want to create an RPZ master name zone, refer to the chapter DNS Firewall (RPZ).
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically and specified in the zone details on the next page of the wizard.
If your server does not contain any view, the page is not displayed.
6. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the list DNS zone type, select Master.
8. In the list DNS zone resolution: select Name or Reverse and click on NEXT . The next page
opens.
9. Configure the zone's basic parameters.
a. For a Name zone:
587
Managing DNS Zones
10. If you are managing an Active Directory integrated Microsoft DNS server, you might want to
configure the Expert Mode and/or AD integrated parameters. If not, go to step 11.
588
Managing DNS Zones
Note that the column AD integrated on the page All zones allows to display the AD integration
configuration (Yes, No, N/A) of each zone. For more details, refer to the section Customizing
the List Layout.
11. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
12. Click on NEXT . The last page opens.
13. All fields are compulsory and automatically filled, they configure the SOA of the zone. You
can edit them.
You can set the value by default for the parameters above, except for the Primary server
and Serial number. For more details, refer to the procedure To configure the default SOA
parameters of Master zones below.
14. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK.
During the first Master zone addition, the allow-update option is by default configured
with the ACL admin. Within SOLIDserver admin corresponds to any, so you might want to
change the ACL and restrict the option use. For more details, refer to the section Configuring
DNS Update Authorizations on a Zone. Note that you can also configure such ACL for sev-
eral zones at once. For more details, refer to the section Setting Authorizations.
You can edit a master zone at any time. For more details, refer to the section Editing a Master
Zone.
Note that you can configure default values for the SOA record that is automatically created when
you add a master zone.
589
Managing DNS Zones
3. Edit the fields with the values you want to be automatically used when adding a master zone:
4. Click on OK to complete the operation. The report opens and closes. When adding a master
zone, the DNS zone advanced parameters now auto-completes with the values you indicated
for the SOA.
They are usually created on slave name servers that receive their information from master name
servers through a zone transfer, the master zone and the slave zone on each server are named
the same. During the zone transfer, the master zone sends a NOTIFY to all the slave zone(s) it
knows. The zone content is only sent to the slave zones authorized to receive the transfer, the
other zones receive an error message. Note that several master servers can be configured for
one slave server.
If you want to create an RPZ slave name zone, refer to the chapter DNS Firewall (RPZ).
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
590
Managing DNS Zones
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the list DNS zone type, select Slave.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.
a. For a Name zone:
11. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
591
Managing DNS Zones
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
12. Click on NEXT . The last page opens.
13. Set up the list of master servers for the zone using the table below:
Once the IP, port and key are configured, click on ADD . The configuration is moved to the
list Masters.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
592
Managing DNS Zones
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the list DNS zone type, select Forward.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.
a. For a Name zone:
11. If you are managing a Microsoft DNS server through a smart architecture, you might want
to configure the parameters of the Expert Mode:
593
Managing DNS Zones
12. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on NEXT . The last page opens.
14. Configure the forwarders and forward mode for the zone. The fields Forwarders list and
Forward Mode are mandatory.
a. In the field Add a forwarder (IP), type in the IP address of the master server to which
the queries should be forwarded to and click on ADD .
The IP address is moved to the Forwarders list. Repeat these actions for as many
servers as needed. The order of the servers in the list is not important.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
b. Select a Forward Mode for the zone, it can be either First, Only or None. This field is
mandatory.
594
Managing DNS Zones
Once the server IP address and the forward mode are configured, click on . The
configuration is moved to the Forwarders list.
15. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the list DNS zone type, select Stub.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.
a. For a Name zone:
595
Managing DNS Zones
Field Description
updated by the zone records. For more details, refer to the section Configuring
DNS Advanced Properties.
a
Available on IETF website at https://tools.ietf.org/html/rfc1034.
11. If you are managing a Microsoft DNS server through a smart architecture, you might want
to configure the parameters of the Expert Mode:
596
Managing DNS Zones
Field Description
ted by default, it is the only option available for zones created in a smart archi-
tecture. This option is not available for Stub zones.
All DNS servers in the AD domain: select this option to replicate the zone
parameters and content to all the DNS servers of the AD domain.
All DNS servers in the AD forest: select this option to replicate the zone para-
meters and content to all the DNS servers of the AD forest.
12. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
13. Click on NEXT . The last page opens.
14. Set up the list of master servers for the zone using the table below:
Once the IP, port and key are configured, click on ADD . The configuration is moved to the
list Masters.
The hint zone updates the local server cache with a list of the 13 root-servers saved in the form
of A records (from a.root-servers.net to m.root-servers.net). Therefore, one hint zone per server
or view is enough. When the server starts up, it uses the hint zone to query a root zone and obtain
the complete list of the current authoritative root servers. This list is then used by the name
server as a starting point for any domain query, if there is no locally defined zone (slave or master)
or cached answers. A hint zone should be updated every 12 months or whenever there are dis-
crepancies returned in the log messages, when the DNS server loads for instance.
597
Managing DNS Zones
Note that the hint zone can also contain an internal list and be used locally; in this case, the
configuration is running an internal name service on a closed network, or the name server is not
defined but recursive queries are required.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the list DNS zone type, select Hint.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
11. Click on OK to complete the operation. The report opens and closes. The zone is listed,
named and marked OK.
When a zone is declared as delegation-only, it does not contain any record. You can use deleg-
ation-only zones to filter out wildcard or synthesized data from NAT boxes or from authoritative
name servers whose undelegated (in-zone) data is of no interest.They can also be used to enforce
the delegation-only status of infrastructure zones (e.g. COM, NET, ORG).
The name of the delegation-only zone is the domain for which you send the NXDOMAIN response,
any subdomain responds normally.
598
Managing DNS Zones
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the list DNS zone type, select Delegation-Only.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.
a. For a Name zone:
599
Managing DNS Zones
Field Description
Reverse type Select the reverse resolution method: IPv4 in-addr.arpa, E164 arpa, IPv6 int
or IPv6 arpa. Once selected, the extension is automatically displayed in the
field Name. This field is mandatory.
IPv4 in-addr.arpa You can select this field to configure IPv4 reverse-mapping.
E164 arpa You can select this field to configure telephone number mapping for the
zone, it uses the phone numbers dedicated reverse mapping domain suffix
(e164.arpa).
IPv6 int You can select this field to configure IPv6 reverse-mapping. Note that this
extension is deprecated, so unless your IPv6 configuration is older than 2001
we recommend that you use the IPv6 arpa extension. For more details, refer
a
to RFC 4159 .
Ipv6 arpa You can select this field to configure IPv6 reverse-mapping.
View Select the view in which the zone should be created. If there are no views
in the selected server, the list is empty.
Space You can select an existing IPAM space to associate with the zone or None.
If DNS to IPAM advanced properties are configured, the selected space is
updated by the zone records. For more details, refer to the section Configuring
DNS Advanced Properties.
a
Available on IETF website at https://tools.ietf.org/html/rfc4159.
Keep in mind that the name of your delegation-only zone is a domain that, once querried,
sends an NXDOMAIN response to the client.
11. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The zone is listed and
marked OK.
On Active Directory integrated Microsoft DNS servers, when you add Master, Slave, Forward or
Stub zones the box AD integrated allows to set up the AD replication of your choice. Note than
once set, you cannot edit the AD replication configuration unless you delete the zone and recreate
it. For more details, refer to the sections Adding a Master Zone, Adding a Slave Zone, Adding a
Forward Zone or Adding a Stub Zone.
Keep in mind that the DNS Multi-Master smart architecture can reproduce Microsoft's Multi-
Master behavior. For more details, refer to the section Multi-Master smart architecture.
You can synchronize zones to force a retrieval of the latest changes and records.
600
Managing DNS Zones
To synchronize zones
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) you want to synchronize.
3. In the menu, select Edit > Status > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation.The report opens and closes when the synchronization
is over. The page reloads.
You can also synchronize the entire content of a zone, rather than only the latest change. The
option Force full synchronization retrieves and uploads the complete content of a zone and resets
the serial number of the SOA of the zone.
Resetting the SOA serial ensures that the entire zone data is up to date. It can be useful if you
restored a server that you used to manage, as you might have a synchronization drift between
the data that SOLIDserver stored locally and all the changes that have been performed directly
on the server since you last managed it.
If you want to edit RPZ zones, refer to the chapter DNS Firewall (RPZ).
The top gray area sums up the zone parameters: its Name, Type, Server and View.
4. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
601
Managing DNS Zones
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. Edit the SOA parameters if need be.
8. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).
You can also add and delete NS records, for multiple master zones at once, from the page All
zones.
The top gray area sums up the zone parameters: its Name, Type, Server and View.
4. If you or your administrator created classes at zone level, in the list DNS zone class select
a class or None.
602
Managing DNS Zones
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. If you want to add another master server, refer to the step 14 of the procedure To add a
slave zone.
8. If you want to edit a server, select it in the list Masters.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
603
Managing DNS Zones
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. If you want to add another forwarding master server refer to the step 14 of the To add a
forward zone procedure.
8. In the fields Add a forwarder (IP) and Forward Mode, fill in the address of the master server
and select if the zone should forward Only or send a query First.
9. If you want to delete a server, select it in the list Forwarders list and click on . The server
is no longer listed in the list.
10. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the Space if need be. Note that you cannot edit any other parameter, including the
configuration of the parameters AD integrated and AD replication.
In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. If you want to add another master server refer to the step 14 of the To add a stub zone pro-
cedure.
8. If you want to edit a server, select it in the list Masters.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).
604
Managing DNS Zones
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, meaning that only the
fields/options that your administrator included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields. For more details,
refer to the relevant section of the chapter Managing Advanced Properties.
605
Managing DNS Zones
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).
606
Managing DNS Zones
6. Click on OK to complete the operation. The report opens and closes. The page All zones
reloads.
7. In the column Name, click on the name of the zone(s) you edited to display the records it
now contains.
To copy a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone (s) you want to copy on another server or view.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving zones opens.
4. In the drop-down list Method, select Copy.
5. In the drop-down list Target server, select the DNS server where you want to copy the se-
lected zone. The wizard refreshes.
6. If the selected server has views, the drop-down list Target view appears, select the view of
your choice. The wizard refreshes.
7. Tick the box Asynchronous to run the creation of records in the background. This option
shortens the process but the records do not appear instantly on the page All RRs.
8. Click on OK to complete the operation. The report opens and closes. The page All zones is
visible again and displays the duplicated zone. If you selected a view, the zone is also listed
in the list All zones of said view.
To move a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone (s) you want to copy on another server or view.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving zones opens.
4. In the drop-down list Method, select Move.
5. In the drop-down list Target server, select the DNS server where you want to move the se-
lected zone. The wizard refreshes.
6. If the selected server has views, the Target view drop-down list appears, select the view of
your choice. The wizard refreshes.
7. Tick the box Asynchronous to run the creation of records in the background. This option
shortens the process but the records do not appear instantly on the page All RRs.
8. Click on OK to complete the operation. The report opens and closes. The page All zones is
visible again and displays the migrated zone. If you selected a view, the zone is also listed
on the page All zones of said view.
607
Managing DNS Zones
forwarders, master servers or configure authorizations for specific users. Keep in mind that you
can define new settings or use the parameters of existing zones.
Setting a Space
You can associate multiple zones, of any type, with the same IPAM space.
Setting Authorizations
You can set different types of authorizations and restrictions at zone level to limit zone transfers
and queries or manage DNS update. You can set the same authorizations properties for multiple
zones at once.
• You can configure the allow-transfer authorization only for master and slave zones.
• You can configure the allow-query authorization only for master, slave and stub zones.
• You can configure the allow-update authorization only for master zones.
608
Managing DNS Zones
Type Description
TSIG key Allow or deny a DNS key defined at server level in the panel Keys.
a
The ACL admin is used by EfficientIP's management platform to configure and exchange data with DNS
servers.
609
Managing DNS Zones
(!). Keep in mind that the entries order matters, each restriction or permission listed is
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
610
Managing DNS Zones
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
6. If you want to set the properties of an existing zone to the selected zone(s):
a. In the drop-down list Source, select Use existing zone parameters.The wizard refreshes
and the drop-down list Zone appears.
b. In the drop-down list Zone, select the zone whose properties you want to apply to your
selection.
7. If you want to set a specific update policy:
a. In the drop-down list Source, select New settings.
b. Tick the box Use GSS-TSIG/update-policy. The wizard refreshes, the update-policy re-
lated fields replace the other fields of the wizard.
c. Configure the dynamic update permissions and restrictions for your zone:
611
Managing DNS Zones
Option Description
RR type Select which record type(s) the configuration set in the previous fields applies to. It can
be Specific or Any.
Specific Configure permissions for the record types of your choice via the lists Available types
and Selected type(s). In the list Available types, select A, AAAA, CNAME, HINFO,
AFSDB, MX, PTR, NS, SRV, TXT, WKS, NSAP or DNAME and click on to move it
to the list Selected type(s). Repeat this action for as many record types as you need.
Any Allows to apply the configuration to all the update-policy record types: A, AAAA, CNAME,
HINFO, AFSDB, MX, PTR, NS, SRV, TXT, WKS, NSAP and DNAME.
d. Once you configured the fields, click on ADD . Your update-policy entry is moved to the
Update-policy list. The page refreshes.
e. You can configure as many entries as you want.
To organize the list, use the buttons and . Each restriction or permission is reviewed
and processed following the order set in the list.
8. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the zone(s) properties page, in the panel Main properties.
Setting Forwarders
You can associate multiple master, slave, forward and stub zones to the same forward parameters
at once.
612
Managing DNS Zones
You can force a notify, refresh or retransfer right away if needed. Keep in mind that:
• You can only force a zone content update on BIND and EfficientIP DNS servers. Other servers
do not support RNDC commands
• You cannot use these options on Hybrid DNS servers. For more details, refer to the chapter
Hybrid DNS Service.
The option Force notify allows to send a notify, or also-notify, from the zone(s) you select. Keep
in mind that:
• The option uses the information of NS records named like the zone you select. Therefore, it
cannot work if the selected zone does not contain at least one NS record named after the zone
itself.
• The notify, and also-notify, can be inherited from the server or view. If the notify is disabled on
the zone, the option cannot be used.
613
Managing DNS Zones
4. Click on OK to complete the operation. The report opens and closes when the operation is
over. The page reloads.
To also force the record creation, refer to the section Forcing DNS Zones Retransfer.
The option Force retransfer triggers the creation and update of the records present in the Master
zone(s), and their values, within the selected Slave zone(s). Note that:
• If your Slave zone contains more records than the Master zone, the option deletes the outdated
records.
• The option is taken into account immediately in the DNS database, but you need to synchronize
the zones to see them in the GUI.
To only update the values of the existing records of Slave zone(s), but not create new records,
refer to the section Forcing DNS Zones Refresh.
614
Managing DNS Zones
On smart architectures, you can disable a zone at any time. Once disabled, a zone is no longer
available and therefore cannot be queried.
Disabling a zone allows to maintain or edit its content without impacting the physical server that
manages it, it can be helpful if you intend to move or repair its managing server(s).
To enable/disable a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zones you want to enable or disable.
3. In the menu, select Edit > Status > Enable or Disable. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The zone Status
changes to OK or Unmanaged.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
To delete a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Filter the list if need be.
3. Tick the zone(s) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The zone is marked
Delayed delete until it is no longer listed.
615
Managing DNS Zones
Granting access to a zone as a resource also makes every item it contains available. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
616
Chapter 40. Configuring DNS Zones
Like EfficientIP DNS servers, smart architectures and views, zones can be configured individually
from their properties page to set a series of behaviors for the records they contain.
Any configuration set at zone level overwrites what was set at server level, on physical servers
or smart architectures, and view level.
If, for any of these reasons, you could benefit from delegating zones, it might make sense to re-
structure your namespace by adding additional zones. When choosing how to structure zones,
you should use a plan that reflects the structure of your organization. When delegating zones
within your namespace, be aware that for each new zone you add, you need delegation records
(NS) in other zones that point to the authoritative DNS servers for the new zone. This is necessary
both to transfer authority and to provide correct referral to other DNS servers and clients of the
new servers being made authoritative for the new zone.
To make a server known to others outside of the new delegated zone, two RRs are needed in
the parent zone to complete delegation to the new zone. These RRs include:
• An NS record to effect the delegation. This RR is used to advertise that the server named is
an authoritative server for the delegated subdomain.
• An A record (also known as a glue record) is needed to resolve the name of the server specified
in the NS record to its IP address. The process of resolving the host name in this record to the
delegated DNS server in the NS record is sometimes referred to as glue chasing. In reality,
the A record is not required when it comes to configuring zones delegation; however, if you
add it, you save the DNS client some time as you give in one query the authoritative server of
the child zone and IP address. That way, there is no need to query twice to first get the server
and then its IP address.
617
Configuring DNS Zones
3. In the panel Name Servers, click on EDIT . The wizard Authoritative DNS servers opens.
4. In the field DNS server name, type in the name of the server of your choice. Repeat these
actions for as many servers as needed.
5. Click on ADD . The server is moved to the list Authoritative DNS servers.
6. Click on NEXT . The page Delegated data opens.
7. In the field Delegation, type in the name of the RR and the server you want to delegate it
following the syntax: RRname > dnsserver.name.
8. Click on ADD . Your data is moved to the list Delegated data. Repeat these actions for as
many RRs and servers as needed.
9. Click on OK to complete the operation. The report opens and closes. The configuration
parameters are visible in the panel.
Configuring delegation only adds the NS record. For more details regarding the A record addition,
refer to the section Configuring the Delegation at Record Level.
In the parent master reverse zone, the classless in-addr.arpa delegation adds CNAME resource
records for each address you want to delegate. It also adds an NS record for each delegated
server. Note that the NS record of each delegated server can be added in a domain different
from in-addr.arpa using a suffix for the CNAME records value. For the reverse lookup to function
properly, the delegated server(s) should contain the PTR records associated with each address.
618
Configuring DNS Zones
10. Click on OK to complete the operation. The report opens and closes. The page All RRs is
visible again. There are as many CNAME records as delegated addresses and as many a
NS records as delegated servers. In the column Value, each address is listed according to
the format you chose, if you added a suffix, it is visible in that column as well.
b. Click on ADD to move it to the list Forwarders. Repeat these actions for as many forward-
ers as needed.
8. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, your configuration is
displayed.
You can set a specific forwarding configuration for a zone belonging to a physical server
managed via a smart architecture. Keep in mind that:
• When a forward mode is set on a smart architecture, you cannot set the forward mode to Default
on a zone belonging to a physical server managed via a smart architecture. You can only set
a different forward mode.
• Any configuration set at zone level overrides the view or server level configuration.
619
Configuring DNS Zones
b. Click on ADD to move it to the list Forwarders. Repeat these actions for as many forward-
ers as needed.
10. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, the Forward value is
preceded by the message Smart configuration is overwritten.
To revert the specific configuration and inherit it again, edit the Forwarding to untick the box
Overwrite the smart settings.
The notification configuration is done from the panel Notify of the properties page of each zone.
This panel displays:
• The notification type configured for the server,
• The slave zones that should receive the notify messages through their managing server,
• The allow-notify directive configuration of the slave zones. For instance, you can allow all the
servers of a network to notify the slave zones of your server or only a few.
Note that there is an implicit allow-notify directive set when you add a slave zone: when you set
the Master IP address of the slave zone you are allowing the master zones of this server to send
notify messages to your slave zone.
Keep in mind that any configuration set at zone level overrides the configuration set at
server or view level.
620
Configuring DNS Zones
3. At the end of the line of the master zone of your choice, click on . The properties page
opens.
4. Open the panel Notify using and click on EDIT . The wizard opens.
5. If you or your administrator created classes, the DNS zone class list is visible. Select a class
or None and click on NEXT . The next page opens.
6. In the drop-down list Notify, configure the zone notification behavior following the table below.
7. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, type in the IP address of another server. The notify message is
sent if you chose the notify type Yes or Explicit.
b. In the field Port, you can specify the port number that should receive the notify messages
on the server you specified in the previous field.
c. Click on ADD . The IP address and port number are displayed in the list Also notify as
follows: <ip-address> port: <port-number>.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again. Your notify and also-notify settings are displayed in the panel Notify.
621
Configuring DNS Zones
Field Description
No No notify message is sent when changes are performed in the master zones.
Yes The notify messages are sent to the target of the NS records of the master zone. It is also
sent to the IP address(es) specified in the field IP address below.
Explicit The notify messages are only sent to the IP address(es) specified in the field IP address
below.
7. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, type in the IP address of another server. The notify message is
sent if you chose the notify type Yes or Explicit.
b. In the field Port, you can specify the port number that should receive the notify messages
on the server you specified in the previous field.
c. Click on ADD . The IP address and port number are displayed in the list Also notify as
follows: <ip-address> port: <port-number>.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
8. Click on NEXT . The page Allow notify opens. It allows to specify if the slave zone can receive
master zones notification messages.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
622
Configuring DNS Zones
9. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again. Your notify, also-notify and allow-notify settings are displayed in the panel
Notify.
Keep in mind that once the allow query is configured at zone level, it overrides the config-
uration at server or view level.
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
623
Configuring DNS Zones
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
5. Click on NEXT . The page Allow-transfer appears.
6. Click on NEXT . The page Allow-update appears.
7. Click on OK to complete the operation. The report opens and closes. The parameters are
visible in the panel Access control, in the list Allow-query.
Keep in mind that once the allow-transfer is configured at zone level, it overrides the con-
figuration set at server or view level.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
624
Configuring DNS Zones
Dynamic update replaces or deletes records in a master server by sending it a special form of
DNS messages. The format and meaning of these messages is specified in RFC 2136 and indic-
ates which servers or clients are authorized to dynamically update the DNS master zones. By
default, all DNS update queries are rejected. Note that:
• You can only complete the master zones configuration from the GUI on EfficientIP and
Nominum servers
• You cannot edit the zone update authorizations of Generic servers from the GUI, it has to be
done locally.
• You cannot configure dynamic update on Microsoft servers as they do not support TSIG keys.
However you can configure them with secure dynamic update using GSS-TSIG keys. For more
details, refer to the section Configuring Secure Dynamic Update.
Keep in mind that allowing updates based on the requestor IP address is insecure, we strongly
recommend using the TSIG key protocol filtering rather than an IP address based filtering.
Using the drop-down lists Type and Restriction, you can configure as many restrictions as
you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type contains
the following options:
625
Configuring DNS Zones
Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
6. Click on OK to complete the operation. The report opens and closes. The parameters are
visible in the panel Access control, in the list Allow-update.
At zone level, configuring DNS sources allows to set physical interfaces that should be system-
atically used for all notify operations and zone transfer. DNS sources can be inherited from the
server and views or set for a zone. The inheritance details are visible the zones properties page.
Keep in mind that once the sources are configured at zone level, they override the config-
uration set at server or view level.
This statement allows to define the IPv4 address of the physical interface used for all the
server outgoing notify operations. You can also specify a port for this statement. It is used
by master zones and its configuration is therefore displayed on the physical server, views
and master zones properties page.
626
Configuring DNS Zones
notify-source-v6
This statement allows to define the IPv6 address of the physical interface used all the server
outgoing notify operations.You can also specify a port for this statement. It is used by master
zones and its configuration is therefore displayed on the physical server, views and master
zones properties page.
Keep in mind that once the sources are configured at zone level, they override the config-
uration set at server or view level.
This statement allows to determine the IPv4 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
627
Configuring DNS Zones
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
transfer-source-v6
This statement allows to determine the IPv6 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
use-alt-transfer-source
This statement allows to set the use of an alternate interface IP address for the transfer if
the transfer-source or the transfer-source-v6 were to fail. This statement configuration is
displayed on the physical server, view and slave zones properties page.
This statement definition is only configurable from the panel Sources but applies to interfaces
whether they were identified through an IPv4 or an IPv6 address.
Its default value is no if the server contains views and yes if the server does not contain any
view.
alt-transfer-source
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
alt-transfer-source-v6
This statement allows to determine the alternate IPv6 address of the interface used to execute
the zones transfer on the server if the transfer-source-v6 failed and if the use-alt-transfer-
source is enabled.You can also specify a port for this statement. Its configuration is displayed
on the physical server, views and slave zones properties page.
Keep in mind that once the sources are configured at zone level, they override the config-
uration set at server or view level.
628
Configuring DNS Zones
629
Chapter 41. Managing DNS Resource
Records
The resource records belong to your zones. They usually are contained in master zones and can
be replicated to slave zones if need be.
On the page All RRs, all records are listed and the column RR name indicates if you can edit a
record or not.
A record name not underlined indicates that you cannot edit it. In this case, you cannot edit
the four records listed because they belong to a physical server managed via a smart archi-
tecture.
An underlined record name indicates that you can edit it. If you click on a name, you open
the wizard Edit a DNS RR.
In this case, the underlined records belong to a smart architecture, any changes you make
are pushed to the physical server managed via the smart.
The SOA record is never underlined because, unlike other records, you cannot edit its
properties from the page All RRs.
This lock indicates that the server records cannot be edited. In this case, the server listed
is a physical server managed via a smart architecture.
This button, when gray, indicates that you are displaying the records of both the smart archi-
tecture and the physical server(s) it manages.
SOLIDserver supports many types of resource records, most can be added to a zone, some are
automatically created when you add a zone. All the supported records are listed in the table below.
630
Managing DNS Resource Records
631
Managing DNS Resource Records
When you create a master zone, it automatically contains an SOA record and an NS record. This
NS is not generated until the server is synchronized.
DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE
If you created RPZ zones, their records; or rules, are listed on the page All RPZ rules. For more
details, refer to the chapter DNS Firewall (RPZ).
Resource records do not have a properties page, all their information is displayed in the list.
Delayed create The creation or update is delayed until the resource record is created on the physical
server(s) of the smart architecture. The creation is automatically done after a maximum
of 1 minute.
Delayed delete The deletion is delayed until the resource record is deleted from the physical server(s) of
the smart architecture. The deletion is automatically done after a maximum of 1 minute.
632
Managing DNS Resource Records
When you add master zones, the SOA record and an NS record are created automatically.
This NS is only generated after the server is synchronized. You can create other NS records in
the zone.
Adding an A Record
The IPv4 Address (A) record maps a host name to an IPv4 address. It can be added to the page
All RRs of any Master zone. A single host can be mapped toward several A records, or IP ad-
dresses, that create an RRset. In this case, the DNS server responds to queries with all the ad-
dresses defined but the order depends on the rrset-order statement of the server configuration
file.
633
Managing DNS Resource Records
If you do not name an A record, it takes the same name as the zone it belongs to, which allows
DNS clients to find the IPv4 address of your host using only its domain name. This way, querying
the zone name example.com would be resolved immediately and provide access to your host
through its IP address.
If you do not name an AAAA record, it takes the same name as the zone it belongs to, which allows
DNS clients to find the IPv6 address of your host using only its domain name. This way, querying
the zone name example.com would be resolved immediately and provide access to your host
through its IPv6 address.
634
Managing DNS Resource Records
6. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
7. In the field Sub-type, type in the version of service AFS used: 1 (AFS version 3.0) or 2 (OSF
DCE/NCA version).
8. In the field AFS server, type in the AFS hostname.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
635
Managing DNS Resource Records
6. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
7. In the field Type type in the number, between 0 and 65535, that specifies the type of certific-
ate. For more details, refer to the appendix DNS Resource Records Related Fields.
8. In the field Key tag, type in the certificate's key tag, a 16-bit value computed for the key
embedded in the certificate.
9. In the field Algorithm, type in the public key's cryptographic algorithm.
10. In the field Certificate or CRL, type in the certificate, encoded in base-64 format.
11. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
Keep in mind that each CNAME RR name is unique: you cannot have several records named
www in the same zone. Their complete name would be www.example.com and as the CNAME
is an alias, it should provide a link toward a canonical name that has not been declared in the
zone yet.
There should be as many hostname aliases as there are CNAME records in your zone.
636
Managing DNS Resource Records
Keep in mind that a DNAME record rewrites the subdomain suffix and applies to all its subdomains.
A DNAME record rewriting a query from support.company.com to support.company.corp also
applies to queries for fr.support.company.com or es.support.company.com . The DNAME config-
uration applies to any label located left of the specified domain name.
A zone configured with a DNAME has records that send back the proper information to DNS clients.
If the value of the DNAME is support.company.corp, there should be an A record, for instance,
named support.company.corp providing an IP address clients can reach.
Keep in mind that unlike a CNAME, the DNAME points a name and not to a record within the
zone.
637
Managing DNS Resource Records
You do not need to add a DNSKEY record if you signed zones from the GUI, it is created
automatically for each zone.
If you manage from the GUI an external DNS server that contains one or more zones already
signed with DNSSEC, you can add a DNSKEY record to each concerned zone. When the zone
signature is not performed using the appliance, SOLIDserver cannot push the DNSSEC keys to
the server and displays them like any other signed zone. Therefore:
• The DNSKEY record is not listed among the records of the zones.
• The DNSSEC keys of each zone are not listed on the page All DNSSEC keys.
• The zones are not displayed as DNSSEC compliant even though they are.
Adding a DNSKEY record can therefore ease up the zone management and ensure that the
zones you signed from another platform are marked yes in the column DNSSEC. For more details,
refer to the chapter DNSSEC.
To successfully add a DNSKEY record, you need the DNSKEY flags, protocol, algorithm and
key; all of which are available in txt file generated after the zone signature.
Adding a DS Record
The Delegation Signer (DS) record is a DNSSEC that creates the chain of trust or authority from
a signed parent to a child zone. It can be used to verify the validity of the ZSK of a subzone. It is
composed of the parent zone key tag, key algorithm, digest type and digest itself. For more details,
refer to the section Managing DNSSEC on Authoritative Servers.
To add the DS records, refer to the section Publishing the Delegation Signer in the Parent Zone.
638
Managing DNS Resource Records
Keep in mind that if you name an HINFO record like an A or AAAA record, they are linked together
in the zone file and provide additional information when the domain name they share (an
identical Complete name in the GUI) is queried.
The HINFO can also be used as a specific TXT record and contain other information.
639
Managing DNS Resource Records
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
Adding an MX Record
The Mail Exchanger (MX) record allows to set the name and relative preference of your mail ex-
changers, in other words, mail servers for the zone. Keep in mind that:
• An MX record should not point to a CNAME record, as detailed in section 10.3 of RFC
2181. Therefore, if you have a CNAME called mail for the zone example.com (its complete
name would be mail.example.com) and if one of your mail exchangers name is mail.ex-
ample.com, you need to remove the alias from the zone to be able to declare the mail exchanger
name in the MX record. To make the answer for the MX more efficient, you should also add
an A or AAAA record pointing to the IP address of the mail server.
• If the mail server stated in one of the MX records lies in the zone, you should add an A
record. This A record name becomes the mail server and its value becomes its IP address.
You can add as many MX records as you need in your master zones, it all depends on the
number of mail exchangers you want to declare.
640
Managing DNS Resource Records
5. In the field RR name, you can name your RR. The field Complete name auto-completes and
displays the RR full name as follows: RRname.zonename .
6. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
7. In the field Order, type in a number between 0 and 65535 to define which RR has priority if
there are several NAPTR records in the zone. The lowest value has the priority over the
other record(s).
8. In the field Preference, type in a number between 0 and 65535 to define which RR has pri-
ority if several NAPTR records have the same Order in the zone. The lowest value has the
priority over the other record(s).
9. In the field Flags, type in the string that corresponds to the action you want your client applic-
ation to perform.
10. In the field Service, type in the services parameters needed according to your client applic-
ation syntax.
11. In the field Regex, type in the string that contains a substitution expression to be applied to
the original string specified in the field Flags.
12. In the field Replace, type in the FQDN domain name to be queried when looking for the po-
tential data specified in the field Flags.
13. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
Adding an NS Record
The Name Server (NS) record is used to list all the DNS name servers that have authority over
a zone. NS records must be declared both in the parent and the child zones. In the parent zone,
they indicate the zone authoritative server, in the child zone where they constitute the point of
delegation.
The requirement is that at least two name servers are defined for each public domain, so there
is at least two NS records in each zone. The first NS record, named after the zone is created
automatically when you create zones from the GUI to indicate the authoritative server; all other
NS records must be added manually following the procedure below.
We strongly recommend that you create an A record for each NS server to provide detailed in-
formation to the domain name query. This process is called creating a glue record, that way once
your domain is queried, it can return its authoritative servers name and IP address.
Keep in mind that RFC 2181 stipulates that the NS record can point to other records but
never to a CNAME record as the query answer does not return an address with the NS record
and in some cases might make the query fail altogether.
641
Managing DNS Resource Records
5. In the field RR name, name your RR. The field Complete name auto-completes and displays
the RR full name as follows: RRname.zonename .
6. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
7. In the field DNS server, type in the DNS server hostname.
8. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
642
Managing DNS Resource Records
8. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
The PTR name is always displayed in the RR name column in reverse with the syntax
B4.B3.B2.B1.in-addr.arpa but it is treated like a name. Which is why it is possible to set IP ad-
dresses final section (B4) with a value that does not respect the IP protocol: a value greater than
255 in IPv4 and greater than ffff in IPv6. This lack of limitation in the interface provides an addi-
tional tool for specific configurations.
The PTR being used for reverse host name look ups, it does not make sense to name multiple
PTR records with the same name, i.e. same IP address. However, to provide reverse round-robin
configuration, you can set several IP addresses with different values. For more details, refer to
the section Load Balancing with Round-Robin.
All the addresses used to name your PTR records provide as many entries toward the host names
of your choice in your reverse master zones.
643
Managing DNS Resource Records
This record only allows one piece of information per field, so if for instance you want to configure
a set of ports for one service, you can create several SRV records each with the same information
in all fields except the port, priority and weight.
644
Managing DNS Resource Records
The greater the value is, the more the server is solicited. Basically, it gives priority to the
SRV RR with the greatest weight value. If you type in 0, there is no weighting.
9. In the field Port, type in the port number that delivers the service to the target.
10. In the field Target, type in the hostname of the server delivering the service.
11. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.
645
Managing DNS Resource Records
This record type is not obsolete, the SRV record can provide the same information.
646
Managing DNS Resource Records
From the list All RRs, you can differentiate the ones you can or cannot edit, refer to the image A
list of resource records above. For instance, the records of a physical server managed via a smart
architecture cannot be edited.
Note that SOA records cannot be edited like the other records: you can tick them to change their
TTL or value, but you cannot edit them individually from the page. For more details, refer to the
sections Editing Several Records at Once and Editing the SOA from the Zone Properties Page.
Keep in mind that if several records in a zone share the same name, editing the TTL on one
also edits the TTL on the records sharing that name.
5. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the page.
647
Managing DNS Resource Records
You can tick several records and edit their Value. The wizard allows to replace existing values,
you can specify whole values or part of a value, for instance a domain name stated in all the re-
cords. Note that the wizard returns an error if you specify a value that does not exist.
8. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the changes are visible in the list.
648
Managing DNS Resource Records
The SOA contains the zone's serial number, administrator email and configuration information
(refresh, retry, expiration...) all of which you can edit. Note that:
• You cannot rename an SOA, it is automatically named like the zone when you create it.
• The SOA also contains the name of the primary server, the DNS server that has authority over
the zone, but you cannot edit it.
To edit the TTL or Value of one or several SOA records, refer to the section Editing Several Re-
cords at Once.
6. Click on OK to complete the operation. The wizard closes. The page refreshes, the changes
are listed.
Note that the primary NS record of a zone is generated once the server is synchronized and in-
dicates the authoritative server of the zone.
Delegating a sub-domain simply consists of adding both an NS and an A (or AAAA) RR in the
parent zone pointing to the sub-domain:
• The NS record indicates which servers are authoritative for the zone. You can also create ad-
ditional NS records to delegate authority for the zone to other DNS servers.
649
Managing DNS Resource Records
• The A / AAAA record indicates the IP address of the server that has authority over the sub-
domain and therefore needs to be added in the RRs list of the parent zone.
Let's consider the zones efficientip.com and support.efficientip.com for the purpose of illustrating
the delegation configuration. The parent zone, efficientip.com, is managed through the server
ns1.efficientip.com and the child zone, support.efficientip.com, is managed through ns2.efficien-
tip.com . You need to add the relevant records in the parent zone. On the one hand, add the NS
record, name it support (it is then listed as support.efficientip.com as the RR name auto-completes
with the domain name at the end) and indicate the server that has authority over it in the adequate
field, in our case ns2.efficientip.com. On the other hand, add the A record named ns2 (once
again, its name auto-completes with the zone name and obtain the server actual name) and in-
dicate its IP address. That way, you should have two new records in the parent zone: an NS RR,
support.efficientip.com, pointing toward the delegated child zone and a glue A record, ns2.effi-
cientip.com.
650
Managing DNS Resource Records
Note that this option has nothing to do with the zones database replication of the DNS command
allow-transfer. Duplication and migration of a zone includes the records it manages.
To copy a record
1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. Tick the record(s) you want to duplicate.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving RRs opens.
4. In the drop-down list Method, select Copy.
5. In the drop-down list Target server, select the server of your choice. The Target zone drop-
down list appears.
6. In the drop-down list Target zone, select the zone of your choice. If you created views in
your server, the zone is named zone (view).
7. In the drop-down list Existing records, choose if you want to overwrite RRs with the same
name. The wizard refreshes.
8. Click on OK to complete the operation. The report opens and closes. The page All RRs is
visible again and displays the migrated record. Note that the complete name of the RR(s)
in the column RR name is now RRname.newzonename.
To move a record
1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. Tick the record(s) you want to move.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving RRs opens.
4. In the drop-down list Method, select Move.
5. In the drop-down list Target server, select the server of your choice. The Target zone drop-
down list appears.
6. In the drop-down list Target zone, select the zone of your choice. If you created views in
your server, the zone is named zone (view).
7. In the drop-down list Existing records, choose if you want to overwrite RRs with the same
name.
8. Click on OK to complete the operation. The report opens and closes. The page All RRs is
visible again and displays the migrated record. Note that the complete name of the RR(s)
in the column RR name is now RRname.newzonename.
651
Managing DNS Resource Records
3. In the menu, select Tools > Configuration registry database. The wizard Configuration
of registry database opens.
4. Click on NEXT . The last page of the wizard opens.
5. Tick the box Activated to allow the use of the underscore in the record naming convention.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and is visible again.
For example, if you have three www servers with network addresses of 10.0.0.1, 10.0.0.2 and
10.0.0.3, a set of A resource records means that clients connect to each machine one third of
the time. When a resolver queries for these records, BIND rotates them and respond to the query
with the records in a different order. In the example above, clients randomly receive records in
the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Once the query is answered a first time with 1, the next client
querying the same name receives a different answer: 2; and so forth. There is no configuration
needed, the balancing is automatically activated if three different servers resolve to the same
domain name (to follow the example: www.yourdomain.com).
Note that if you configured the DNS advanced properties Create PTR, a PTR record is created
only for the first A record you add.
SPF Record
Sender Policy Framework (SPF) is an email validation system designed to prevent email spam
by detecting email spoofing using the senders' IP address. SPF allows administrators to specify
which hosts are authorized, or not, to send emails from a given domain. Mail exchangers use
the DNS to verify that the host sending the email from a given domain is sanctioned by that do-
main's administrators. The SPF record is actually a single string of text found in the value of a
single TXT record.
In 2003, when SPF was first being developed, the requirements for assignment of a new DNS
RR type were considerably more stringent than they are now. In its review of the RFC 4408, the
IETF SPFbis working group concluded that its dual RR type transition model was fundamentally
flawed since it contained no common RR type that implementers were required to serve and re-
quired to check.
The Simple Mail Transfer Protocol allows any computer to send email claiming to be from any
source address. This is exploited by spammers who often use forged email addresses, making
it more difficult to trace a message back to its sender, and easy for spammers to hide their
identity in order to avoid responsibility. It is also used in phishing techniques, where users can
be duped into disclosing private information in response to an email purportedly sent by an or-
ganization such as a bank. SPF allows the owner of an Internet domain to specify which computers
are authorized to send mail with sender addresses in that domain. Receivers verifying the SPF
records may reject messages from unauthorized sources before receiving the body of the message.
The sender address is transmitted at the beginning of the SMTP dialog. If the server rejects the
sender, the unauthorized client should receive a rejection message, and if that client was a relaying
message transfer agent (MTA), a bounce message to the original sending address may be gen-
652
Managing DNS Resource Records
erated. If the server accepts the sender, and subsequently also accepts the recipients and the
body of the message, it should insert a field Return-Path in the message header in order to save
the sender address.While the address in the Return-Path often matches other originator addresses
in the mail header such as From or Sender, this is not necessarily the case, and SPF does not
prevent forgery of these other addresses.
This property must be set at server, view or zone level and propagated down to the records. For
more details, refer to the chapter Managing Advanced Properties in the section Configuring DNS
Advanced Properties.
An A, AAAA, CNAME or PTR record is added in the zone configured at network level. The new
record is named after the complete IP address name and zone name.
For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and IP Address Advanced Properties.
Note that all DHCP to DNS properties rely on the IPAM and can only be configured if you set
IPAM to DNS and IPAM to DHCP advanced properties.
For more details, refer to the chapter Managing Advanced Properties in the section Configuring
DHCP Advanced Properties.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
653
Managing DNS Resource Records
654
Chapter 42. Implementing Dynamic
Update
Dynamic Domain Name Server (DDNS) is the system, detailed in RFC2136, through which IP
address assignment updates in the DHCP are immediately reflected in the DNS records for the
hosts. DDNS enables a DNS server to accept and receive an update every time a dynamic client
changes their IP address. Updating the DNS dynamically eliminates the need for an administrator
to manually set large numbers of records as authorized users can add, delete, and edit records
on the fly.
In the wrong hands, dynamic updates can open up your network to certain vulnerabilities as users
could update some or many of the records on a DNS server organization with incorrect information.
Which is why, within SOLIDserver, DDNS relies on the Transaction SIGnature (TSIG). Described
in RFC 2845, TSIG is based on the use of a symmetrical key, and we create one update key per
Efficient IP DNS server. That way, every transaction from DHCP servers to DNS servers is
automatically protected.
SOLIDserver supports both dynamic update via TSIG keys and secure dynamic update via
Generic Security Service Algorithm for Secret Key Transaction (GSS-TSIG) for DNS servers
serving Microsoft Active Directory clients.
You can configure your EfficientIP DNS server to authenticate your AD clients and grant or deny
them dynamic update rights on the master zone managing your AD server domain via the state-
ment update-policy. For more details, refer to the section Configuring Secure Dynamic Update.
For more details, refer to the section Authenticating the Zones Dynamic Update from the
Server.
3. Configure the statement allow-update of your master zones with the same TSIG key. For more
details, refer to the section Configuring DNS Update Authorizations on a Zone.
Note that if you edited the ACL admin of the server, the configuration is complete because,
by default, the ACL admin of the physical server is specified in the statement allow-update of
the master zones.
You can configure dynamic update on all DNS servers except Amazon Route 53 DNS servers.
655
Implementing Dynamic Update
Prerequisites
• SOLIDserver version 6.0.0.
• A Windows Active Directory server:
• Without DNS server, your DNS server is an EfficientIP DNS server.
• With at least one user with sufficient DNS rights, able to create GSS-TSIG keys. This user
must share the same name as your EfficientIP DNS server following the format my-ad-
user.my-ad-domain .
• With DES certificate enabled. For Windows Servers 2008 R2, it is disabled by default so you
must enable DES_CBC_MD5, AES128_HMAC_SHA1 and AES256_HMAC_SHA1 in the
Security Options of the Local Security Policy.
• At least one EfficientIP DNS server named after an AD user with sufficient DNS rights. The
server is named following the format my-ad-user.my-ad-domain .
The name of the DNS server can be set based on an existing user, or an AD user can be
named after the DNS server name. Either way, they must have the same name and that name
must include the full AD domain. To create a server, refer to the procedure To add an EfficientIP
DNS server.
• The EfficientIP DNS server must contain a master zone managing your AD domain, so it named
with a format similar to my-ad-domain.corp . This master zone must be configured with 9 key
records (1 SOA, 2 A and 6 SRV) linking your AD server, AD domain and DNS server. To create
the zone, refer to the procedure To add a master zone.
• SOLIDserver and your AD server must be set at the same time.You should configure the same
NTP server on SOLIDserver and your AD server.
Limitations
• Secure dynamic update can only configured for EfficientIP DNS and EfficientIP DNS Package
servers.
• For each physical DNS server there must be an AD user. Therefore, to configure secure dy-
namic update for a Multi-Master smart architecture, you need two AD users to generate the
GSS-TSIG key for the server named after them.
656
Implementing Dynamic Update
The zone configuration must contain the 9 records configured as detailed in the example below.
ad-domain.corp SOA TTL dns-server.ad-domain.corp X X X X X X dns-server.ad-domain.corp A TTL IP
ad-server.ad-domain.corp A TTL IP _kerberos._udp.ad-domain.corp SRV TTL 0 100 464
ad-server.ad-domain.corp _kerberos._udp.ad-domain.corp SRV TTL 0 100 88 ad-server.ad-domain.corp
_kerberos._tcp.ad-domain.corp SRV TTL 0 100 464 ad-server.ad-domain.corp _kerberos._tcp.ad-domain.corp
SRV TTL 0 100 88 ad-server.ad-domain.corp _ldap._tcp.pdc._msdcs.ad-domain.corp SRV TTL 0 100 389
ad-server.ad-domain.corp _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad-domain.corp SRV TTL
0 100 389 ad-server.ad-domain.corp
c. Add the missing key records to the DNS server using the command below.
nltest /server:<ad-server-name>.<full-ad-domain> /dsregdns
The missing records link your AD server, AD domain and DNS servers.
657
Implementing Dynamic Update
When the AD server, DNS server and master zone managing your AD domain are configured
properly, you can create a GSS-TSIG key and upload it to SOLIDserver.
You need to generate the key from the AD server and then upload it to SOLIDserver.
# <name> is the AD user sharing the same name as the DNS server.
# <domain> is the full AD domain: domain.TLD .
# <password> is the password of the AD user specified.
5. Copy the file in the directory of your choice for the upload.
Once you generated the key and saved it where you want, you must upload it to SOLIDserver.
This upload is done on the page All GSS-TSIG key.
On the page, the keys are listed using their Name, Encryption Type and Encryption number in
dedicated columns. You cannot edit the columns layout.
658
Implementing Dynamic Update
In the column Name, the uploaded key is displayed following the format declared during the
generation: DNS/<name>.<domain>@<domain> .
You can delete a GSS-TSIG key if you no longer use it on any server or zone. For more details,
refer to the section Disabling Secure Dynamic Update.
On the page All servers, the column Multi-Status indicates if the smart architecture has GSS-
TSIG enabled but there is no GSS-TSIG key configured on the physical server(s) it manages.
If you manage your physical server via a smart architecture, you must first enable GSS-TSIG on
the smart and then specify the .keytab file on the physical server.
To configure and specify the GSS-TSIG on a physical server managed via a smart
1. Enable GSS-TSIG on the smart server
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. At the end of the line of the smart server, click on . The properties page opens.
c. Open the panel GSS-TSIG using and click on EDIT . The wizard Edit GSS-TSIG prop-
erties opens.
d. Tick the box Use GSS-TSIG.
e. Click on OK to complete the operation. The report opens and closes. In the panel, the
GSS-TSIG status is now Enabled. Now you must specify the GSS-TSIG key on the
physical server.
2. Specify the GSS-TSIG key on the physical server
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. At the end of the line of the physical server managing your AD domain, click on . The
properties page opens.
c. Open the panel GSS-TSIG using and click on EDIT . The wizard Edit GSS-TSIG prop-
erties opens
d. The box Use GSS-TSIG is ticked.
e. In the drop-down list Select the key to use, select the .keytab file you uploaded.
f. Click on OK to complete the operation. The report opens and closes. In the panel, the
key details are displayed.
3. If you manage several physical servers via a Multi-Master architecture, you must repeat the
actions of the step 2 for each EfficientIP DNS server.
If you manage your physical server outside a smart server, you must enable GSS-TSIG and
specify the GSS-TSIG on the EfficientIP DNS server itself.
659
Implementing Dynamic Update
2. At the end of the line of the physical server managing your AD domain, click on . The
properties page opens.
3. Open the panel GSS-TSIG using and click on EDIT . The wizard Edit GSS-TSIG properties
opens.
4. Tick the box Use GSS-TSIG. A drop-down list appears.
5. In the drop-down list Select the key to use, select the .keytab file you uploaded. If there is
only one file on the page All GSS-TSIG keys, it is automatically selected.
6. Click on OK to complete the operation. The report opens and closes. In the panel, the key
details are displayed.
Once you selected a keytab file on a physical server, the AD users can be authenticated, when
they query the AD domain. Now you need to configure the AD users permissions and restrictions
on the zone managing the AD domain.
On the page All zones, the column GSS-TSIG indicates if the zones are configured with a GSS-
TSIG key. The column has three possible values:
If your zone is managed via a view, SOLIDserver automatically adds the following policy:
grant "<view-name>" wildcard "*" ANY;
• If they suit your needs, we recommend that you configure the following update-policy entries:
1. Allow the AD server to edit the master zone managing your domain. That way the AD server
can advertise any hostname or IP address changes directly to the DNS server without con-
figuring dynamic update again. The final policy should look as follows:
grant "<server-name>$@<full-domain>" wildcard "*" ANY;
# In the GUI, this configuration is set as follows:
# Permission=grant, Identity=<server-name>$@<full-domain>,
# Matchtype=wildcard, Tname=*, RR type=Any
2. Allow Windows computers registered in the AD domain to create their A and AAAA records
in the zone.
grant "<full-ad-domain>" ms-self "<full-ad-domain>" specific A AAAA;
# In the GUI, this configuration is set as follows:
# Permission=grant, Identity=<server-name>$@<full-domain>, Matchtype=ms-self,
# Tname=<full-domain>, RR type=Specific, Selected type(s)=A, AAAA
660
Implementing Dynamic Update
661
Implementing Dynamic Update
Once you configured the fields, click on ADD .Your update-policy entry is moved to the Update-
policy list. The page refreshes. Configure as many entries as you want.
To organize the list, use the buttons and . Each restriction or permission is reviewed
and processed following the order set in the list.
8. Click on OK to complete the operation. The report opens and closes. In the panel Access
control, the list Allow-update is now replaced by the list Update-policy.
Even if you do not configure any entry in the Update-policy list, once you click on OK ,
SOLIDserver automatically adds the entry grant "ipmadmin" wildcard "*" ANY; that allows it
to update your zone).
Each entry of the Update-policy list is listed on the page User tracking, in the column Description
as follows: DNS name: <name> Zone name: <name> Key: update-policy Value: <entry> .
Once you configured the update policy statement, all the AD users querying your DNS server
are authenticated by your AD server and only the allowed users can dynamically update the zone
managing your AD domain.
You should configure an NTP server on both SOLIDserver and the AD server. For more details
regarding NTP on SOLIDserver, refer to the section Configuring NTP Servers.
3. The .keytab file you are using is the correct one.
a. Go the page All GSS-TSIG keys to make sure you uploaded the proper .keytab file. If not,
upload it following the procedure in the section Creating and Uploading the GSS-TSIG key.
b. Go to the properties page of the physical server managing the zone dedicated to your AD
domain, in the panel GSS-TSIG the .keytab file is displayed. If the file is not the correct one,
edit it following the procedure To configure a physical server with GSS-TSIG.
4. The DNS server name is the same as the AD user declared in the .keytab file.
The AD user that generated it on the AD server and the physical DNS server managing your
AD domain have the same name. If not, you might need to generate the .keytab file again
following the section Creating and Uploading the GSS-TSIG key. Then complete the physical
server and zone configuration.
5. Your update-policy statement is properly configured. The order of the entries in the Update
policy list is important: each restriction or permission is reviewed following the order you set
in the list.
For more details, refer to the recommendations and procedure in the section Configuring your
Zone for Secure Dynamic Update.
662
Implementing Dynamic Update
Note that you cannot delete TSIG or GSS-TSIG keys if they are used. To delete them, you
must first disable dynamic update or secure dynamic update.
Keep in mind that if you delete all entries, the entry admin is automatically recreated at
the top of the ACL list. It matches the configuration set on the server, which is why you
must make sure that the ACL admin at server level suits your needs.
g. Click on OK to complete the operation. The report opens and closes. The parameters
are visible in the panel Access control, the list Allow-update is empty.
3. Check the server configuration:
a. In the breadcrumb, click on the zone's server name. The server properties page opens.
b. In the panel ACL, in the list DNS ACLs select admin.
c. Click on EDIT . The wizard ACL configuration Edit a DNS server opens.
d. Edit the ACL configuration according to your needs using the fields Type, Restriction
and ACL values.
Keep in mind that this ACL sets permissions and restrictions for all the zones of your
server. So you must make sure that its content matches your needs.
e. Click on OK to complete the operation. The report opens and closes. The properties
page is visible again.
Once you cleared the content of the statement allow-update and checked the ACL configuration
of the server, you can remove TSIG keys following the section Deleting TSIG and GSS-TSIG
Keys.
663
Implementing Dynamic Update
• Go the properties page of the relevant server, in the panel GSS-TSIG click on EDIT and disable
GSS-TSIG: untick the box Use GSS-TSIG and click on OK .
• From the same properties page, in the panel ACL: select admin and click on EDIT . Make
sure the configuration suits your needs, if not make edit and click on OK to complete the
operation.
Once you disabled dynamic update, you can delete the .keytab file following the procedure To
delete a GSS-TSIG key.
664
Chapter 43. DNS Firewall (RPZ)
A Response Policy Zone (RPZ) allows you to prevent DNS clients from accessing certain websites.
These zones allow to configure a DNS firewall on the server. When a client queries a domain,
subdomain or IP address listed in one of the RPZ zones, the server uses the configured response
policy to reply. This mechanism is similar to an email anti-spam blacklist.
An RPZ zone contains a set of resource records that associate domains, subdomains or IP ad-
dresses with specific response policies based on domain data feeds provided by an external
service or manually created by network administrators.
Dynamic policy
update
Alert Forbidden
request
Botnet attack
Malwares
Management Viruses
Appliance
RPZ allows setting up a granular approach as, instead of blocking an entire domain, you can set
exceptions or configure individual response rules for each subdomain.
At zone level, RPZ allows to decide which queries get a specific response and which ones are
answered normally. Each zone contains rules that identify specific domain names or IP addresses
and set up redirection, NODATA, NXDOMAIN or PASSTHRU policies.
Prerequisites
1. Managing an EfficientIP DNS server or a BIND DNS server. For more details, refer to the
sections Managing EfficientIP DNS Servers and Managing BIND DNS Servers.
2. Adding at least one RPZ zone, as detailed in the section Adding RPZ Zones.
3. Adding rules to the zone to implement specific policies based on the queries, as detailed
in the section Managing RPZ Rules.
Limitations
• You can only implement the RPZ on BIND servers.
665
DNS Firewall (RPZ)
Within the GUI, this implies remotely managing a BIND server or adding an EfficientIP DNS
server. For more details, refer to the section Managing EfficientIP DNS Servers or Managing
BIND DNS Servers.
• You cannot add more than 32 RPZ zones:
• In one view of a BIND server.
• On a BIND server that does not contain any views.
• You cannot set the order of the rules. Therefore the order of the zones is important.
The RPZ rules are applied one after the other respecting first the order of the views, then the
order of the zones within a view and finally the rule type. Once a queried record is matched in
one zone, it is ignored in the following rules of the zone. For more details regarding the order
of the rules within a zone, refer to the section Understanding the RPZ Rules Order.
DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE
RPZ zones are managed from the page All RPZ zones. Their content is managed from the page
All RPZ rules.
666
DNS Firewall (RPZ)
The column Order allows to display the position of the RPZ zone in the checking process,
0 being the first zone to be checked against the queried domain. As soon as a domain is
found in one of the zones, the corresponding RPZ policy is applied and the following zones
are ignored.
The page All RPZ rules lists all the records of RPZ zones. It even includes the SOA and NS
records of each RPZ zone.
Each zone configuration depends on the rules it contains. You can monitor the Status of each
one. For more details, refer to the section Understanding the RPZ Zone Statuses.
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
The column Status provides information regarding the zones you manage.
Delayed create The creation or update is delayed until the zone is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1
minute.
Delayed delete The deletion is delayed until the zone is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.
Timeout The zone is not available.
Not authoritative The zone configuration is incorrect, in the SOA another server was set as authoritative.
Refused The DNS server refuses the transfer between the current zone and the management
platform, check the parameter allow-transfer on the zone or server properties page.
No RR Only for forward zones. There is no RR to transfer for the zone.
N/A Only for Amazon Route 53 servers. The zone is not a Master or does not have a
TLD.
667
DNS Firewall (RPZ)
Moreover, the column Multi-status provides you with emergency, warning, critical, error or inform-
ational messages regarding the compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.
For security reasons, we recommend that you avoid using an obvious RPZ zone name, such as
"RPZ-List", which could indicate that RPZ is implemented. Keep in mind that:
• You can only configure RPZ on Name zones: it does not work on reverse zones.
• You can only configure RPZ on Master zones or Slave zones. Any other type of zone is ir-
relevant to the RPZ configuration.
• You cannot use the name of an existing zone when you add an RPZ zone, otherwise the
domain name that you use can no longer be resolved using DNS.
• The zone name is returned in the DNS answer when you set NODATA and NXDOMAIN policies.
• You cannot add more than 32 RPZ zones in one view or in one server if the server does not
contain any views.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
8. In the list DNS zone type, select Master or Slave.
9. Click on NEXT . The next page opens.
1
10. In the field Name, name your zone following the syntax given in RFC1034 .
For security reasons, we recommend that you avoid using an obvious RPZ zone name, such
as "RPZ-List", which could indicate that RPZ is implemented.
11. The box DNS firewall (RPZ) is automatically ticked and displayed in gray.
12. In the drop-down list Overriding rule, Given is selected by default. For more details regarding
the overriding rules, refer to the section Overriding RPZ Rules.
13. Click on NEXT . The next page opens.
1
Available on IETF website at https://tools.ietf.org/html/rfc1034.
668
DNS Firewall (RPZ)
14. In the list RPZ zones order, the RPZ zones are sorted from the first one to be checked to
the last one. To order the entries, select them one by one and click on the arrows to move
them up or down .
15. If you are configuring a Master zone, go to the next step.
16. Click on OK to complete the operation. The report opens and closes. The RPZ zone is listed
and marked Delayed create before being marked OK.
You can now configure the rules it contains, as detailed in the section Managing RPZ Rules.
You can synchronize zones to force a retrieval of the latest changes and records.
669
DNS Firewall (RPZ)
You can also synchronize the entire content of a zone, rather than only the latest change. The
option Force full synchronization retrieves and uploads the complete content of a zone and resets
the serial number of the SOA of the zone.
Resetting the SOA serial ensures that the entire zone data is up to date. It can be useful if you
restored a server that you used to manage, as you might have a synchronization drift between
the data that SOLIDserver stored locally and all the changes that have been performed directly
on the server since you last managed it.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. The field Name and the box DNS firewall (RPZ) are grayed out. You cannot edit them.
6. In the drop-down list Overriding rule, select the value of your choice: Given, Disabled,
Passthru, Nxdomain, Nodata or CNAME. The page refreshes. For more details, refer to the
section Overriding RPZ Rules.
7. Click on NEXT . The next page opens.
8. In the list RPZ zones order, the RPZ zones are sorted from the first one to be checked to
the last one. To order the entries, select them one by one and click on the arrows to move
them up or down .
670
DNS Firewall (RPZ)
If you are configuring a Slave zone, click on NEXT . The last page opens.
To add a master zone, configure the Master IP address, Port and TSIG key as detailed in
the procedure To add an RPZ zone.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
10. Click on OK to complete the operation. The report opens and closes. The page All RPZ
zones is visible again. The selected overriding rule is visible in the panel Main properties of
the zone properties page.
Keep in mind that you can also edit an RPZ zone from its properties page panels:
• From Name servers, you can edit the Authoritative DNS servers. For more details, refer to
the section Configuring Delegation at Zone Level.
• From Notify, you can edit IP addresses that should be notified of any changes on the master
zone. For more details, refer to the section Configuring DNS Notify Messages at Zone Level.
• From Access control, you can set or edit allow-query, allow-transfer and allow-update options
on the zone. For more details, refer to the section Managing DNS Security.
You can order RPZ zones at any time. This allows, for instance, to set exceptions by placing
zones configured by hand before those automatically updated by a 3rd party provider.
In addition, rules within a same zone respect some precedence order. For more details, refer to
the section Understanding the RPZ Rules Order.
671
DNS Firewall (RPZ)
Note that converting a slave zone to master adds an apex NS record to the new master zone.
During the conversion, you can keep or delete all the apex NS records of the former slave zone.
When the records of a zone are edited, slave servers have to be notified of this change to ask
for a zone transfer. Notify messages can be sent to name servers and/or IP address(es).
SOLIDserver automatically triggers the notification when you are Configuring DNS Notify Messages
at Zone Level, but you can force the notification for RPZ Master and Slave zones at any time.
The option Force notify allows to send a notify, or also-notify, from the RPZ zone(s) you select.
Keep in mind that:
• The option uses the information of NS records named like the zone you select. Therefore, it
cannot work if the selected zone does not contain at least one NS record named after the zone
itself.
• The notify, and also-notify, can be inherited from the server or view. If the notify is disabled on
the zone, the option cannot be used.
672
DNS Firewall (RPZ)
When the records of an RPZ Master zone are edited, the option Force refresh allows to force the
related RPZ Slave zone(s) to retrieve the new values, or RPZ rules, immediately.
To also force the record creation, refer to the section Forcing RPZ Zones Retransfer.
When the records of a Master zone are edited and new records are added, you can force the
related Slave zone(s) to retrieve all the new values and records it now contains.
The option Force retransfer triggers the creation and update of the records, RPZ rules, present
in the RPZ Master zone(s), and their values, within the selected RPZ Slave zone(s). Note that:
• If your Slave zone contains more records than the Master zone, the option deletes the outdated
records.
• The option is taken into account immediately in the DNS database, but you need to synchronize
the zones to see them in the GUI.
To only update the values of the existing records of Slave zone(s), but not create new records,
refer to the section Forcing RPZ Zones Refresh.
673
DNS Firewall (RPZ)
From the page All RPZ zones, you can edit the zone Overriding rule to disable the policy of all
the rules it contains or to make them all respond to a specific policy different from the original
RPZ: <policy> they were created with.
You can set the Overriding rule when you add or edit RPZ zones. For more details, refer to the
section Overriding RPZ Rules.
On smart architectures, you can disable an RPZ zone at any time. Once disabled, a zone is no
longer available and therefore its rules are longer applied.
Disabling an RPZ zone allows to maintain or edit its content without impacting the physical
server that manages it, it can be helpful if you intend to move or repair its managing server(s).
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
674
DNS Firewall (RPZ)
You cannot edit existing RPZ rules. You can only delete them. For more details, refer to the
section Deleting Rules.
You can configure four different policies based either on the requested domain names (QNAME)
or on the requested IP addresses:
Redirection
The record RPZ: REDIRECT allows to define which domain or IP address should be redirected
toward a specific domain or IP address. You can set the following redirections:
• Domain > domain. The redirection source can be a domain name (QNAME) or a Name
Server Domain Name (NSDNAME).
• Domain > IP address.The redirection source can be a domain name (QNAME) or a Name
Server Domain Name (NSDNAME).
• IP address > domain.
• IP address > IP address.
NODATA
The record RPZ: NODATA allows to set a nodata response to a specific domain name
(QNAME), Name Server Domain Name (NSDNAME), IPv4 address, IPv6 address or Name
Server IP address (NSIP).
NXDOMAIN
The record RPZ: NXDOMAIN allows to set a denial of existence response to a specific domain
name (QNAME), Name Server Domain Name (NSDNAME), IPv4 address, IPv6 address or
Name Server IP address (NSIP).
PASSTHRU
The record RPZ: PASSTHRU allows to set an exception for a specific domain name (QNAME),
Name Server Domain Name (NSDNAME), IPv4 address, IPv6 address or Name Server IP
address (NSIP). The source you configure in the rule is identified to ensure it gets a DNS
answer that does not involve RPZ.
Note that:
• Upon addition, each RPZ rule has a TTL of 3600 seconds. Once the policy is applied, the TTL
automatically drops to 5 seconds, following BIND behavior.
• Adding an RPZ rule edits the server it belongs to. It adds the option response-policy to declare
that the server manages RPZ zones.
675
DNS Firewall (RPZ)
• You can monitor RPZ rules from the page Analytics via the RPZ data samples. For more details,
refer to the sections Monitoring DNS Servers from the Page Analytics.
DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE
By default, the page All RPZ rules lists at least the SOA and NS record of each zone.
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
Table 43.3. The default columns on the page All RPZ rules
Column Description
Partial RR name The partial name of the rule. It is defined automatically when you add it.
DNS RR type The type of the resource record.
RR value 1 The value of the resource record: either the target domain name or IP address for redirection
rules, * for NODATA responses, . for NXDOMAIN responses and rpz-passthru for passthru
exceptions.
Status The RPZ rule status, either OK, Delayed create, or Delayed delete.
The column Status returns information regarding the rules you manage and their content.
676
DNS Firewall (RPZ)
Status Description
Delayed create The creation or update is delayed until the rule is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1
minute.
Delayed delete The deletion is delayed until the rule is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.
Within each server, all RPZ zones and rules respect the following order:
1. The RPZ zones ordering matters
When a user queries a server that manages several RPZ zones, all the zones are reviewed
one after the other in the order you set. The first matching rule is used and the other zones
and rules are ignored. For more details, refer to the section Ordering RPZ Zones.
2. Within a single RPZ zone:
a. Rules respect a specific precedence. They are checked in the following order:
• QNAME rules (i.e. domain name based rules)
• IP based rules
• NSDNAME rules (i.e. name server domain name rules)
• NSIP rules (i.e. name server IP address rules)
b. Among name based rules, rules follow a specific order: Among applicable QNAME or
NSDNAME rules, the rule with the smallest name is preferred.
c. Among IP based rules, rules follow a specific order:
• Among applicable IP or NSIP rules, the rule with the longest prefix length is preferred.
• Among IP or NSIP rules with the same prefix, the smallest IP address is preferred.
You can also add RPZ rules based on IP addresses or name servers. For more details, refer to
the section Configuring Rules Based on IP Addresses and Configuring Rules Based on Name
Servers.
You can configure RPZ rules to set redirections based on domain names. There are as many
domain redirections as there are records RPZ: REDIRECT configured.
You can either use a full domain name or specify some parts as variable, to include all the sub-
domains of a particular domain.
677
DNS Firewall (RPZ)
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select Domain.
5. In the field Domain, type in the domain name of your choice following the table below:
Table 43.5. Domain name possible syntax when configuring an RPZ rule
Value Description
domain.extension The DNS client requesting this domain is redirected toward a domain name
(refer to step 7) or toward an IP address (refer to step 8).
a
*.domain.extension The DNS client requesting any matching subdomain is redirected toward
a domain name (refer to step 7) or toward an IP address (refer to step 8).
<value>.domain.extension The DNS client requesting this specific name is redirected toward a domain
name (refer to step 7) or toward an IP address (refer to step 8).
a
The * (asterisk) is called the wildcard when used in front of a domain name.
6. In the drop-down list Policy, select Redirection. You can set a redirection toward a domain
name (refer to step 7) or toward an IP address (refer to step 8).
7. To set the redirection toward a domain name:
a. In the drop-down list Redirection target, select Domain. The page refreshes.
b. In the field Target domain, type in the target domain name of the redirection.
8. To set the redirection toward an IP address:
a. In the drop-down list Redirection target, select IPv4 or IPv6. The page refreshes.
b. In the field Target address, type in the target IP address of the redirection, respecting
the selected protocol version syntax.
9. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source domain name. The column RR value 1 is
the target domain name or IP address depending on your configuration.
You can configure RPZ rules to set NODATA or NXDOMAIN response policies and PASSTHRU
exceptions based on domain names.There are as many response policies to domains and domain
exceptions as there are records RPZ: NODATA, RPZ: NXDOMAIN and RPZ: PASSTHRU.
You can either use a full domain name or specify some parts as variable, to include all the sub-
domains of a particular domain.
678
DNS Firewall (RPZ)
Table 43.6. Domain name possible syntax when configuring an RPZ rule
Value Description
domain.extension The DNS client requesting this domain gets a nodata or nxdomain response
or for a passthru, the DNS client gets a regular response.
*.domain.extension The DNS client requesting any matching subdomain gets a nodata or
nxdomain response or for a passthru, the DNS client gets a regular re-
sponse.
<value>.domain.extension The DNS client requesting this specific name gets a nodata or nxdomain
response or for a passthru, the DNS client gets a regular response.
The column Partial RR name displays the source domain name. The column RR value 1
displays * for Nodata, . for Nxdomain or rpz-passthru for Passthru.
You can also add RPZ rules based on domain names or name servers. For more details, refer
to the section Configuring Rules Based on Domain Names and Configuring Rules Based on
Name Servers.
The details of RPZ rules based on IP addresses are managed using reverse:
IPv4 display
On the page All RPZ rules, the rules based on IPv4 addresses are displayed as follows:
<prefixlength.B4.B3.B2.B1>.
In the zone file, the rules based on IPv4 addresses respect the syntax: <pre-
fixlength.B4.B3.B2.B1.rpz-ip>.
IPv6 display
On the page All RPZ rules, the rules based on IPv6 addresses are displayed as follows:
<prefixlength.W8.W7.W6.W5.W4.W3.W2.W1>.
In the zone file, the rules based on IPv6 addresses respect the syntax: <pre-
fixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip>.
On the page All RPZ rules, the column Partial RR name might contain .zz. for the rules configured
with IPv6 addresses. These letters assist the column filtering and represent the :: that you can
use when you add a rule to avoid specifying in full the omitted 0000: groups of the IPv6 addresses.
You can configure RPZ rules to set redirections based on a specific IPv4 or IPv6 address. There
are as many IP address redirections as there are records RPZ: REDIRECT configured.
You can set up a redirection from a specific IP address or a range of IP addresses, like a network.
However, the redirection target can only be a specific IP address or domain name.
679
DNS Firewall (RPZ)
The column Partial RR name displays the source IP address and prefix displayed in reverse
followed by the suffix rpz.ip. The column RR value 1 is the target domain name or IP address
depending on your configuration.
You can configure RPZ rules to set NODATA or NXDOMAIN response policies and PASSTHRU
exceptions based on a specific IPv4 or IPv6 address. There are as many IP based response
policies and exceptions as there are records RPZ: NODATA, RPZ: NXDOMAIN and RPZ:
PASSTHRU.
680
DNS Firewall (RPZ)
The column Partial RR name displays the source IP address and prefix displayed in reverse.
The column RR value 1 displays * for Nodata policies, . for Nxdomain or rpz-passthru for
Passthru.
These rules can either identify the Namer Server IP Address (NSIP) or the Name Server Domain
Name (NSDNAME). Like the other rules, they allow to configure a redirection, an NXDOMAIN
or NODATA response or a PASSTHRU exception to any query made to any zone managed by
the Name Server.
Keep in mind that the rules based on Name Servers are reviewed last within the RPZ zone
records. Therefore, if for instance your Name Server manages a domain name or IP address
used in any passthru exception, this rule is found and applied even before reviewing any existing
rule based on the Name server. For more details, refer to the section Understanding the RPZ
Rules Order.
You can also add RPZ rules based on domain names or IP addresses. For more details, refer
to the section Configuring Rules Based on Domain Names and Configuring Rules Based on IP
Addresses.
You can configure RPZ rules to set redirections based on a Name Server domain name or a
Name Server IP address.There are as many Name Server based redirections as there are records
RPZ: REDIRECT.
Keep in mind that the rules based on Name Servers are reviewed last within the RPZ zone records.
For more details, refer to the section Understanding the RPZ Rules Order.
681
DNS Firewall (RPZ)
The column Partial RR name displays the name server domain name followed by the suffix
rpz-nsdname. The column RR value 1 is the target domain name or IP address depending
on your configuration.
The column Partial RR name displays the source IP address and prefix in reverse followed
by the suffix rpz-ip. The column RR value 1 is the target domain name or IP address depend-
ing on your configuration.
You can configure RPZ rules to set NODATA or NXDOMAIN response policies and PASSTHRU
exceptions based on a Name Server domain name or a Name server IP address. There are as
many Name server based response and exceptions as there are records RPZ: NODATA, RPZ:
NXDOMAIN and RPZ: PASSTHRU.
Keep in mind that the rules based on Name Servers are reviewed last within the RPZ zone records.
For more details, refer to the section Understanding the RPZ Rules Order.
682
DNS Firewall (RPZ)
The column Partial RR name displays the name server domain name followed by the suffix
rpz-nsdname. The column RR value 1 displays * for Nodata, . for Nxdomain or rpz-passthru
for Passthru.
The column Partial RR name displays the source IP address and prefix in reverse followed
by the suffix rpz-ip. The column RR value 1 displays * for Nodata, . for Nxdomain or rpz-
passthru for Passthru.
Rules based on the source Other require to specify a partial record name that is automatically
completed with the zone name upon addition. The rule full name is displayed as follows: <partial-
rr-name>.<zonename>.
Keep in mind that there is no data consistency check for the advanced rules, so make sure the
rule you add is RPZ-compliant or set with the proper syntax.
The column Partial RR name displays the information you specified in the field Address of
the wizard.
683
DNS Firewall (RPZ)
You can override RPZ rules when you add or edit an RPZ zone. For more details regarding the
edition of RPZ zones, refer to the section Editing RPZ Zones.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the list DNS zone type, select Master or Slave.
7. Click on NEXT . The next page opens.
2
8. In the field Name, name your zone following the syntax given in RFC1034 .
9. The box DNS firewall (RPZ) is automatically ticked and displayed in gray.
10. In the drop-down list Overriding rule, select the value of your choice. The page refreshes.
2
For more details, refer to https://tools.ietf.org/html/rfc1034, on page 7.
684
DNS Firewall (RPZ)
Field Description
Nxdomain Applies an NXDOMAIN response to all the RPZ rules of the zone.
Nodata Applies a NODATA response to all the RPZ rules of the zone.
CNAME Applies a redirection to all the RPZ rules of the zone. Once selected, the field Domain appears:
type in the FQDN of your choice.
14. Click on OK to complete the operation. The report opens and closes. The page All RPZ
zones is visible again. The selected overriding rule is visible in the panel Main properties of
the zone properties page.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting Rules
At any time, you can delete an RPZ rule, in other words a record, from your RPZ zones.
685
DNS Firewall (RPZ)
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. Filter the list if need be.
4. Tick the RPZ record(s) you want to delete.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The record is marked
Delayed delete until it is no longer listed.
686
Chapter 44. Hybrid DNS Service
SOLIDserver provides a Hybrid DNS service that reduces corruption risks for BIND DNS engines.
Hybrid DNS incorporates an alternative DNS engine based on NLnet Labs Unbound and NSD
engines that can automatically switch from standard BIND service to Hybrid if their configuration
is compatible.
Depending on your configuration, authoritative engines switch to BIND/NSD hybrid and re-
cursive engines switch to BIND/Unbound hybrid. Note that you cannot decide to switch to
NSD or Unbound, the switch is automatic and entirely dependent on the engine configuration.
Once the switch is complete, the DNS engine footprint is more complex to analyze and less prone
to malicious attacks as the DNS mechanism is different, it avoids BIND security flaws altogether.
Therefore, in the event of an attack or important security issue, the switch to Hybrid ensures data
security and avoids its potential corruption.
Keep in mind that Hybrid engines have some limitations compared to BIND engines.
Before switching, you need to understand that you cannot decide if your physical server switches
to BIND/NSD or BIND/Unbound. As a general rule, if your server is compatible with Hybrid, the
following switch occurs:
• If the smart server recursion is set to yes, a Hybrid compliant server can switch to
BIND/Unbound.
• If the smart server recursion is set to no, a Hybrid compliant server can switch to BIND/NSD.
On the DNS All servers list, the Hybrid DNS compatibility and Forced Hybrid DNS compat-
ibility columns allow you to see if you can switch your BIND physical servers.
In addition, the Multi-status column at server, view, zone and RR level provides you with all the
potential incompatibilities with Hybrid. For more details, refer to the section Understanding the
687
Hybrid DNS Service
Column Multi-Status. For more details regarding how to change a page listing template, refer to
the section Customizing the List Layout.
This information is also provided on the smart architecture edition wizard: the Compatible with a
Hybrid DNS Engine field indicates the Hybrid compatibility of the physical servers managed.
You must change your configuration to match Hybrid requirements if you want to switch to Hybrid.
During the switch, SOLIDserver checks once more all the parameters to make sure that your
server is compatible once more.
If you want to have a complete list of all the parameters and options that need to be edited, refer
to the section Generating the Hybrid Incompatibilities Report below.
688
Hybrid DNS Service
7. If you chose to Schedule the report, configure the reports using these fields.
8. Click on OK to generate the report. The page Report opens and works for a while.
9. You can click on DOWNLOAD to save the report immediately.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To list the reports.
Once you generated the report, all the parameters that are not compatible with Hybrid are listed
and you need to correct them all until your smart architecture is marked compatible. You can
generate as many reports as you want, every report is available on the page Reports of the
module Administration.
Once the physical server is Hybrid compliant, on the page All servers, the column Hybrid DNS
compatibility is marked Yes and, in the smart architecture edition wizard, the field Compatible
with a Hybrid DNS Engine is also marked Yes.
689
Hybrid DNS Service
The smart architecture can contain one or several BIND servers that you can all switch. Keep in
mind that, if you only switch one server, the other servers share the same limitations that the
Hybrid servers. So, before switching to Hybrid you should probably make sure that none of its
limitations prevent you from using your server with all the parameters you usually need. For more
details, refer to the section Hybrid DNS Engines Limitations.
In some rare cases, you might have a Hybrid server listed among your servers outside a smart
architecture. As you cannot manage a Hybrid server outside a smart architecture, you need to
switch it to BIND, add it to your smart architecture and then switch it again to Hybrid. For more
details, refer to the procedures To switch a physical server from Hybrid to BIND DNS and To
switch a physical server from BIND to Hybrid DNS.
Your server configuration switches to Unbound or NSD on its own, based on its configuration.
Once the switch is complete, the compatibility with Hybrid is forced: this implies that a set of
configurations can no longer be set. For more details regarding NSD or Unbound specificities
and limitations, refer to the sections The Server Switched to NSD and The Server Switched to
Unbound below. As for the Hybrid limitations in general, refer to the section Hybrid DNS Engines
Limitations.
To display the Hybrid engine the server switched to in the DNS module
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column Version, the engine and version are displayed.
Like any other server, you can check on a Hybrid server from the columns Status and Sync. For
instance, make sure that the smart architecture can push your configuration on the physical
server, if not the smart is marked Locked synchronization. For more details regarding this status,
refer to the section Handling the Status Locked Synchronization.
To display the Hybrid engine the server switched to in the Administration module
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
690
Hybrid DNS Service
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Next to the DNS server, the engine that runs is indicated between brackets.
From the Services configuration page, you can enable, disable, stop and start the Hybrid DNS
server. For more details, refer to the section Handling Services.
In the same way, from this page you can download the NSD or Unbound configuration file de-
pending on which one is running. For more details, refer to the section Downloading a DNS or
DHCP Configuration File.
However, you should be aware of a set of NSD engines specificities and limitations that shape
the configuration that you can or cannot set from the GUI.
691
Hybrid DNS Service
692
Hybrid DNS Service
• Only the options compatible with BIND are supported: any hybrid vendor option that does not
have any counterpart in BIND cannot be set through SOLIDserver.
• The RNDC commands are not supported: you cannot perform the commands force-notify,
force-refresh, force-retransfer, querylog and flush cache on Hybrid compliant servers.
• The options inheritance is not supported per se. However, after switching to Hybrid, your
server configuration is directly set at zone level.
• SOLIDserver does not retrieve data from a Hybrid server. However, if you manage a Hybrid
server via a smart you can synchronize the architecture to push any changes made from the
GUI to the server (content or configuration file) from the smart to the physical server.
• Any change made to a Hybrid server restarts the service.
• Dynamic Update is not supported by Hybrid.
• ACL use is limited:
• All ACLs based on IP and network addresses are supported.
• The any, localhost and none ACL are supported in their IP address form.
• The localnet ACL is not supported.
• Views are not supported.
• RPZ zones are not supported.
• Signing zones with DNSSEC is only possible if the BIND/NSD Hybrid server is managed via
a smart architecture in which the BIND/NSD server is a slave which master is a BIND server.
Indeed, NSD servers cannot be signed in DNSSEC but as slave servers they can handle
DNSSEC records.
693
Hybrid DNS Service
7. Click on OK to complete the operation. The report opens and closes. The smart architecture
is marked Yes in the Forced Hybrid DNS compatibility.
Once you switched a Hybrid server engine to BIND, the option Force Hybrid DNS compatibility
is still enabled. To be able to configure the BIND server without the Hybrid limitations, you must
edit the smart architecture and untick the box.
694
Hybrid DNS Service
695
Chapter 45. DNSSEC
Domain Name System Security Extensions (DNSSEC) is used to strengthen DNS protocol security.
It controls the integrity of all DNS answers and ensures that client queries are answered by the
proper zone.
By providing origin authentication, it protects the DNS information exchanged between name
RRset
ZSK
DNSSEC ensures data protection from one signed zone to the other, whether the answer is
1
successful or not: RRset
3 ZSK
.com
51. DNS data in each zone is cryptographically signed with a couple of public and private Zone
KSK
DS of child zone
Signing Keys (ZSK) that validate the integrity of the data of each zone. As a result:
Signed
DNS Client DNS recursive zone
a. Every RRset
server used as of the
4 zone is assigned a new RRSIG record that includes its own signature.
DNSSEC resolver
b. The public key is then provided to the resolver or application that validates the integrity of
RRset
the received RR. The integrity is provided by a chain of trust starting with the public key of
.domain.com
ZSK
KSK
a trust anchor.
Signed
zone
2. NSEC3 records are generated for each RRset, thus creating an organized chain of all the
RRs of the zone that provides an authenticated denial of existence. If the data is supposed to
be located in an area of the zone where another RR is located, it means that it does not exist.
3. Delegated zones are part of a chain of trust that ensures that every zone is recognized as
legitimate by its parent zone. To implement the security of that relation, each delegated zone
ZSK is signed at the parent zone level thanks to a couple of cryptographic Key Signing Keys
(KSK) and a Delegation Signer (DS).
NS DS
hash
comparison
.domain.com .domain.com
SOA KSK DNSKEY
Keep in mind that DNSSEC does not protect whole servers, it only protects the data exchanged
between signed zones.
Once DNSSEC is configured, the DNS packages sent and received often exceed 512 bytes, so
we recommend configuring EDNS to extend the size of your DNS messages. For more details,
refer to the section Configuring EDNS Options at Server Level.
Note that even signed zones can be exported from the page All zones. For more details, refer to
the chapter Exporting Data.
696
domain.com
DNSSEC
DNSKEY #
Is the KSK
valid?
The response ismatch
verified
RRset
Hash algorythm
Verified? The
and hash values
the KSK is valid
DNSKEY of the KSK #
match?
#
The hash values do not match
The response is not verified
On authoritative servers, implementing DNSSEC means signing at least one of its zones. During
the zone signature, a set of signing keys and records are generated:
DNSSEC signing keys
• Two Zone Signing Keys (ZSK), to protect the zone data. Every time a signed zone is
queried, the ZSK validation process is the following:
RRSIG
Is the
DS DS RRset
valid ?
The response is verified
KSK hash of domain.com
Public key
of the KSK
Verified?
and
The hash values match
the DS RRset is valid
The hash
response isdonot verified
#
match?
domain.com # The
and/or thevalues
DS RRsetnot
is match
not valid
hash value
Figure
DNSKEY of the45.2.
KSKThe ZSK validation process
Hash and Public key
comparison
One ZSK is active right away and the other is created to replace the first one when it expires
domain.com
or in case of problem.
• One Key Signing Key (KSK), to protect the
ZSK DNSKEY
ZSKs. It is active right away. The KSK validation
KSK Validation
process is the following: The
The response is v
Hash algorythm
DNSKEY of the KSK
#
verified?
and hash values
the KSK is vam
#
same
o
is the DS
hash?
RRset valid?
The hash values d
The response is not verified
same "Ob
hash?
Public key
of the KSK
KSK DNSKEY
Once generated, you can manage these keys. For more details, refer to the section Managing
.com
DNSSEC Signing Keys. is the DS
RRset valid?
DNSSEC records
DS
The response is
• The DNSKEY or Domain Name System# KEY. This recordverified?
the zone and is used to generate the zone same
contains the public key
The hash valuesdata
697
DNSSEC
If you did not sign zones from SOLIDserver, you might need to add DNSKEY records, for
more details refer to the section Adding a DNSKEY Record.
In case of unexpected KSK change, you might want to manually add CDNSKEY records
to inform the parent zone of these changes. For more details, refer to the DNSSEC records
configuration fields in appendix.
• The RRSIG or Resource Record SIGnature.This record stores the digital private signatures,
it signs each set of RR of a zone. It does not sign individual records.
The RRSIG guarantees secure DNS operations, its hash is compared with the hash of the
DNSKEY to ensure that the RRset has not been changed.
• The NSEC, NSEC3 and NSEC3PARAM records. These records significantly extend zone
files.
NSEC or Next SECure. This record provides authenticated denial of existence for the re-
cords as it points to the next valid host name in the zone for each record. If the requested
name is not returned, it does not exist.
NSEC3 or NSEC version 3. This record was designed because NSEC records can help
map out the content of the zone. It hashes each label to prevent enumeration.
NSEC3PARAM or Next Secure 3 Parameter. This record assists the authoritative server
handling client requests. Thanks to it, they can calculate hashed owner names and choose
which set of NSEC3 records are included in the negative responses.
• The DS, or Delegation Signer. This record is used to secure delegations between a zone
and a subzone. In a parent zone, the DS stores the key tag, algorithm number and a digest
of the DNSKEY of its child zone. Both records allow DNSSEC resolvers to authenticate
the validity of a subzone. Therefore, once you signed a subzone, you must publish the DS
information in the parent zone to make sure it is integrated to the Chain of trust. For more
domain.com
details, refer to the section Publishing the Delegation Signer in the Parent Zone.
RR (domain.com, A...)
RRset
#
Is the ZSK
valid?
The response is verified
Verified? The hash values match
Hash algorythm and the ZSK is valid
DNSKEY of the ZSK #
match?
The response is not verified
In case of unexpected KSK change, you might want to manually add CDS records to inform
#
hash value
comparison
The hash values do not match
and/or the ZSK is not valid
the parent zone of these changes. For more details, refer to the DNSSEC records config-
# Ciphered RR hash
RRset RRSIG
RRSIG
Public key
of the ZSK
domain.com
698ZSK Validation
RR (A, ...)
The
The response is
Hash algorythm
DNSKEY of the ZSK
verified?
and hash values
the ZSK is va
# same origina
Hash algorithm Private ZSK
of the ZSK
RRSIG of RRset
RR (domain.com, NS...) # # Ciphered RR hash
RRset
SOA
domain.com
SOA RRSIG
Unsigned A
NS RRSIG
A
A RRSIG
Signing a Zone
You can sign zones from the page All zones. It automatically generates the relevant signing keys
and records.
Private
ZSK
Hashing Encoding
RR A RR A
RRSIG
"Objec
ZSK DNSKEY
ZSK DNSKEY KSK DNSKEY
KSK DNSKEY
Hashing Encoding RRSIG
Private
KSK
ZSK DNSKEY
699
ZSK DNSKEY KSK DNSKEY
KSK DNSKEY
Hashing Encoding RRSIG
DNSSEC
Once you sign a zone that contains records matching any application FQDN, the zone can no
longer properly answer signed queries. For more details, refer to the part Application.
• These records are automatically generated once the zone is signed and DNSSEC-compliant,
the zone orders the records automatically. They are listed on the page All RRs, your cannot
edit them.
To sign a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) you want to sign.
3. In the menu, select Tools > DNSSEC > Sign zones. The wizard Signing zones opens.
4. Configure the ZSK, either use existing keys or generate a new one.
a. To use existing keys, tick the box Use existing ZSK(s). Two lists appear.
5. Configure the KSK, either use existing keys or generate a new one.
a. To use existing keys, tick the box Use existing KSK(s). Two lists appear.
b. To generate a new KSK, configure the fields according to your needs. Keep in mind
that your KSK value is probably set by your parent zone.
700
DNSSEC
b. To set up an SNMP Trap, tick the box. The related fields appear. All the fields are com-
pulsory, except the last one.
8. Click on OK to complete the operation. The report wizard opens and closes.
701
DNSSEC
On the page All zones, in the column DNSSEC, the zone is marked yes.
On the page All DNSSEC keys, in the column Status, the keys generated for the zone(s)
are marked Enabled. In the column Life span you can see which keys are active.
When the zone is signed, it contains DNSSEC records that hold the information of the Trust anchor
of the root zone ".". Therefore, your zone can be included in the chain of trust.
If you signed a subzone, you need to publish the DS record as detailed in the section below.
Without the DS pointing to the right subzone, DNSSEC resolvers cannot authenticate the subzone
as part of the chain of trust and clients cannot access it.
zone .com
security point of entry
zone domain.com
All the zones signed with SOLIDserver use the information of the trust anchor of the zone root
".". Therefore, you need to publish the DS of a subzone if its parent zone was signed, and
only in this case.
Note that if you created a trust anchor for a delegation of private zones, you also need to publish
your DS in the signed parent zone. For more details, refer to the section Adding a Trust Anchor.
If you do not manage the parent zone of the subzone you signed, copy the entire line of the
int of entry
DS record that suits your needs, paste it in the appropriate file and send it.
domain.com IN DNSKEY r5e4d...7785dd5 (KSK)
domain.com IN DNSKEY t457uc7...4ss362552 (ZSK)
domain.com IN RRSIG DNSKEY KSK eip.com ...
domain.com IN RRSIG DNSKEY ZSK eip.com ...
support.domain.com IN DS KSK sd6zf8q...8ze5d
support.domain.com IN RRSIG DS .... ZSK eip.com ...
domain.com zone
702
Note that:
• You cannot add a DS record in a parent zone if the subzone you are delegating does not
contain a DS and a NS record named like the subzone. For more details, refer to the section
Adding an NS Record.
• If your parent zone supports it, you can also add a CDS record to let the parent zone retrieve
information and be informed of any changes. For more details, refer to the DNSSEC records
configuration fields in appendix.
In the image above, the values needed for the zone mycorp.com are the Key Tag
(62946), the Key Algorithm (7), the Digest Type (2) and the Digest
(3A23EE213657A556A98137DC2EC011C33882FDA715D50FF6FF7F1740CC084604).
3. Publish the DS information of the subzone in a signed parent zone
If you do not manage the parent zone of the subzone you signed, copy the entire line of the
DS record that suits your needs, paste it in the appropriate file and send it.
If you manage the parent zone of the subzone you signed, you need to create a DS record
in the parent zone using the child zone DS information:
a. In the sidebar, go to DNS > Zones. The page All zones opens.
b. Click on the Name of the signed parent zone of your choice. The page All RRs opens.
c. In the menu, click on Add. The wizard Add a DNS RR opens.
d. In the drop-down list RR type, select DS.
703
DNSSEC
Once the parent zone contains a DS record for each child zone, the chain of trust includes both
the zone and all its delegated subzones.
Two Zone Signing Keys (ZSK) are generated every time you sign a zone to protect it, one is
active right away and the other is ready to replace the first one. You can use existing ZSKs to
sign other zones. You can revoke, disable, enable, delete and clean expired ZSKs.
One Key Signing Key (KSK) is generated every time you sign a zone to protect the ZSKs. You
can use existing KSKs to sign other zones. You can generate, revoke, disable, enable, delete
and clean expired KSKs.
For both key types, you must monitor and execute the key rollover whenever necessary. It
ensures the security of your DNSSEC zones.
• The ZSK rollover is automatic and relies on the two keys generated when you sign a zone.
If you suspect a ZSK is compromised you can force an earlier check and generate a new key
if relevant. For more details, refer to the section Executing a ZSK Rollover.
• The KSK rollover is manual. Only one key is generated when you sign a zone, so you must
generate a new one to replace the one protecting the ZSKs of a zone when it expires or if you
suspect it is compromised. For more details, refer to the section Executing a KSK Rollover.
All the ZSKs, KSKs and trust anchors are listed on the page All DNSSEC keys.
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
In addition to the keys Name, you can display their Encryption type, Key Type or even Key tag.
704
DNSSEC
The key rollover ensures the security of your DNSSEC system as it makes sure that signed zones
are protected by valid keys. The rollover option refreshes the key and generates a new one ready
to replace the current one if necessary.
Zone signing
ZSK 0
published and active inactive key deletion
It is deleted The inactive ZSK is deleted from the
from the GUI DNS after one third of its lifespan
but remains
in the DNS
All keys are listed on the page All DNSSEC keys. Inactive ZSKs are automatically deleted from
the GUI, but remain in the DNS for one third of their lifespan before being deleted from the DNS
as well. These inactive keys are kept in the DNS because that information has been cached by
other servers. Therefore, the information of the inactive ZSK is still used to secure the records,
unless you edited them after the activation of the new ZSK. Once the ZSK is deleted from the
DNS, all the records are automatically signed again using the currently active ZSK.
Even if the ZSK rollover is automatic on signed zones, you can force an earlier check if you
suspect they are compromised.
The option Force automatic ZSK rollover allows to make sure that the selected ZSK is not com-
promised or soon to expire. If it is the case, a new one is generated to replace it.
705
DNSSEC
If a key is compromised you must revoke it, for more details refer to the section Revoking a ZSK.
The key rollover ensures the security of your DNSSEC system as it makes sure that signed zones
are protected by valid keys. The rollover option refreshes the key and generates a new one ready
to replace the current one if necessary.
The KSK rollover is manual, so the option KSK rollover is all the more useful.
KSK
KSK t+1
1 2 3 4 5 6 7 8 9 10 11 12 13 14
months
If a KSK is compromised, you must revoke it. For more details, refer to the section Revoking a
KSK.
Some time before the KSK expires, you are notified via email alert and/or an SNMP trap depending
on what you configured when you signed the zone.You may also need a new KSK to safely revoke
or disable the current one.
To properly enable the rollover of the KSK and protect the ZSKs of your zone you must:
706
DNSSEC
We strongly recommend setting an alert to be notified when the KSK you generate is about to
expire, using the column Time left for instance. For more details, refer to the section Managing
Alerts.
If you manage the zone on several servers, you may need to sign the zone on these servers
using the generated KSK. For more details, refer to the section Signing a Zone With an Additional
KSK.
d. Click on OK to complete the operation. The report wizard opens and closes.
3. Publish the DS of the new KSK in the parent zone
a. In the breadcrumb on the right of All zones, click on to display additional pages.
b. Click on All DNSSEC keys. The page opens.
c. At the end of the line of the new KSK, click on . The properties page opens.
d. In the panel DS, copy the content of the list DS.
e. Transmit the DS to the parent zone. For more details, refer to the precedure To publish
the DS information of a subzone in its parent zone.
Some parent zones may also require the DNSKEY record of the new KSK.
Revoking a KSK
If a KSK is compromised you should revoke it. Revoking a KSK invalidates its corresponding
DNSKEY record for the zone and can protect it from attacks.
707
DNSSEC
1. Generate a new KSK and notify the parent zone to make sure you do not invalidate the whole
zone by revoking the compromised key. For more details, refer to the section Generating a
New KSK.
2. Revoke the compromised KSK.
Note that you cannot revoke a KSK if it is the only one protecting the ZSKs of a zone, it
would break the chain of trust and prevent from successfully querying your zone records, the
zone would be invalidated.
To revoke a KSK
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Generate a new KSK
a. Make sure that you have another KSK, a valid one, protecting the zone and that you
notified the parent zone.
b. If you do not have two KSKs attached to the zone listed on the page or if you have not
notified the parent zone of the new KSK generation, refer to section Generating a New
KSK.
5. Revoke the compromised KSK
a. Tick the KSK of your choice.
b. In the menu, select Edit > Revoke KSK Keys. The wizard Revoking Key Signing
Keys opens.
c. Click on OK to complete the operation. In the column Type, the KSK is now marked
KSK (invalidated) but its Status is still Enabled.
Revoking a ZSK
If a ZSK is compromised, you must revoke it. As there are two ZSKs protecting a signed zone,
revoking a ZSK triggers the following behaviors:
• If the active ZSK is revoked
1. The revoked ZSK is deleted from the GUI and the DNS database.
2. The published ZSK is activated to replace it. The new ZSK lasts longer that the initial time
configured when you signed the zone: it lasts for the remaining time of the revoked key plus
it own lifespan.
3. Another ZSK is generated and published. It lasts as long as the active ZSK. When the active
ZSK expires, it replaces it, this time it lasts for the initial period configured when you signed
the zone.
708
DNSSEC
ZSK revocation
ZSK n
published Immediate deletion
and active The ZSK is deleted from
the GUI and the DNS
ZSK n+1
published active key deletion
The published ZSK is activated. It stays
active for the remaining lifetime of
the revoked ZSK and its own lifespan.
Figure 45.10. The mechanism when you revoke the active ZSK
ZSK n
published and active key deletion
ZSK revocation
ZSK n+1
published Immediate deletion
The ZSK is deleted from
the GUI and the DNS
Figure 45.11. The mechanism when you revoke the published ZSK
To revoke a ZSK
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Tick the ZSK(s) of your choice.
5. In the menu, select Edit > Revoke ZSKs. The wizard Revoking ZSKs opens.
6. Click on OK to complete the operation. The wizard closes and the page refreshes.
If your revoked an inactive key, it is replaced by a new key with a different Key tag and the
same Start and End dates.
709
DNSSEC
If you revoked an active key, it is replaced by the inactive key and a new one is generated
to replace it when it expires.
You can disable ZSKs and KSKs, this may be useful if you need to complete your DNSSEC
configuration and then push it again on the server.
By default the generated ZSKs and KSKs are enabled, this does not mean that they are currently
used to protect the zone. In the column Life span, you can see that the KSK and one ZSK is
active, inactive keys are marked Not started yet.
To avoid breaking the chain of trust before disabling a KSK or ZSK you should:
• Make sure the key is inactive, and not currently used to sign any zone.
• Make sure another key is ready to protect the zone. Two ZSKs are generated when you
sign a zone, however you might need to generate a new KSK for the zone(s), before disabling
a KSK. For more details, refer to the section Generating a New KSK.
This operation should only be performed by administrators with good knowledge of DNSSEC
mechanisms.
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
710
DNSSEC
You can enable again a disabled ZSK or KSK. Keep in mind that:
• Enabling a key recreates the corresponding DNSKEY and RRSIG records in the relevant zone.
• Enabling a key again is not instantaneous. Until the cache of all the servers that queried the
zone expires, the new key information, including its life span, is not up-to-date and the change
is not taken into account.
• If the key you disabled was active, enabling it again allows to use it to protect the zone. Inactive
keys enabled again only change status, they are used when the active key expires.
• If the zone was Broken, enabling again the proper keys changes its DNSSEC status to yes on
the page All zones.
• Enabled keys are available again in the list of existing keys of the zone signature wizard.
You can only delete a KSK or ZSK if it has expired (Unused), is Disabled or was generated for
a zone that was unsigned.
711
DNSSEC
By default, all expired ZSKs and KSKs are automatically deleted from the page All DNSSEC keys
every night. However, at any point you can look for expired signing keys in all relevant zone and
delete them if need be.
After generating a KSK for a zone, the additional KSK automatically signs the zone.You can sign
the zone on all other servers with this additional KSK. Keep in mind that:
• You can only protect a signed zone with a KSK generated for a zone with the same name.
• You can select several zones if they have the same name.
To remove a key from the list Selected KSK(s), select it and click on . The key is moved
back to the list Available KSK(s).
5. Click on OK to complete the operation. The report wizard opens and closes.
On the page All DNSSEC keys, in the column Status, the keys generated for the zone(s)
are marked Enabled. In the column Life span you can see which keys are active.
Unsigning a Zone
You can unsign zones to stop using DNSSEC to secure your DNS organization.
Unsigning a zone disables DNSSEC for a zone. Note that disabling DNSSEC on a zone is different
than disabling the signing keys of a zone. For more details, refer to the section Disabling Signing
Keys.
712
DNSSEC
• Unsigning a zone disables its signing keys and purges all the DNSSEC records generated
during the signature. The zone is no longer considered secure by other signed zones.
• Unsigning a parent zone breaks the chain of trust set with its child zone(s). As only the records
generated automatically are purged, the DS record you published for any child zone is still part
of the parent zone.
You must delete the DS record published in the parent zone for each child zone to ensure it
cannot compromise it. Once the parent zone is unsigned, its DS records are no longer authen-
ticated or secure.
• Unsigning a zone signed using HSM must be unsigned using the HSM as well. The server
managing the zone(s) must have the box Enable HSM ticked when you unsign the zones to
ensure that both SOLIDserver and the HSM module are notified that one zone is no longer
part of the DNSSEC delegation. For more details, refer to the chapter HSM.
Once a zone is unsigned, its signing keys are still listed on the page All DNSSEC keys and can
be used to sign the zone again.
On the page All zones, in the column DNSSEC, the zone is marked no.
On the page All DNSSEC keys, in the column Status, the keys are marked Unused, if they
were only used with the zone you unsigned.
5. If you unsigned a parent zone, you must delete the DS record of each of its signed zones
as it is no longer signed, secure and authenticated. For more details, refer to the section
Deleting Resource Records.
Within SOLIDserver, you can enable DNSSEC validation, manage the trust anchors and disable
the validation.
You can set Efficient DNS servers and smart architectures as DNSSEC resolvers and as-
sociate them with a trust anchor.
The chain of trust ensures that clients are directed to valid zones. All queries and answers are
signed and compared at every DNS lookup node to authenticate the exchange and make sure
that both sides can be trusted. That way, at all relevant levels, a verified encrypted signature
provides validating resolvers with the correct path to secured zones and prevents directing clients
toward bogus IP addresses. This validation can be set all the way up to the TLD.
713
DNSSEC
The starting point of the chain of trust is the trust anchor. Once configured on a validating resolver,
it allows the resolver to validate the integrity of the records sent by DNS clients and ensure the
chain of trust between a zone and its parent. Therefore, a zone or subzone has to be secured
before being linked to the secured zone it is a delegated from. The trusted anchor of the parent
zone then covers the secured child zones that are delegated from it.
.com zone
security point of entry
.domain.com zone
domain.com zone
DNSSEC
.domain.com
KSK DNSKEY
The box is not available for servers managed via a smart architecture, in this case to tick
the box you must edit the smart architecture.
4. Tick the box Use DNS as DNSSEC resolver. The wizard refreshes.
5. In the list Available Trust Anchor, select a trust anchor and click on . The trust anchor is
moved to the list Configured Trust Anchors.
To remove a trust anchor from the list, select it and click on . It is moved back to the list
Available Trust Anchor.
6. Click on OK to complete the operation.The wizard closes. In the panel DNSSEC, the DNSSEC
resolution is now Enabled and the list Trust Anchors contains the chosen trust anchor(s).
On the page All servers, in the column DNSSEC the server is now marked Yes.
On the properties page of the trust anchor, in the panel DNS servers using this trust anchor,
the server is listed.
Once DNSSEC is configured, the DNS packages sent and received often exceed 512 bytes, so
we recommend configuring EDNS to extend the size of your DNS messages. For more details,
refer to the section Configuring EDNS Options at Server Level.
You can add trust anchors, use one trust anchor on several resolvers and delete them.
715
DNSSEC
4. At the end of the line of the key of your choice, click on . The properties page opens.
.com
All trustDS
anchors have a unique Name on the page All DNSSEC keys. By default, ICANN trust
Is the
DS RRset
anchorsofare
hash domain.com
available on the page. and Verified? The hash values match
the DS RRset is valid
The hash
response isdonot verified
#
match?
domain.com The
and/or thevalues
#
DS RRsetnot
is match
not valid
Adding aDNSKEY
Trust Anchor
Hash and Public key
of the KSK
hash value
comparison
If you want to set up your own chain of trust from one of your signed zones, you can add a trust
anchor.
If a local trust anchor is available, it is used to verify the zone without comparing the KSK protecting
the zone against all its signed parent zone.
is the DS
DS RRset valid? "Ob
verified?
same
hash?
KSK DNSKEY
716
DNSSEC
b. In the panel Trust anchor, copy the content of the list Key.
c. In the breadcrumb, click on DNSSEC Key to go back to the page All DNSSEC keys.
5. Add the trust anchor
a. In the menu, click on Add. The wizard Add trust anchor opens.
b. In the field Key, paste the trust anchor information you just retrieved.
c. Click on OK to complete the operation. The trust anchor is now listed on the page All
DNSSEC keys. In the column Zone, the name of the zone it was retrieved from is listed.
6. Now you must add the trust anchor to the resolver managing your zones as detailed in the
procedure To enable DNSSEC validation.
You can use one trust anchor on several resolvers, provided that they support it.
To stop using a trust anchor on a particular server, select it in the list Selected and click on
. It is moved back to the DNS server list.
7. Click on OK to complete the operation. The servers are now listed in the panel DNS servers
using this Trust Anchor.
You can only delete a trust anchor no longer used by any DNSSEC resolver.
717
DNSSEC
Once the validation is disabled, the server is no longer part of the chain of trust of the trust anchor.
Both the server and the trust anchor information are updated.
The box is not available for servers managed via a smart architecture, in this case to untick
the box you must edit the smart architecture.
5. Click on OK to complete the operation.The wizard closes. In the panel DNSSEC, the DNSSEC
resolution is now Disabled and the list Trust Anchors is empty.
On the page All servers, in the column DNSSEC the server is now marked No.
On the properties page of the trust anchor, in the panel DNS servers using this trust anchor
no longer lists the server.
718
Chapter 46. HSM
The goal of this chapter is to detail the procedures to sign Master zones with DNSSEC using a
Hardware Security Module (HSM). This operation is only possible with an EfficientIP DNS server,
either managed by a smart architecture or not.
DNSSEC is an extension to DNS that provides a way to authenticate DNS responses, thus pre-
venting DNS traffic interference such as man in the middle attacks. For DNSSEC to function
1
properly, it is essential for the private keys, ZSK and KSK, to be protected . With HSM, the private
keys never leave the module thus preventing any exposition to potential attacks, on the network
or host computer. SOLIDserver is compatible with the Thales nShield 500 HSM.
To ensure a secure communication with a DNS server, the HSM relies on:
• The Security World (SW), a closed architecture that describes the global cryptographic
environment
The SW is used to encrypt recovery data and authorize the creation of Operator Card Sets
(OCS) that can be required for the module to function. For redundancy, it can manage several
HSM servers, i.e. modules, but is supervised using a unique Administrator Card Set (ACS).
You can create your own SW or integrate your SOLIDserver appliance to an existing one.
• The Remote File System (RFS) that contains the keys and configuration data
Every key is generated on the RFS, sent to the module for encryption and sent back to the
RFS for storage. Any time the server needs a key, the encrypted key is transmitted by the RFS
to the module(s) for decryption and sent straight to the server.
There should be one RFS by Security World stored either locally on your SOLIDserver appliance
or, if you want to integrate your SOLIDserver appliance to an existing SW, on an external
2
server .
Prerequisites
• Only users of the group admin can perform the operations detailed in this chapter.
• Only the Thales nShield Connect 500 HSM is supported.
• Your license must be valid and include the DNS module.
• Your SOLIDserver appliance should be added to the HSM authorized client list using the
proper ACS. For more details, refer to the documentation of your HSM.
• Master zones to be signed with the HSM must be managed by an EfficientIP DNS server,
whether in a smart architecture or not. This feature is not compatible with other types of DNS
servers.
• To properly secure appliances in High Availability, it is strongly advised to set up the HSM on
each of them before enrolling the Hot Standby.
1
For more details, refer to the chapter DNSSEC.
2
The RFS storage being remote in essence, you need to choose a server that offers enough data security to store the RFS outside of
the HSM.
719
HSM
Limitations
• The HSM slot is common to all the HSM queries. You cannot set it per DNS server.
• Deleting private keys from SOLIDserver does not trigger automatic deletion on the RFS. For
more details regarding how to delete them from the RFS, refer to the documentation of your
HSM.
• A card from the OCS needs to be inserted in the HSM for encryption to work. Softcards, i.e.
virtual security tokens, are not supported.
• K/N quorum is not supported, only 1/N is. This means you cannot require more than one card
to use a module.
• When the HSM feature is enabled on an EfficientIP DNS server, all the zones you sign with it
are signed using the HSM, i.e. you cannot sign some zones with the module and others without
it.
• All the Master zones signed using the HSM must also be unsigned using the HSM.
720
HSM
HSM Protection
On the page Services configuration, in the column Name, the service HSM Protection is followed
either by OCS, if the module is configured to function only when a physical smart card is inserted,
or Module if no card is required.
If a PIN code has been specified for the OCS, the column Configuration displays the mention
PIN code:****.
RFS Server
On the page Services configuration, the column Configuration of the service RFS server indic-
ates the IP address of the server on which the RFS is stored. If the RFS is stored locally on the
SOLIDserver appliance, the column displays the mention Local instead.
HSM Servers
For redundancy, you can manage several modules, also referred as HSM servers in SOLIDserver,
within the same Security World. They are listed under the service HSM servers on the page
Services configuration:
• The column Name indicates the name and IP address of the module(s) enrolled by SOLIDserver.
• The column Configuration displays the electronic serial number (ESN) and hash of the KNETI
key (KNETI HASH) in use for each module.
• The column Status provides information regarding the modules - or HSM servers - you manage.
Missing RFS The RFS is missing and the HSM server is not operational.
Not identified The HSM module is not identified and therefore not operational.
Not enrolled The HSM module is not enrolled and therefore not operational.
In case a module fails, whether you are managing only one or several modules, there is
no visual indication on the GUI.
However, the logs in the file named.log indicate that SOLIDserver has switched back from the
service DNS server (HSM) to DNS server (named) to sign zones with DNSSEC. For more details
regarding how to display logs, refer to the section Syslog.
In both cases, it is necessary to stop the service DNS server (HSM) and restart it before you can
use it again to sign zones. For more details regarding how to restart a service, refer to the section
Starting or Stopping a Service.
721
HSM
You can however set up your HSM on appliances already in HA and force the synchronization
within a minute. For more details, refer to the section Enable HSM on Appliances Already in
High Availability.
4. Enable HSM on the servers managing zones that you want to sign using HSM. For more details,
refer to the section Signing Zones Using HSM and DNSSEC.
If you want to specify a communication slot different from the default ones, follow the procedure
in the section Adding a Custom Communication Slot below. Otherwise, go straight to the section
Enabling the Service nFast Hardserver.
To communicate with the Thales nShield Connect 500 HSM, SOLIDserver uses the preconfigured
slots 492971158 for OCS protection and 492971157 for Module protection.
If you want to specify a different slot than the default ones, you need to add a new item in the
Registry database. Otherwise, go straight to the section Enabling the Service nFast Hardserver.
722
HSM
To properly enroll a module with SOLIDserver, you need to enable the service nFast Hardserver
before configuring it.
If you plan on using HSM with High Availability, make sure to set up and enable the service nFast
Hardserver on both the future Master and the Hot Standby before configuring the association.
The service nFast Hardserver allows to enroll one or several modules. To configure the service,
you can:
• Either specify an existing Security World by declaring the IP address of its Remote File System,
• Or use your SOLIDserver as the local RFS, in which case, it would contain the Security World
needed to authenticate your data exchanges.
723
HSM
Field Description
OCS PIN code Type in a password for the OCS, it should be the same for every card of a given set. If you
want to integrate SOLIDserver to an existing Security World, use the related PIN code.
8. Click on ADD to commit your addition. The page refreshes and the server is moved to the
list HSM servers.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
12. If you specified a client with write access, click on ADD to commit your addition. The page
refreshes and the client is moved to the list Allowed clients.
724
HSM
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
To grant another client write access to the RFS, repeat steps 11 and 12.
13. Click on OK to complete the operation. The report opens and closes. The page Services
configuration is visible again. The enrolled modules are listed under the line HSM servers
along with their ESN and KNETI-HASH.The statuses of the nFast Hardserver and module(s)
should be OK . For more details, refer to the section Browsing HSM Servers.
These instances cannot be running at the same time. To stop using the HSM, refer to the section
Best Practices to Stop Using the HSM.
Note that, if you enable the service DNS server (HSM) before adding any HSM server, the service
Status should be ! No HSM found. In this case, you need to add the HSM server and restart
the service DNS server (HSM).
725
HSM
d. Click on OK to complete the operation. The report opens and closes. The page Services
configuration is visible again and the service is marked Enabled.
When the service DNS server (HSM) is enabled, you can start signing zones through EfficientIP
DNS servers.
726
HSM
You cannot sign some zones with the HSM and others without it.
• All the Master zones signed using the HSM must also be unsigned using the HSM.
When you unsign the zones, you must make sure that the box Enable HSM is still ticked.
727
HSM
3. In the column Name, click on the service nFast Hardserver (deprecated). The wizard HSM
server configuration opens.
4. Click on NEXT . The next page opens.
5. In the list HSM servers, click on the module you want to delete. The page refreshes and the
fields display the module's details.
6. Click on DELETE . The page refreshes, the fields are emptied out and the server is no longer
listed.
7. Repeat steps 5 and 6 for as many servers as needed.
8. Click on NEXT . The next page opens.
9. Click on OK to complete the operation. The report opens and closes. The page Services
configuration is visible again and the HSM server is no longer listed.
728
HSM
c. In the menu, select Tools > Apply configuration. The wizard Commit the system
configuration changes opens.
d. Click on OK to complete the operation. The report opens and closes. The page Services
configuration is visible again and the service is marked Disabled.
5. In the column Name, find the service DNS server (named).
6. Enable the service DNS server (named):
a. In the column Enabled, click on Disabled to enable the service. The wizard Enable a
service opens.
b. Click on OK to complete the operation. The report opens and closes. The service starts
automatically but is listed in red because the configuration is still pending.
c. In the menu, select Tools > Apply configuration. The wizard Commit the system
configuration changes opens.
d. Click on OK to complete the operation. The report opens and closes. The page Services
configuration is visible again and the service is marked Enabled.
729
Chapter 47. Monitoring and Reporting
DNS Data
SOLIDserver provides a set of tools to monitor DNS servers and generate reports.
• The alerts that you can set on the DNS pages allow to customize your monitoring. For more
details, refer to the chapter Managing Alerts.
• A set of statistics are available in dedicated panels of the properties page of DNS servers, as
detailed in the section Monitoring DNS Servers from their Properties Page.
• A set of data sampling analytics are available on the page Analytics, as detailed in the section
Monitoring DNS Servers from the Page Analytics.
• A couple of tools allow to monitor a DNS server querylog and answerlog, as detailed in the
section Monitoring DNS Queries and Answers.
• A number of reports on servers, views and zones are available, as detailed in the section
Generating DNS Reports.
A chart returning the number of answers found in the cache (Success) and the number of
answers that were not cached (Recursion), in queries per second.
DNS - Failed queries - <server-name>
A chart returning all failed queries answers (Failure, NXRRSET, NXDOMAIN, Referral, Du-
plicate or Dropped), in queries per second.
DNS - Authoritative vs recursive queries - <server-name>
A chart returning all Authoritative and Recursive answers, in queries per second.
DNS - RPZ queries - <server-name>
A chart returning answers matching an RPZ rule configured on the server, in queries per
second. For more details regarding Response Policy Zone, refer to the chapter DNS Firewall
(RPZ).
State log
All the latest changes performed on the server by the user logged in.
Note that you might have additional panels called Guardian - <data> on the properties page, if
you have enabled DNS Guardian on your appliance. For more details, refer to the part Guardian.
730
Monitoring and Reporting DNS Data
• You can zoom in and out or decide the period and data to display in the charts. For more details,
refer to the section Charts.
• The panels can be displayed on any dashboard, like the other gadgets. For more details, refer
to the section Assigning a Chart on a Properties Page as Gadget.
By default, on a smart architecture properties page, statistics panels are displayed for maximum
ten physical servers. For more details, refer to the section Setting the number of DNS server
statistics panels to display.
The Date and time it occurred, the Service used, the user and the User performing the oper-
ation and the server basic information: DNS name, DNS type and Architecture if relevant.
By default, it lists the changes carried out by the user logged in, but if they belong to a group
with access to the changes from all users, the panel displays all the operations ever per-
formed. For more details, refer to the section Allowing Users to Display All the Operations
Performed.
731
Monitoring and Reporting DNS Data
To set the number of server statistics panels to display on the properties page of
a smart
Limitations
• The analytics are only available for EfficientIP DNS physical servers and Hybrid DNS servers.
• The analytics data is only retrieved based on UDP traffic.
• Only the first 50 entries matching the selected metrics are listed. Therefore, if on the selected
period of time, 100 pieces of information are identical, the GUI only displays the first 50.
• You might slow your appliance down if you edit the purge mechanism to include more lines or
keep data longer than the default 30 days.
Each sample compares data retrieved over a specific periodicity, a limited period of time, that is
set by default to a sample time of 5 minutes. You can edit the sampling period following the pro-
cedure in the section Configuring the Periodicity.
Note that the page might display DNSTOP, RPZ and Guardian analytics. If you display the ana-
lytics of a specific server, either DNS and RPZ data or Guardian data is displayed. For more
details on DNS Guardian data, refer to the section Monitoring Guardian Statistics.
732
Monitoring and Reporting DNS Data
4. To only display the analytics of a specific physical server, in the column Server, click on the
name of your choice. The server name is displayed in the breadcrumb and only its data is
returned.
All the columns displayed on the page depend on the DNSTOP or RPZ data selected. Keep in
mind that each column provides and compares data over the specified sample time.
For the DNSTOP - Top 50 Domains / source IP and DNSTOP - Top 50 TLDs / source IP,
the number of hits is based on the value of the columns Source IP and End date. For in-
stance, the number of times an A record was queried by the IP address <1.2.3.4> during
a 5-minute period.
Ratio The percentage of Number of hits compared with the Total queries for the selected period.
This column is displayed for all analytics.
For instance, the percentage that represents the A records queried to find the IP address
of <example.com> compared with all the messages on the traffic for a period of 5 minutes.
733
Monitoring and Reporting DNS Data
For instance, the percentage that represents the A records queried to find the IP address
of <example.com> compared with all the messages on the traffic for a period of 5 minutes.
If the drop-down list only contains data named Guardian - <sample>, refer to the section
Displaying Guardian Analytics Tops.
734
Monitoring and Reporting DNS Data
6. Under the drop-down list, you can tick the box Automatic refresh to automatically refresh
the data listed every minute. To edit the page refresh frequency, refer to the section Editing
the Automatic Refresh Frequency.
You can edit the sample time following the procedure in the section Configuring the Periodicity.
In the following table, RPZ rule refers to a combination of source, pattern and policy configured
in rules that matched DNS client queries.
735
Monitoring and Reporting DNS Data
All DNS retrieval settings affect both DNS and RPZ analytics.
On the page Analytics, the box Automatic refresh allows to automatically refresh the page display
every 60 seconds. You can edit this frequency via a registry database key.
By default, the data sampling compare the DNS traffic over a sample periodicity of 5 minutes.
On the page Analytics, the sample time is specified in the column Period.
You can configure a shorter or larger periodicity on each physical server individually.
Note that no matter the periodicity, the data is available on the page at a frequency specified
through the rule 380. To edit that rule, refer to the section Configuring the DNS Analytics Retrieval
Frequency.
The frequency to which the analytics are displayed in the GUI is set by the rule 380, DNS Analytics.
By default, every 5 minutes it displays the data comparison results for messages sampled during
1, 5, 10 or 15 minutes, depending on the configured periodicity.
736
Monitoring and Reporting DNS Data
No matter the periodicity you set on the physical server, the data is available in the GUI depending
on the rule configuration.
To edit the rule 380 that sets the DNS analytics data retrieval
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 380 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. This field is required.
7. In the field Comment, you can insert, edit or delete the rule comment. This field is optional.
8. Click on NEXT . The page Rule filters opens.
9. Edit the drop-down lists according to your needs.
10. Click on OK to complete the operation. The page refreshes, the properties is visible again.
You can configure the purge mechanism of the analytics retrieval. By default, it is based on:
• The data age. The rule 382, Purge DNS Analytics, deletes data older than 30 days. You can
set it to delete data earlier or later.
• A lines count. A registry key deletes data if the analytics database exceeds 100,000 lines, each
analytic can reach that many lines. You can set a lower or higher threshold.
As both thresholds work together, once the number of days or the number of lines is met, the
unwanted data the deleted.
No matter the way you want to purge your database, keep in mind that if you set very high
thresholds, you may slow down your appliance because the database contains too much
information.
737
Monitoring and Reporting DNS Data
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
738
Monitoring and Reporting DNS Data
6. Click on OK to complete the operation. The page refreshes, the properties is visible again.
In the panel, the field Enable analytics collection is marked no.
Querylog is a toggle command that provides an overview of all the DNS queries in IPv4 and IPv6.
The logs structure is as follows:
a. The requesting client IP address and port number, the query name, class and type.
b. The recursion detailed, + or -. The Recursion Desired flag: + is set (the query was recursive),
- is not set (the query was iterative).
c. DNS options details if relevant: whether the query is signed (S), whether EDNS was used (E),
whether TCP was used (T), whether DO - DNSSEC OK - was set (D), whether CD - Checking
Disabled - was used (C).
d. The IP address the information was sent to.
Keep in mind that all the logs can be displayed in the page Syslog in real time. They can slow
this page down consistently as the querylog command can generate a substantial volume of data
very quickly.
The first logs are received control channel command 'querylog' and query logging is
now on; all the logs are listed below.
739
Monitoring and Reporting DNS Data
Answerlog is a toggle command that provides an overview of all the DNS answers in IPv4 and
IPv6. It uses the same information structure as querylog, each log contains: client information,
recursion details, DNS options when relevant... For more details, refer to the log structure in the
section Monitoring DNS Queries.
When answerlog is on, it displays two lines: first the initial query, second the answer received by
the client followed by the return code of the answer: NOERROR, SERVFAIL, NXDOMAIN...
740
Monitoring and Reporting DNS Data
For more details regarding the reports and their generation, refer to the section Managing Reports.
741
Part VIII. Global Policies
Global policies are options that allow to set specific behaviors within a module or between modules. They
are available in the modules IPAM, DHCP, DNS and Device Manager.
• Inheritance and Propagation allows to use meta-data, advanced properties and class parameters across
the hierarchy of most modules. You can set, inherit, propagate or restrict an object's property from one
level to the other.
• Managing Advanced Properties allows to configure advanced properties that define interactions between
and/or within the modules IPAM, DHCP, DNS, Device Manager and VLAN Manager.
Table of Contents
48. Inheritance and Propagation ..................................................................................... 744
Prerequisites ........................................................................................................ 745
Limitations ............................................................................................................ 746
Configuring the Inheritance of a Parameter Value .................................................... 746
Configuring the Propagation of a Parameter Value ................................................... 748
Setting Class Parameters ...................................................................................... 749
Reconciling Class Parameters ............................................................................... 750
49. Managing Advanced Properties ................................................................................ 752
Prerequisites ........................................................................................................ 753
Browsing Advanced Properties .............................................................................. 753
Configuring IPAM Advanced Properties .................................................................. 754
Configuring DHCP Advanced Properties ................................................................. 776
Configuring DNS Advanced Properties ................................................................... 779
Setting Advanced Properties .................................................................................. 780
743
Chapter 48. Inheritance and Propagation
Two mechanisms allow to inherit and propagate meta-data, advanced properties and class
parameters within all modules. Both mechanisms are available by default in the addition/edition
wizard of the resources that can be configured with it.
For each meta-data, advanced property and class parameter, you can configure the Inheritance
property to Set or Inherit and/or the Propagation property to Propagate or Restrict via a dedic-
ated icon and layer in the wizard.
Keep in mind that the default configuration of both properties does automatically Propagate the
parameter value you specify on an object to all its child objects if their Inheritance property is In-
herit. Like in the example below, at the space level, a DNS server is Set. All the objects the space
contains down to its IP addresses Inherit this DNS server.
NETWORK
BLOCK Domain name = lab.mycorp.com
POOL
ADDRESS
Figure 48.1. Example of the inheritance and propagation of some advanced properties in the IPAM
In the wizard, the dedicated configuration icon is located next to all the fields for which you can
configure either the inheritance or the propagation property. It indicates the current configuration
of the meta-data, advanced property or class parameter. Here below are the possible combinations.
You can use the internal hierarchy of a module to inherit and propagate a parameter with the
values that suit your needs. In the example below, the advanced property DNS server has one
value from space to block-type network and different one from subnet-type network down to IP
address level.
744
Inheritance and Propagation
POOL
ADDRESS
Figure 48.2. Example of an advanced property set and propagated at network level
Prerequisites
Before configuring the inheritance property and/or the propagation property on advanced proper-
ties, meta-data and class parameters, keep in mind that:
• Advanced Properties can be configured for the IPAM, DNS and/or DHCP. At all levels of
these modules, you can define the inheritance and/or the propagation property of your advanced
properties. For more details regarding advanced properties, refer to the chapter Managing
Advanced Properties.
• Meta-data is by default configured for class global of all resources within SOLIDserver. Note
that a few resources of the modules IPAM, DNS and Device Manager provide meta-data for
which you can define inheritance and propagation, without editing the class.
For more details regarding meta-data, refer to the chapter Configuring Classes.
• Class Parameters belong to the customized classes you create from the page Class Studio.
Once enabled, you can define the inheritance and propagation property of all the class objects
that define your classes. Once displayed in the addition/edition wizard of the resource it applies
to, the class objects are considered as class parameters. For more details regarding customized
classes, refer to the chapter Configuring Classes.
745
Inheritance and Propagation
Limitations
• Configuring the Inheritance and/or Propagation property does not trigger any creation.
Configuring the inheritance and propagation properties on objects managing other objects
propagates the parameter and its value to the objects it contains but does not trigger any creation
behavior. So if you configure the advanced property Create DHCP static on a terminal network,
the property value is propagated down to its assigned IP addresses but these addresses are
not created in the DHCP.
To trigger the creation behavior on existing objects at lower level, you must tick them and in
the menu select Tools > Expert > Initialize rules.
• The Inheritance property cannot be configured at some levels:
• At the highest level of any module, you cannot switch the property to Inherit, it is forced to
Set.
1
• You cannot inherit a parameter on: IPAM spaces , DHCP servers, DNS servers, NetChange
devices, Workflow requests, Device Manager devices, VLAN domains and groups of users.
• The Propagation property cannot be configured at some levels:
• At the lowest level of any module, you cannot set the property to Propagate, it is forced to
Restrict.
• You cannot propagate parameters on: IP addresses (IPv4 and IPv6), DHCP groups (IPv4
and IPv6), DHCP ranges (IPv4 and IPv6), DHCP statics (IPv4 and IPv6), DNS zones, Device
Manager interfaces and ports, NetChange ports and VLAN Manager VLANs. All these objects
can however inherit parameters.
• Some operations are impossible. You cannot:
• Configure the Inheritance property and Propagation property to Inherit/Restrict in template
mode in the IPAM. An inherited parameter value must be propagated.
• Delete a class parameter from a parent object if its Inheritance property is Inherit.
• Restrict the propagation of a parameter that has already been propagated.
• Reconciling class parameter must follow a specific order.
If you plan on reconciling the meta-data, advanced properties and/or class parameters of all
the objects of a module, you must start from the lowest level of the hierarchy up to the highest
one.
1
If you have a space-based VLSM organization, you cannot inherit parameters on the top level space. You can inherit parameters from
the first level down.
746
Inheritance and Propagation
ADDRESS
No Domain name
Figure 48.3. Example of an advanced property set and restricted at pool level
Once configured on a parent object, the value is used on all the objects it contains if their
inheritance property is set to Inherit. In the example above, the value of the advanced property
Domain name follows this logic: it is configured to Set/Propagate from the space down to the
pool, every level in between is configured to Inherit/Propagate. At pool level the parameter is
configured to Set/Restrict with a different value, so the IP addresses are not configured with the
property.
In the following procedure the icon is used to provide an example of configuration, it matches
the default value of the inheritance and propagation properties. Depending on your configuration,
it could be any of the icons detailed in the previous paragraph.
The inheritance property has to be configured directly in the addition/edition wizard of an object.
In this section, configuring includes defining the inheritance property for the first time or editing
its value.
Keep in mind that you cannot configure the inheritance property on the highest level of a
module.
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The inheritance/propagation property icon details the object configuration on its properties
page.
747
Inheritance and Propagation
Note that deleting some objects of the IPAM and DNS hierarchy triggers the automatic
inheritance:
• When you delete a non-terminal subnet-type network, an IPAM pool or a DNS view that contains
other objects at lower levels, the child objects are automatically moved higher in the hierarchy.
• If the child objects inherited class parameters from the deleted container, for each class para-
meter:
• The Inheritance property is forced to Inherit or Set to match the configuration of the deleted
parent object. This way, the value and the source of the value remain the same.
• The Propagation property remains the same.
POOL
ADDRESS
No DHCP cluster
Figure 48.4. Example of an advanced property inherited and restricted at network level
Once configured on a parent object, the value is used on all the objects it contains if their
propagation property is set to Inherit. In the example above, the value of the advanced property
DHCP cluster follows this logic: it is configured to Set/Propagate from the space down to the
subnet-type network, every level in between is configured to Inherit/Propagate. At network level
the parameter is configured to Inherit/Restrict, so the pools and IP addresses are not configured
with the property.
In the following procedure the icon is used to provide an example of configuration, it matches
the default value of the inheritance and propagation properties. Depending on your configuration,
it could be any of the icons detailed in the previous paragraph.
748
Inheritance and Propagation
The propagation property has to be configured directly in the addition/edition wizard of an object.
In this section, configuring includes defining the propagation property for the first time or editing
its value.
Keep in mind that you cannot configure the propagation property on the lowest level of a
module.
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The inheritance/propagation property icon details the object configuration on its properties
page.
If you only want to set advanced properties on several objects at once, we recommend that you
use the option Set advanced properties because the wizard already contains all the available
values and allows to choose them in dedicated drop-down lists rather than specifying them in
fields. For more details, refer to the section Setting Advanced Properties.
Using the option Set class parameters allows, as long as you are aware of the Limitations, to:
• Set any parameter on an object: either a class parameter or meta-data.
• Overwrite any parameter configured or not.
• Overwrite the value of the Inheritance property and/or Propagation property of a parameter.
• Propagate a configured parameter to child objects if their Inheritance property is Inherit.
• Restrict a parameter at the level of your choice.
Note that, in the wizard, the drop-down lists Inheritance property and Propagation property are
only displayed if they are relevant to the object you selected.
749
Inheritance and Propagation
4. In the drop-down list Parameter, select the class parameter or meta-data of your choice.
The page refreshes and the drop-down list Value appears.
5. In the drop-down list Inheritance property, configure the inheritance behavior:
a. Select Set to set the parameter the value or overwrite the current value on the object.
This value is selected by default.
b. Select Inherit to inherit the advanced property from a parent object. Selecting this value
hides the field Value.
6. If you selected Set, in the field Value, type in the parameter value.
7. In the drop-down list Propagation property, configure the propagation behavior:
a. Select Propagate to propagate the parameter value on the child objects.The propagation
is only possible if the child objects Inheritance property is Inherit. This value is selected
by default.
b. Select Restrict to only configure the parameter on the object(s) selected and prevent
its propagation to the child objects.
8. Click on ADD to move your parameter configuration to the Parameters list.
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
9. Repeat the steps 5 to 8 for as many parameters as you need.
10. Click on OK to complete the operation. The report opens and closes. Any parameter value
and configuration previously set for the selected object(s) is overwritten.
For instance, after a migration of your database, from a version prior to 6.0.0, with parameters
configured that are all Set with the same value at all levels, you can use the option to make sure
they respect the internal module hierarchy and make the lower levels Inherit the top level para-
meter value. If you configured or edited classes, your objects are configured at each level but
the inheritance between each level is not implemented yet. Running this option allows comparing
all the properties and parameters set on the parent, for the selected child objects. If they are
configured on both levels and their values match, the inheritance property of the child objects is
forced to Inherit to set up the inheritance.
The option allows to force the Inheritance property of a parameter based on the value of the
parameter in the parent object. Therefore:
• The parameter value is forced to Set if it is not configured on the parent object.
• The parameter value is forced to Set if it is configured on the parent object with the Propagation
property set to Restrict.
• The parameter value is forced to Set if it has a different value on the parent object.
• The parameter value is forced to Inherit if on the parent object: the parameter is configured,
has the same value and has the Propagation property set to Propagate.
Keep in mind that the option is only available on pages managing objects that can inherit data.
Some class parameters might not be reconciled, for more details refer to the section Limitations.
750
Inheritance and Propagation
If you plan on reconciling meta-data, advanced properties and class parameters on all the
objects of a module, you must start from the lowest level and execute the option on all levels
up to the highest one.
2. Tick the object(s) for which you want to reconcile the class parameters inheritance property
with their parent object.
3. In the menu, select Tools > Expert > Reconcile the class parameters. The wizard Recon-
cile the class parameters opens.
4. Click on OK to complete the operation. The report opens and works for a while. The report
opens.
751
Chapter 49. Managing Advanced
Properties
Advanced properties are specific class parameters that allow administrators to grant access to
replication behaviors between the modules IPAM, DHCP, DNS, Device Manager and VLAN
Manager.
NETWORK
SUBNET
New York
10.6.0.0/24
POOL
Manhattan
10.6.0.1-10.6.0.50
Figure 49.1. Replication from the DHCP to the DNS via the IPAM
752
Managing Advanced Properties
Keep in mind that once configured at high level, the value of advanced properties is inherited by
all the objects at lower level, unless you configure them otherwise. Which is why, you can configure
on a space properties that apply to IP addresses and you can configure on a server properties
that apply to leases or records.
All the advanced properties are represented in the appendix Advanced Properties.
You can edit the advanced properties inheritance and propagation of several objects at a time.
For more details, refer to the section Setting Advanced Properties.
Prerequisites
• Defining the Internal module setup to select the modules IPAM, DNS and DHCP. It is accessible
from the page Main dashboard and Admin Home. For more details, refer to the section Defining
the Internal Module Setup.
• Configuring or being granted access to the proper rights:
• Users of the group admin can select the properties to display in the addition/edition wizard
and configure them all, whether they are displayed by default or not.
• Users of other groups can select the properties to display in the addition/edition wizard if
they are granted the right Edit: the wizard Advanced properties customization, however they
can only configure the properties that are displayed by Default.
That panel displays all the advanced properties configured on the object. If any property is inher-
ited, it is followed, between brackets, by the level it was inherited from.
753
Managing Advanced Properties
2. Open the panel Advanced properties, using . The panel displays the advanced properties
configuration of the object.
The IPAM can be the reference point of all addressing decisions involving DHCP and DNS. Indeed,
if the IPAM can update the DHCP and the DNS, and vice versa ; the DHCP can only update the
DNS if the information is first sent to the IPAM. To have an overview of all the advanced properties
that can originate from the IPAM, refer to the images in the appendix Advanced Properties.
From the IPAM you can also impact Device Manager and VLAN Manager. Indeed, you can add
devices or link them using their ports and interfaces, or allow two subnet-type networks to com-
municate through a specific VLAN.
Within the IPAM, you can configure dedicated properties. To set up the transition from IPv4 to
IPv6, refer to the section Configuring the Transition from IPv4 to IPv6.
Each property can be inherited at lower levels to automate the replication from the IPAM.
IPAM DHCP
DHCP cluster: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com
NETWORK
BLOCK
USA
10.6.0.0/15
NEW NEW
NETWORK SCOPE
SUBNET
Figure 49.3. IPAM to DHCP replication at network level inherited from the space
You must first select the advanced properties to display and then configure them.
754
Managing Advanced Properties
4. Select the interaction properties you want to display or enable in the addition/edition wizard.
By default, all the properties are ticked.You must untick the ones you do not want to configure.
a. To configure the properties within the IPAM, you can tick the box:
• Display the IPv4 to IPv6 transition fields. For more details, refer to the section Config-
uring the Transition from IPv4 to IPv6.
b. To configure the IPAM to DHCP properties, you can tick the boxes:
• Select the DHCP failover cluster where the configuration will be applied.
• Display the box "Create DHCP static".
c. To configure the IPAM to DNS properties, you can tick the boxes:
• Display the selection field "DNS server".
• Display the selection field "DNS view".
• Display the selection fields "Domains list".
• Display the selection field "Default domain".
• Create a DNS reverse zone for every terminal network created. The zone is added
in the specified DNS server for reverse zone and DNS view for reverse zone. This
field is not displayed in the addition/edition wizard.
• Display the selection field "DNS sever for reverse zone".
• Display the selection field "DNS view for reverse zone".
• Display the box "Update DNS". If you do not tick this box, it is impossible to save any
DNS configuration in the addition/edition wizard.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
755
Managing Advanced Properties
In IPv6, the DHCP cluster set at space level is not inherited, you
must set it at network level.
Create DHCP static Unticked Tick this box to reserve a DHCP static for every assigned IP address.
If you ticked the box, the field Use IPAM name instead of DHCP
client name appears. The static addition is only possible if you se-
lected a DHCP cluster.
Use IPAM name instead of Unticked Tick this box to name the static added in the DHCP like the IPv4
DHCP client name address you assign in the IPAM. This static is automatically con-
figured with IP address Shortname used as value of the option host-
name. If you selected a Default domain, the static is also configured
with your Default domain used as value of the option domain-name.
If you do not tick it, the IP address you assign does not have a name
and it is named after the next DHCP client that connects to the
network.
756
Managing Advanced Properties
You can configure properties for block-type networks and/or subnet-type networks.
Adding networks in the IPAM can automatically add zones in the DNS.
IPAM DNS
Update DNS: yes DNS
SPACE SERVER
America ns1.mycorp.com
Create a DNS reverse zone for every
terminal network created: yes
NETWORK VIEW
BLOCK DNS server for reverse zone:
USA ns1.mycorp.com intranet
10.6.0.0/15 DNS view for reverse zone: intranet
NEW NEW
NETWORK REVERSE
SUBNET ZONE
In the same way, adding a terminal network can automatically add a scope in the DHCP cluster
of your choice. As the properties are inherited, the Gateway address of the terminal network
configures the option routers of that scope.
757
Managing Advanced Properties
IPAM DHCP
DHCP cluster: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com
NETWORK
BLOCK
USA
10.6.0.0/15
NETWORK Gateway offset: -1
SUBNET
New York
10.6.0.0/24
SCOPE
New York
NEW IP 10.6.0.0/24
ADDRESS NEW DHCP OPTION
Name: Gateway routers: 10.6.0.254
Address: 10.6.0.254
DHCP advanced properties
DHCP cluster: failover-dhcp1.mycorp.com
IPAM advanced properties
Gateway offset: -1
You can also link terminal or non-terminal subnet-type networks to a common VLAN to make
them communicate. From that point on, no matter what network they belong to or IP addresses
they manage, they can send and receive each other's packets.
NETWORK
BLOCK
USA
12.3.0.0/16
NEW
NETWORK Display the field "Create a VLAN": yes NEW VLAN
SUBNET
ID: 1
New York Name: domestic
12.3.0.0/24 Associated with New York
NEW
NETWORK Display the VLAN association fields: yes EDITED
SUBNET VLAN
ID: 1
Los Angeles Name: domestic
12.3.15.0/24
Advanced properties The VLAN domestic is now
VLAN domain: sales associated with New York
VLAN ID: 1 and Los Angeles
Note that editing an existing non-terminal subnet-type network that contains terminal networks
to link it to a VLAN does not link the networks it contains to the VLAN.
You must first select the advanced properties to display and then configure them.
758
Managing Advanced Properties
2. In the sidebar, go to IPAM > Networks. The page All networks opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced prop-
erties customization opens.
Ancienne taille de la page
4. Select the interaction properties you want to display or enable in the addition/edition wizard.
a. To configure the properties within the IPAM, you can fill in the field and/or tick the
boxes:
• Gateway offset. A way to automatically calculate and add a gateway when adding
terminal networks. By default, the offset value is set to -1, the penultimate address of
the network is used as gateway. You can specify a positive value to calculate the
gateway from the start address of the network, or a negative value to calculate it from
the end address of the network. You cannot specify 0 in the field, to disable the
gateway calculation and add terminal networks without gateway, you need to leave
the field empty.
• Display the field "Gateway". If you disabled the Gateway addition, the field Gateway
is not displayed in the addition/edition wizard even if this box is ticked.
• Display the IPv4 to IPv6 transition fields. For more details, refer to the section Config-
uring the Transition from IPv4 to IPv6.
• Ask the number of pools to create. This property allows to add the Number of pools
of the Size and Type of your choice, during the addition of terminal networks. It can
only be configured if pool classes are enabled.
b. To configure the IPAM to DHCP properties, you can tick the boxes:
• Select the DHCP failover cluster where the configuration will be applied.
• Ask if this network must be configured as a DHCP shared network. The box is only
displayed if the box Select the DHCP failover cluster where the configuration will be
applied is ticked.
• Display the box "Create DHCP static".
c. To configure the IPAM to DNS properties, you can tick the boxes:
• Display the selection field "DNS server".
• Display the selection field "DNS view".
• Display the selection field "Default domain".
• Display the selection fields "Domains list".
• Create a DNS reverse zone for every terminal network created. The zone is added
in the specified DNS server for reverse zone and DNS view for reverse zone. This
field is not displayed in the addition/edition wizard.
• Display the selection field "DNS sever for reverse zone".
• Display the selection field "DNS view for reverse zone".
• Display the box "Update DNS".
d. To configure the IPAM / VLAN Manager interaction properties, you can tick the boxes:
• Display the VLAN association fields. The association is only possible for subnet-type
networks and existing VLANs via the fields VLAN domain, VLAN range and VLAN
ID.
• Display the field "Create a VLAN". Adding or editing subnet-type network can add
VLANs, in the VLAN domain and VLAN range of your choice. You can set their VLAN
Name and VLAN ID. The box is only displayed if the box Display the VLAN association
fields is ticked.
759
Managing Advanced Properties
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
All the properties detailed in the procedure below are based on a configuration that was not in-
herited. Most fields are already filled with the value set on the container of the resource. For more
details, refer to the chapter Inheritance and Propagation.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The existing networks are not impacted, to configure them like their container refer to the section
Setting Advanced Properties. You cannot use this option on VLAN Manager properties.
760
Managing Advanced Properties
In IPv4, the new scope is automatically set with the option routers,
its value is the network gateway address. If an existing scope already
manages the same addresses as the terminal network, the option
routers is set or updated.
Create DHCP static Unticked Tick this box to reserve a DHCP static for every assigned IP address.
If you ticked the box, the field Use IPAM name instead of DHCP
client name appears. The static addition is only possible if you se-
lected a DHCP cluster.
Use IPAM name instead of Unticked Tick this box to name the static added in the DHCP like the IPv4
DHCP client name address you assign in the IPAM. This static is automatically con-
figured with IP address Shortname used as value of the option host-
name. If you selected a Default domain, the static is also configured
with your Default domain used as value of the option domain-name.
If you do not tick it, the IP address you assign does not have a name
and it is named after the next DHCP client that connects to the
network.
Only for subnet-type networks
Use Address and Prefix as Ticked Tick this box to use the Address and Prefix of the IPv4 network you
shared network are adding as a shared network. This action adds a new scope in
the DHCP servers of the selected cluster. This box is only visible
when the DHCP cluster is Set and a value is specified.
761
Managing Advanced Properties
Create a VLAN Unticked Tick this box to add a VLAN in the specified VLAN domain and
VLAN range, if relevant. The field VLAN name appears. Note that
this property is not available in Template Mode, for more details
refer to the chapter Managing IPAM Templates.
VLAN name None Name the VLAN. This field is only available if the box Create a VLAN
is ticked.
VLAN ID None The ID of the VLAN associated with the subnet-type network.
762
Managing Advanced Properties
Adding pools in the IPAM can automatically add ranges in the DHCP.
IPAM DHCP
DHCP cluster: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com
NETWORK
BLOCK
USA
10.6.0.0/15 SCOPE
You must first select the advanced properties to display and then configure them.
4. To configure the IPAM to DHCP properties, you can tick the boxes:
• Display the field "Create a DHCP range".
• Display the field "Create DHCP static". This field is only available in IPv4.
By default, all the properties are ticked.You must untick the ones you do not want to configure.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
763
Managing Advanced Properties
All the properties detailed in the procedure below are based on a configuration that was not in-
herited. Most fields are already filled with the value set on the container of the resource. For more
details, refer to the chapter Inheritance and Propagation.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The existing pools are not impacted, to configure them like their container refer to the section
Setting Advanced Properties.
If you do not tick it, the IP address you assign does not have a name
and it is named after the next DHCP client that connects to the
network.
Enabling the advanced properties allows to automatically add a DHCP static when you add an
IP address.
764
Managing Advanced Properties
IPAM DHCP
DHCP cluster: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com
NETWORK
BLOCK
USA
10.6.0.0/15 SCOPE
NEW IP NEW
ADDRESS Create DHCP static STATIC
You can automatically add a DNS record when you add an IP address.
IPAM DNS
DNS server: ns1.mycorp.com DNS
SPACE SERVER
Update DNS: yes
America ns1.mycorp.com
You can associate IP addresses with existing interfaces as illustrated below. Note that this link
can also be set without the advanced properties, for more details refer to the chapter Managing
IP Addresses.
765
Managing Advanced Properties
NETWORK
BLOCK
USA
12.3.0.0/16
NETWORK
SUBNET
Texas
12.3.1.0/24
You can also associate an IP address with a port even if it is already associated with an interface,
this changes the device topology.
NETWORK
BLOCK
USA
12.3.0.0/16
NETWORK
SUBNET
Texas
12.3.1.0/24
Finally, you can add a device and an interface when adding or editing an IP address.
766
Managing Advanced Properties
NETWORK
BLOCK
USA
12.3.0.0/16
NETWORK
SUBNET
Texas
12.3.1.0/24
You must first select the advanced properties to display and then configure them.
4. Select the interaction properties you want to display or enable in the addition/edition wizard.
a. To configure the properties within the IPAM, you can tick the boxes:
• IPv4 addresses transition to IPv6 policy. This field is a drop-down list. For more details,
refer to the procedure Configuring the Transition at IP address Level.
• Enable the automatic construction of the IP address hostname: shortname.domain.
b. To configure the IPAM to DHCP properties, you can tick the boxes:
• Display the box "Create DHCP static".
c. To configure the IPAM to DNS properties, you can tick the boxes:
• Make the Domain selection mandatory for the hostname construction of the IP address
and its aliases. The box is only displayed if the box Enable the automatic construction
is ticked.
• Display the selection field "DNS server".
• Display the selection field "DNS view".
• Display the selection fields "Domains list".
• Display the box "Update DNS".
d. To configure the IPAM / Device Manager interaction properties, you can tick the
boxes:
767
Managing Advanced Properties
• Enable to create devices from the IPAM. It displays the fields Create a device, Device
name and Interface name in the addition/edition wizard.
• Enable to link IP address with existing devices. It displays the fields Device name and
Interface name.
• Enable to edit the devices topology from the IPAM. It displays the fields Link with
device, and Link with port in the addition/edition wizard.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
All the properties detailed in the procedure below are based on a configuration that was not in-
herited. Most fields are already filled with the value set on the container of the resource. For more
details, refer to the chapter Inheritance and Propagation.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The existing addresses are not impacted, to configure them like their container refer to the section
Setting Advanced Properties. You cannot use this option on Device Manager properties.
768
Managing Advanced Properties
If you do not tick it, the IP address you assign does not have a name
and it is named after the next DHCP client that connects to the
network.
769
Managing Advanced Properties
On the page All addresses, the columns Device manager name and Device manager interface
allow to display the interactions. For more details regarding columns display, refer to the section
Customizing the List Layout.
On the page Ports & Interfaces, any changes made from the IPAM change the content of the
column Manually linked to. For more details, refer to the section Tracking Changes on the Page
All ports & interfaces.
IPv4 IPv6
SPACE
America
Figure 49.13. Transition from IPv4 to IPv6 of a terminal network and an IP address
Transition Specificities
The transition options are configured at space or network level and inherited at lower levels where
you can apply them.
• For block-type networks, if the transition options are configured:
770
Managing Advanced Properties
• The transition to IPv6 can be set when adding or editing IPv4 networks.
• The transition can only be set with existing IPv6 block-type networks.
• For subnet-type networks, if the transition options are configured:
• The transition to IPv6 requires the address of an existing block-type network, you either
specify it or inherit it from a configured parent network.
• The transition to IPv6 automatically adds the appropriate IPv6 subnet-type network within
the specified block-type network when you add or edit an IPv4 subnet-type network.
• The IPv6 subnet-type network added is named after its IPv4 counterpart.
• For IP addresses, if the transition options are configured:
• The transition is only possible if it was set at network level.
• You can choose the IPv6 address addition behavior.
• Adding or editing an IPv4 address adds the corresponding IPv6. The IPv6 address is named
after the IPv4 address, has the same MAC address, device and class parameters.
If you edit an IPv4 subnet-type network already configured with a VLAN to set the transition to
IPv6, the IPv6 corresponding network inherits the IPAM/VLAN interaction properties, both networks
then belong to the VLAN.
Limitations
• The transition can only be set within one space: you cannot add IPv4 subnet-type networks in
one space and expect to link them with IPv6 subnet-type networks in another space.
• If you set the transition parameters on an existing organization, they are not inherited and have
to be set one object at a time. For more details, refer to the section Setting Advanced Properties.
• For block-type networks, the transition can only be configured and activated with existing IPv6
block-type networks. The transition options do not add block-type networks in IPv6 but only
link IPv4 blocks with existing IPv6 blocks.
• The advanced properties set in IPv4 are not inherited by the corresponding IPv6 objects.
• At pool level, the transition options are not available.
• If you add an object in IPv4 and their IPv6 counterpart overlaps existing objects, only the IPv4
object is added.
• Deleting an IPv4 object linked to an IPv6 object does not delete the corresponding IPv6 object.
We recommend configuring the transition options at space level to propagate them down to the
IP addresses.
You must first select the advanced properties to display and then configure them.
4. Tick the box Display the IPv4 to IPv6 transition fields. It displays the fields Activate the IPv4
to IPv6 transition and IPv6 network (block) in the addition/edition wizard.
771
Managing Advanced Properties
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The options you set at this level are inherited by the IPv4 blocks you add in your space. The
property can be inherited at lower levels.
Once the options are configured, the IPv4 networks it contains inherit them. You can untick the
box Activate the IPv4 to IPv6 transition if you do not want to set a transition for the objects at
lower levels.
Now that you have a space set with transition options, the block-type network and subnet-type
networks it contains inherit the properties.
You must first select the advanced properties to display and then configure them.
772
Managing Advanced Properties
5. Tick the box Display the IPv4 to IPv6 transition fields. It displays the fields Activate the IPv4
to IPv6 transition, IPv6 network (block) and IPv6 network (subnet) in the addition/edition
wizard.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
8. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Once the option is configured, the IPv4 networks you add within the block-type network inherit
it.You can untick the box Activate the IPv4 to IPv6 transition if you do not want to set a transition
for some of the objects at lower levels.
Once you have added the block-type network, you can add a subnet-type network.
773
Managing Advanced Properties
5. On the last page of the wizard, In the section IPAM properties, the box Activate the IPv4 to
IPv6 transition is ticked.
6. The field IPv6 network (block) displays the value set at space level. If you want to edit it,
you must Set the Inheritance property to be able to edit the value in the field. The bytes
entered must correspond to an existing IPv6 block-type network and look as follows 8765:4321
without consecutive semi-colons.
7. The field IPv6 network (subnet) displays the start address and prefix of the IPv6 subnet-type
network added for the IPv4 network you are adding.
8. In the drop-down list Advanced properties, Default is selected.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
9. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The existing networks are not impacted, to configure them like their container refer to the section
Setting Advanced Properties.
Once the options are configured, the IPv4 terminal networks and addresses you add within your
subnet-type network inherit them. You can untick the box Activate the IPv4 to IPv6 transition if
you do not want to set a transition for some of the objects at lower levels.
At IP address level, all the configurations set at higher levels are inherited. Therefore, within a
terminal network configured with the transition options, the IP address addition wizard automat-
ically displays the transition dedicated field.
You must first select the transition policy and then configure it.
5. In the drop-down list IPv4 addresses transition to IPv6 policy, select the IP address addition
policy to implement in the networks configured with the transition:
• Offset allows to take into account the position of the address you are assigning within the
IPv4 terminal network and reuse it when assigning the corresponding IPv6 address. The
100th address of the IPv4 subnet-type network adds the 100th address of the related IPv6
subnet-type network.
774
Managing Advanced Properties
• Injection allows to convert in hexadecimal the IPv4 address you are assigning and use
the whole address in its hexadecimal from as the last two bytes of the corresponding IPv6
address.
• First IP address available allows to assign the first available IP address in the IPv6 ter-
minal network when you assign an address in the IPv4 terminal network.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
8. Click on NEXT . The last page opens.
9. Click on OK to complete the operation. The report opens and closes. The page is visible
again. In IPv6, the address is added as well, it has the same name and MAC address.
The existing addresses are not impacted, to configure them like their container refer to the section
Setting Advanced Properties.
775
Managing Advanced Properties
For instance, you could add an IP address every time you allocate a DHCP lease.
DHCP IPAM
DHCP Push leases to IPAM: yes SPACE
SERVER
dhcp1.mycorp.com America
NETWORK
BLOCK
SCOPE Use client name USA
(FQDN): yes 10.6.0.0/15
New York
10.6.0.0/24 NETWORK
SUBNET
New York
RANGE 10.6.0.0/24
10.6.0.1 POOL
-10.6.0.50
Manhattan
10.6.0.1-10.6.0.50
NEW NEW IP
LEASE ADDRESS
On EfficientIP DHCP servers, the static reservations cannot update the DNS until the client
connects to the network and is allocated a lease. For more details, refer to the image The
replication of DHCP statics in the DNS for EfficientIP DHCP servers.
• You can protect the name of your DHCP objects.
As updating the DNS database relies on names, you can protect DHCP names. If you add an
IP address in a network configured with IPAM to DNS properties but without IPAM to DHCP
properties, the new IP address and its name are sent to the DNS. From that point on, the record
is used as reference. Therefore, even if any lease matches said name, that name is not sent
to the IPAM and does not update the DNS. The name you configured directly in the IPAM is,
and remains, only referenced in the IPAM.
You must first select the advanced properties to display and then configure them.
776
Managing Advanced Properties
4. Select the interaction properties you want to display or enable in the addition/edition wizard.
a. To configure the DHCP to IPAM properties, you can tick the boxes:
• Display the box "Push leases to IPAM".
• Display the drop-down list "Lease name".
• Display the box "Use client name (FQDN)".
b. To configure the DHCP to DNS interaction, you can tick the box:
• Display the box "Update DNS".
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
All the properties detailed in the procedure below are based on a configuration that was not in-
herited. Most fields are already filled with the value set on the container of the resource. For more
details, refer to the chapter Inheritance and Propagation.
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
6. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The existing scopes and ranges are not impacted, to configure them like their container refer to
the section Setting Advanced Properties.
777
Managing Advanced Properties
Table 49.13. DHCP to IPAM properties at server, scope and range level
Field Default value Description
Push leases to IPAM Unticked Tick this box to assign an IP address in the IPAM for each allocated
lease, using the client name and MAC address. If you set a space
for the scope, the IP address is assigned or edited in that space. If
you did not set any space for the scope, the IPAM update applies
to any matching IP address in the smallest terminal network possible.
Once you ticked this box, the fields Lease name, Use client name
(FQDN) and Update DNS appear.
Lease name Only one client In case of hostname conflict between the DHCP and the IPAM, you
can update the must decide which name you want to send to the IPAM. Keep in
IPAM mind that, if the IPAM to DNS properties are set, your decision also
affects the DNS as only the information of the IPAM updates the
DNS, with what you chose to send from the DHCP.
Only the first client updates / If multiple clients with the same name obtain a lease, only the first
the IPAM client sends their name to the IPAM. The following clients with the
same name, only send their IP and MAC addresses to the IPAM.
If the IPAM to DNS properties are set, only the first client updates
the DNS.
Only one client can update / This option is designed for mobile clients. If multiple clients with the
the IPAM same name and different MAC addresses obtain a lease, the first
client sends their name to the IPAM, the next client only sends their
IP and MAC addresses. That way, if the IPAM to DNS properties
are set, only one client updates the DNS, the first who obtained the
lease. Note that if a client with a known name and known MAC ad-
dress obtains a lease, their name, MAC address and IP address
are sent to the IPAM, and therefore may update the DNS.
Clients always update the / The most permissive mode, every DHCP client sends their lease
IPAM information to the IPAM, no matter their name, IP or MAC address.
The information of each lease is sent to the IPAM even if it already
contains entries of the same name. If the IPAM to DNS properties
are set, the latest lease information sent to the IPAM updates the
DNS, any existing record with same name, previously added from
a lease, is deleted.
Use client name (FQDN) Unticked Tick this box to push the lease client name in the IPAM, instead of
the lease name. If you tick the box Update DNS as well, the zone
matching the FQDN of the client name is updated.
Table 49.14. DHCP to DNS properties at server, scope and range level
Field Default value Description
Update DNS Unticked Tick this box to update the DNS records database with the lease
information. DHCP data can only update the DNS if it is sent to the
IPAM first. For this reason, the DNS server(s) configured for the
IPAM to DNS replication are the ones updated by the changes in
the DHCP.
778
Managing Advanced Properties
Adding a record in the DNS can automatically add an IP address in the IPAM.
DNS IPAM
DNS Update IPAM: yes
SERVER SPACE
ns1.mycorp.com America
NETWORK
BLOCK
USA
ZONE 10.6.0.0/15
mycorp.com NETWORK
SUBNET
New York
10.6.0.0/24
NEW NEW IP
RECORD ADDRESS
Keep in mind that on servers managed via a smart architecture, the advanced properties must
be configured on the smart architecture itself. The addition/edition wizard of the physical server
and the scopes and ranges it contains do not display the advanced properties fields.
You must first select the advanced properties to display and then configure them.
4. Tick the DNS to IPAM properties you want to display in the addition/edition wizard:
• Display the box "Update IPAM".
• Display the box "Create PTR".
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
In the addition/edition wizard, all the selected properties are now configurable, they are part
of the Default display.
All the properties detailed in the procedure below are based on a configuration that was not in-
herited. Most fields are already filled with the value set on the container of the resource. For more
details, refer to the chapter Inheritance and Propagation.
779
Managing Advanced Properties
Next to each advanced property, click on to define its Inheritance property and/or
Propagation property. For more details, refer to the chapter Inheritance and Propagation.
If some fields are not visible, users with sufficient rights can select All. The remaining fields
appear, they are not in the default order. For non-administrative users, the new fields are
grayed out as only users of the group admin can configure or edit properties that are not
displayed by Default.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
The existing views and zones are not impacted, to configure them like their container refer to the
section Setting Advanced Properties.
You cannot use this option on VLAN and Device Manager advanced properties.
780
Managing Advanced Properties
Note that, in the wizard, the drop-down lists Inheritance property and Propagation property are
only displayed if they are relevant to the object you selected.
781
Part IX. Application
The module Application allows to maintain an application inventory, tailor application traffic on your network
and optimize user experience.
Every application you add is registered with a Fully Qualified Domain Name (FQDN) and configured with a
set of pools and nodes that define its infrastructure. The application infrastructure allows to define a traffic
policy.
Each traffic policy can be enforced on your network thanks to an existing DNS infrastructure. After enabling
Global Server Load Balancing (GSLB) on compatible SOLIDserver appliances, you can associate application
traffic policies with one or more GSLB servers and deploy the traffic policy on your network.
The way you configure your traffic policies can therefore maximize application availability and optimize the
way users access your applications.
Once an application is deployed, your application traffic policy takes over the DNS resolution if and only if
the query matches the FQDN of the application. If it does, the query is routed to the appropriate pool, the
load balancing configuration of that pool determines which node is the most suited to answer the query and
the node IP address is sent out to the querying client if its last health check was successful. Even if an ex-
isting record could have answered the query it does not, whether the server cached it or has authority over
it, the standard DNS answer is ignored.
When traffic policy deployments are complete, the GSLB server only handles queries if they match a registered
FQDN and if at least one application node is operational. In any other case, the DNS server answers the
queries.
192.168.2.1
192.168.2.2
192.168.2.2
192.168.2.3
Figure 221. How a deployed application takes over the DNS resolution
Before managing the Application objects you must configure the module as detailed in the chapter
Configuring Application.
Table of Contents
50. Configuring Application ............................................................................................ 784
Prerequisites ........................................................................................................ 784
Limitations ............................................................................................................ 784
Configuring and Enabling the Service GSLB Server ................................................ 785
51. Managing Applications ............................................................................................. 787
Browsing Applications ........................................................................................... 787
Adding and Deploying Applications ......................................................................... 788
Adding and Deploying Applications and Traffic Policies ............................................ 789
Editing Applications ............................................................................................... 792
Deleting Applications ............................................................................................. 792
52. Managing Pools ....................................................................................................... 794
Browsing Pools ..................................................................................................... 794
Adding Pools ........................................................................................................ 795
Editing Pools ......................................................................................................... 797
Deleting Pools ....................................................................................................... 797
53. Managing Nodes ..................................................................................................... 798
Browsing Nodes .................................................................................................... 798
Adding Nodes ....................................................................................................... 800
Editing Nodes ....................................................................................................... 803
Managing or Unmanaging Nodes ........................................................................... 804
Deleting Nodes ..................................................................................................... 804
783
Chapter 50. Configuring Application
To configure the module Application and use it to the fullest you must:
• Meet the prerequisites.
• Take into account the limitations.
• Configure and enable the service GSLB Server.
Prerequisites
• A SOLIDserver appliance in version 7.1 or higher.
• An appliance with at least 8 GB of RAM:
• Either one of our hardware appliance models, except SOLIDserver-260 and SOLIDserver-
3300.
• Or a virtual appliances must be configured with an intel network card (em*, ig*, igb*, ix*, ixg*,
ixv* or ixl*) or a VMware VMXNET network card (vmx*).
• The license DNS GSLB:
• Without it you cannot associate applications with GSLB servers, and therefore you cannot
deploy traffic policies on your network.
• It must be activated on every SOLIDserver appliance meant to load balance application
traffic.
• An appliance properly configured:
• The communication between a GSLB enabled SOLIDserver and its clients has to be over
UDP and/or TCP.
• Both DNS and GSLB dedicated services must be running to ensure service continuity. Make
sure that either the services GSLB Server and DNS server (named) or the services GSLB
Server and DNS server (unbound) are both enabled and started.
• Any FQDN registered for an application must be resolvable to be properly deployed. Either
the GSLB server manages an A or AAAA record matching the FQDN or it can cache the
initial FQDN answer.
• Make sure traffic policies can actually take over the resolution. You must adapt the TTL of
the resource records matching the FQDNs you register for any application. The new TTL
must take into account your traffic policy details, the pool session duration you may configure
and the configuration of your nodes health check.
• The appropriate rights and resources configured for end users.
• To be able to see the module Application and its content, users must belong to a group
granted the right Display: applications list, allowed by default.
• To be able to manage all objects, users must belong to a group granted access to all the
module Application rights.
• To be able to configure an application with a GSLB server, users must belong to a group
that is granted the right Display: DNS servers list and has the server among its resources.
Limitations
• One DNS server cannot be used for DNSSEC and GSLB.
If you associate an application with a GSLB server used as DNSSEC resolver and/or that has
signed zones, its resolution and/or answers are no longer DNSSEC compliant.
• DNS round-robin is not supported by the Application nodes.
784
Configuring Application
If a node does not answer, the server associated with the application answers the query.
However, any round-robin configuration in the DNS is ignored, only one record is used to answer
the query, the rest of the records configured are ignored.
• When you deploy an application on a GSLB server from the GUI, a comparison between the
GSLB objects in the GUI and the ones already on the GSLB server is done. The objects that
are on the GSLB server and also in the GUI are kept. The objects that are only present on the
GSLB server are deleted and the objects only in the GUI are added on the GSLB server.
When restoring a backup, whether you created, edited or deleted objects since the backup
was saved, all changes are lost and may not even be visible in the GUI. Before restoring a
backup, make sure you saved it when the Application database was up-to-date.
• You can only configure and apply classes at application level. For more details regarding
classes, refer to the chapter Configuring Classes.
• The module Dashboards does not include a page dedicated to the module Application.
The DNS must be running as well. Make sure the services GSLB server and DNS server
(named / nsd / unbound) are both enabled and started.
Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.
To configure the listening interfaces of GSLB server and enable the service
To remove an interface from the list Selected interfaces, select it and click on . The
interface is moved back to the list Available interfaces.
f. Click on OK to complete the operation. The report opens and closes.
2. Enable the service GSLB server
a. In the column Name, look for GSLB server or DNS Guardian / GSLB server.
785
Configuring Application
b. In the column Enabled, click on the link Disabled to enable the service. The wizard
opens.
c. Click on OK to complete the operation. The wizard closes. The page is visible again.
3. Apply your configuration
a. Right now your configuration is pending. In the menu, select Tools > Apply config-
uration to save your changes. The wizard Commit the system configuration changes
opens.
b. Click on OK to complete the operation. The page refreshes.
If the service is marked ! Warning, it might mean that the system has not enough
memory installed, that a configuration file is corrupt or that the license is not valid.
Once the service is enabled, on the page All servers all compatible DNS servers are marked
Enabled in the column Guardian/GSLB.
To stop or disable the service GSLB server, refer to the section Handling Services in the chapter
Configuring the Services.
786
Chapter 51. Managing Applications
From the page All applications you can manage applications and set up entire traffic policies.
Each application must be configured with a Fully Qualified Domain Name (FQDN) that can be
resolved.
To deploy an application or traffic policy on your network you must associate it with one or more
GSLB enabled servers able to resolve the application FQDN:
• On recursive servers, the initial query of the FQDN is cached in order to answer all the following
queries.
• On authoritative server, the FQDN must be declared as A or AAAA record in one of its zones.
Once an application is deployed on at least one GSLB server, when a client queries a domain:
1. The application handles the query if it is configured with the relevant FQDN.
2. It directs the query to the relevant pool and node.
You can either create an application and then create the pools and nodes it contains, or you can
create the application and its traffic policy from the page All applications. For more details, refer
to the section Adding and Deploying Applications and Traffic Policies.
Browsing Applications
The application is the highest level of the Application hierarchy.
NODE
APPLICATION POOL
NODE
If there are deployed applications, they are preceded by the icon and listed under the
parent application name as many times as there are GSLB servers associated with the ap-
plication.
787
Managing Applications
2. At the end of the line of the application of your choice, deployed or not, click on . The ap-
plication properties page opens.
! Warning The Operational status of at least one of the nodes of the application is Inactive.
Down The Operational status of all the nodes of the application is Inactive.
Delayed delete The content of the application is being deleted from the physical servers it is deployed on.
GSLB Invalid cre- The SSL credentials of the GSLB server associated with the application are invalid or this
dentials server is already managed by another appliance and you need to specify your credentials
again. For more details, refer to the section Editing DNS Servers.
GSLB Stopped The service GSLB server is not running.
788
Managing Applications
Several applications can share the same name if they manage different FQDNs. In the same
way, several applications can manage the same FQDN if they have different names.
• The FQDN of an application must be resolvable.
• To deploy an application and its content on your network, you must associate it with at least
one GSLB server.
• A GSLB server can only be associated once with one FQDN.
Once associated with an application, a GSLB server cannot be associated with another applic-
ation managing the same FQDN.
• Any FQDN registered for an application must be resolvable to be properly deployed. Either the
GSLB server manages an A or AAAA record matching the FQDN or it can cache the initial
FQDN answer.
To add an application
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. In the menu, select Add > Application. The wizard Add an application opens.
3. If you or your administrator created application classes, in the list Application class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Name, type in the name of the application.
5. In the field FQDN, type in the Fully Qualified Domain Name of the application.
6. In the list Available GSLB servers, you can select a server and click on . The server is
moved to the list Selected GSLB servers.
Only GSLB enabled physical servers are listed, whether they are managed by a smart archi-
tecture or not.
To remove a server from the Selected GSLB servers, select it and click on . The server is
moved back to the list Available GSLB servers.
7. Repeat the operation for as many as servers as needed.
8. Click on OK to complete the operation. The report opens and closes. The application is listed.
If you associated the application with one or more GSLB servers, click on on the right-
end side of the menu. Several lines appear under the application itself, there is a line for
each of the server(s) the application is deployed on.
Once added, you can edit the GSLB server association of an application. For more details, refer
to the section Editing Applications.
789
Managing Applications
Before adding an application and its traffic policy keep in mind that:
• An application must have a unique name and FQDN.
Several applications can share the same name if they manage different FQDNs. In the same
way, several applications can manage the same FQDN if they have different names.
• To deploy an application and its traffic policy on your network, you must associate it with at
least one GSLB server.
• Any FQDN registered for an application must be resolvable to be properly deployed. Either the
GSLB server manages an A or AAAA record matching the FQDN or it can cache the initial
FQDN answer.
• A GSLB server can only be associated once with one FQDN.
Once associated with an application, a GSLB server cannot be associated with another applic-
ation managing the same FQDN.
• After adding an application and traffic policies, the application, pool and node(s) it contains are
managed individually. To edit any, you must refer to the edition section of each object.
To add an application
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. In the menu, select Add > Application and traffic policy. The wizard opens.
3. If you or your administrator created application classes, in the list Application class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Name, type in the name of the application.
5. In the field FQDN, type in the Fully Qualified Domain Name of the application.
6. In the list Available GSLB servers, you can select a server and click on . The server is
moved to the list Selected GSLB servers.
Only GSLB enabled physical servers are listed, whether they are managed by a smart archi-
tecture or not.
To remove a server from the Selected GSLB servers, select it and click on . The server is
moved back to the list Available GSLB servers.
7. Repeat the operation for as many as servers as needed.
8. Click on NEXT . The page Add a pool opens.
9. Configure the pool:
Field Description
Name The name of the pool. This field is required.
Protocol The version of the IP protocol of pool and its nodes: IPv4 or IPv6. This field is required.
Load balancing The mode of the pool: Round-robin, Latency or Weighted. This field is required.
mode
Round-robin The traffic is evenly directed to all active nodes. This mode is selected by default.
Latency The traffic is directed to the active nodes with the best latency. If you select this mode,
the field Max. preferred nodes appears.
790
Managing Applications
Field Description
Max. preferred nodes: The number of active nodes with the best latency that must
answer queries.
Weighted The traffic is directed to the active nodes depending on their weight.
Enable session affin- Tick the box if you want to set a period of time during which all traffic is directed to the
ity nodes. If you tick the box, the field Session duration appears.
Session duration Specify the period of your choice, in seconds. By default, it is set to 300. This field is
required.
Field Description
Name The name of the node. Each node name must be unique.
IP address Type in the IPv4 or IPv6 address of the node, depending on the selected Pool
protocol. Each node IP address must be unique.
Mode The mode of the node, either Active or Backup. If the pool is configured with the
load balancing mode Latency, the field is in read-only and the node is Active by
default.
Health Check type Select None, HTTP(S), Ok, Ping or TCP. None is selected by default.
None There is no health check configured for the node, whether the node is answering
queries or not, its Status is always OK.
HTTP(S) The health check of the node is performed via HTTPS.
Ok The health check of the node always marks the node Operational status as OK.
Ping The health check of the node is performed using ping commands.
TCP The health check of the node is performed via TCP.
b. Click on ADD . The node is moved to the Node list and listed as follows: <node-name>
- <IP-address> - <health-check-type> (<mode>).
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
If you associated the application with one or more GSLB servers, click on on the right-
end side of the menu. Several lines appear under the application itself, there is a line for
each of the server(s) the application is deployed on.
If you associated the application with a GSLB server and configured it with a resolvable FQDN,
the application and the traffic policies are deployed right away.
Once added, you cannot edit a traffic policy. However you can individually edit the application,
pool and node(s) that compose it. For more details, refer to the sections Editing Applications,
Editing Pools and Editing Nodes.
791
Managing Applications
Editing Applications
At any time you can edit applications, whether they were created via the addition menu Application
or Application and traffic policy.
To edit an application
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. Filter the list if need be.
3. At the end of the line of the application of your choice, deployed or not, click on . The ap-
plication properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit an application opens.
5. If you or your administrator created application classes, in the list Application class select
a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. The Name and FQDN are displayed in a read-only gray field. You cannot edit them.
7. Edit the list Selected GSLB servers according to your needs. Only GSLB enabled physical
servers are listed, whether they are managed by a smart architecture or not.
Select a server in the list Available GSLB servers and click on to add it the list Selected
GSLB servers. Select a server in the list Selected GSLB servers and click on to remove
it move it back to the list Available GSLB servers.
8. Repeat the operation for as many as servers as needed.
9. Click on OK to complete the operation. The report opens and closes. The application prop-
erties are updated.
Deleting Applications
At any time you can delete an application. Note that:
• Deleting an application also deletes the pools and nodes it contains.
• You cannot delete a deployed application.
You must either delete the application itself or dissociate the relevant GSLB server from the
application, the dedicated deployment line is no longer listed. For more details, refer to the
section Editing Applications.
792
Managing Applications
To delete an application
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. Filter the list if need be.
3. Tick the application(s) you want to delete.
4. In the menu, click on . The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The application is no
longer listed, the deployed application lines are deleted as well.
793
Chapter 52. Managing Pools
From the page All pools you can manage IPv4 and IPv6 pools. Pools belong to applications and
manage nodes.
If the application they belong to is associated with a GSLB enabled server, the pools are deployed
on your network.
When an application is deployed on at least one GSLB server, when a client queries a domain:
1. The application handles the query if it is configured with the relevant FQDN.
2. It directs the query to the appropriate pool.
3. The pool load balancing configuration determines towards which node the query is directed.
Browsing Pools
The pool is the second level of the Application hierarchy.
NODE
APPLICATION POOL
NODE
The same node name can be listed multiple times. In the column Application name, each
application is listed once, preceded by and, if it is deployed, its name is preceded by
and is listed as many times as their are GSLB servers associated with it.
4. To display the pools of a specific application, in the column Application Name, click on the
name of the application of your choice. The page refreshes.
794
Managing Pools
Down The Operational status of all the nodes of the pool is Inactive.
Adding Pools
From the page All pools you can add IPv4 and IPv6 pools in your applications, they allow to
manage nodes.
The page may list pools created from the page All applications via the menu Application and
traffic policy. For more details, refer to the section Adding and Deploying Applications and Traffic
Policies.
795
Managing Pools
To add a pool
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. In the menu, select Add. The wizard Add a pool opens.
3. If you or your administrator created application classes, in the list Application class select
one class, All or No class.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the list Application name, select the application of your choice. If some application classes
are enabled, only the applications matching the selected Application class are displayed.
Mode Description
Round-robin The traffic is evenly directed to all active nodes. Within the pool, all active nodes weight
1 and backup nodes weight 0. This mode is selected by default.
Latency The traffic is directed to the active nodes with the best latency. If you select this mode,
the field Max. preferred nodes appears.
Max. preferred nodes: Specify the maximum number of nodes with the lowest latency
that must answer the queries made to the application FQDN. Only the active nodes
of the pool answer the queries. By default, it is set to 1.
Weighed The redirection of traffic depends on the weight you set for the active nodes, the nodes
set with the greater weight answer first. All backup nodes weight 0 .
8. You can tick the box Enable session affinity to set a period of time during which the pool
sends out the same answer to a given client, no matter how many times they query the same
information. If you tick the box, the field Session duration appears.
9. In the field Session duration, specify the duration of the session affinity, in seconds. By de-
fault, it is set to 300.
10. Click on OK to complete the operation. The report opens and closes. The pool is listed.
If the application it belongs to is associated with one or more GSLB servers, click on on
the right-end side of the menu. Several lines appear under the pool itself, there is a line for
each of the server(s) the application is deployed on.
796
Managing Pools
Editing Pools
At any time you can edit pools, whether they were created from the page All pools or the page
All applications via the menu Application and traffic policy.
To edit a pool
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. Filter the list if need be.
3. At the end of the line of the pool of your choice, whether it belongs to a deployed application
or not, click on . The pool properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a pool opens.
5. If you or your administrator created application classes, in the list Application class select
one class, All or No class.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Edit the pool Name, Load balancing mode and/or Enable session affinity configuration ac-
cording to your needs.
7. Click on OK to complete the operation. The report opens and closes. The pool properties
are updated.
Deleting Pools
At any time you can delete a pool. Note that:
• Deleting a pool also deletes the nodes it contains.
• You cannot delete a deployed pool. In the column Application name, a deployed pool belongs
to a deployed application.
You must either delete the pool itself or dissociate the relevant GSLB server from the parent
application. Once the GSLB server is dissociated from the application, the dedicated pool de-
ployment line is no longer listed. For more details, refer to the section Editing Applications.
To delete a pool
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. Filter the list if need be.
3. Tick the pool(s) you want to delete.
4. In the menu, click on . The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The pool is no longer
listed, the deployed pool lines are deleted as well.
797
Chapter 53. Managing Nodes
From the page All nodes you can manage IPv4 and IPv6 nodes. As nodes belong to pools they
are configured with either an IPv4 or IPv6 address.
If the application they belong to is associated with a GSLB enabled server, the nodes are deployed
on your network.
A node is the endpoint of a query. Each node must be configured with a unique IP address and
can be configured with a heath check that verifies its status and allows it to answer queries.
When a traffic policy is set and deployed on at least one GSLB server, when a client queries a
domain:
1. The application handles the query if it is configured with the relevant FQDN.
2. It directs the query to the appropriate pool.
3. All the node health checks are executed within the pool. If the health checks succeed and the
node status is cleared, the IP address of one or all the nodes can be sent out to the client.
4. Depending on the pool load balancing mode and configuration, it determines which node is
best suited to answer the query.
You can monitor initial health check failures and node status changes on the page Syslog. For
more details, refer to the section Managing the Logs.
Browsing Nodes
The node is the lowest level of the Application hierarchy.
NODE
APPLICATION POOL
NODE
The same node name can be listed multiple times. In the column Application name, each
application is listed once, preceded by and, if it is deployed, its name is preceded by
and is listed as many times as their are GSLB servers associated with it.
798
Managing Nodes
4. To display the nodes of a specific application, in the column Application Name, click on the
name of the application of your choice. The page refreshes.
5. To display the nodes of a specific pool, in the column Pool Name, click on the name of the
pool of your choice. The page refreshes.
Note that for IPv6 addresses, you can compress or uncompress the display via the button or
display IPv6 labels above parts of the addresses listed via the button . For more details, refer
to the chapter Managing IPv6 Labels.
Extra columns, dedicated to health checks are available. They display the Expert mode configur-
ation details or N/A.
799
Managing Nodes
Column Description
HC Failover threshold The number of times, between 1 and 10, the health check should return the same result
before setting the node Operational status to Inactive.
HC Frequency The number of seconds between health checks, either 10, 30, 60 or 500. The total number
of health checks performed depend on the HC Failback threshold and HC Failover
threshold.
HC Timeout The health check timeout, between 1 and 10 seconds. Beyond this period, the health check
times out if the node is not responding.
Active The health check configured for the node determined that the node is up.
Unknown The operating status of the node at first, it changes after the initial health check.
N/A The operating status is not applicable. The column only displays values for deployed
nodes.
Adding Nodes
From the page All nodes you can add nodes to IPv4 and IPv6 pools.
The page may list nodes created from the page All applications via the menu Application and
traffic policy. For more details, refer to the section Adding and Deploying Applications and Traffic
Policies.
800
Managing Nodes
Note that you can display labels on IPV6 nodes, for more details refer to the chapter Managing
IPv6 Labels.
To add a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. In the menu, select Add. The wizard Add a node opens.
3. If you or your administrator created application classes, in the list Application class select
one class, All or No class.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the list Application name, select the application of your choice, each application is followed
by its FQDN. If application classes are enabled, only the application(s) matching the selected
Application class are displayed.
This field is not displayed if you selected a pool with the load balancing mode Latency, as
all nodes are active by default.
9. In the field Weight, specify the value of your choice. It must be an integer between 0 and
255. Within the pool, the active nodes with the greater weight are queried first.
This field is only displayed for Active nodes belonging to a pool set with the load balancing
mode Weighted. All Backup nodes have a weight of 0.
10. In the drop-down list Health Check type, select one of the following types.The page refreshes.
For all types, except None, one or more fields appear.
801
Managing Nodes
If the application it belongs to is associated with one or more GSLB servers, click on on
the right-end side of the menu. Several lines appear under the node itself, there is a line for
each of the server(s) the application is deployed on.
802
Managing Nodes
Field Description
to retrieved as follows: <http-or-https>://<http-host>:<http-port>/<URL-to-retrieve>.
If you leave the field empty, / is used to complete the URL.
Use HTTPS Select Yes or No. Either the protocol HTTP or HTTPS precedes the full URL of the
health check. If this field is set to Yes, the field Check HTTPS certificate is displayed.
By default, it is set to Yes. This field is required.
Check HTTPS certificate Select Yes or No. If set to Yes, it verifies the validity of the SSL certificate of the
specified HTTP host, if it is not valid the health check fails. By default, it is set to No.
This field is only displayed if Use HTTPS is set to Yes. This field is required.
Expected HTTP status You can specify one or more HTTP status codes to match in answer, if any other
code is returned the health check fails. The field accepts an integer composed of up
to 3 digits between 1 and 999, or a range of codes using x, e.g. 3xx matches any
code between 300 and 399. If you leave the field empty, the HTTP code returned is
ignored during the health check.
Response string to match You can specify a string to match in the body of the answer. If the string specified is
not matched at least partially in the body of the answer, the health check fails. If you
leave the field empty, the body of the answer is ignored during the health check.
HTTP authentication cre- You can specify the authentication credentials used to perform the health check fol-
dentials lowing the format <login>:<password> .
Extra field for the Health Check type TCP
Expert mode You can tick this box to configure the TCP health check details. The field TCP port
appears.
TCP port Specify the port to use during the health check. It must be an integer greater than
0. If you do not specify any port, the port 80 is used.
Editing Nodes
At any time you can edit nodes, whether they were created from the page All nodes or the page
All applications via the menu Application and traffic policy.
To edit a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. Filter the list if need be.
3. At the end of the line of the node of your choice, whether it belongs to a deployed application
or not, click on . The node properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a node opens.
5. If you or your administrator created application classes, in the list Application class select
one class, All or No class.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
803
Managing Nodes
6. Edit the node Name, Mode, Health Check type and/or Expert mode configuration according
to your needs. For more details regarding the types and expert configuration, refer to the
table above.
7. Click on OK to complete the operation. The report opens and closes. The pool properties
are updated.
By default, all nodes are managed when you create them. Unmanaging a node allows to make
sure that queries are never redirected toward the node you chose.
Keep in mind that you cannot unmanage a deployed node. In the column Application name, a
deployed node belongs to a deployed application.
To manage/unmanage a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. Filter the list if need be.
3. Tick the node(s) of your choice.
4. In the menu, select Edit > Manage > Yes or No. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. In the column Status,
the selected nodes are marked OK or Unmanaged.
Deleting Nodes
At any time you can delete a node. Note that:
• Instead of deleting a node, you may need to unmanage it. For more details, refer to the section
Managing or Unmanaging Nodes.
• You cannot delete a deployed node. In the column Application name, a deployed node belongs
to a deployed application.
You must either delete the node itself, delete the pool it belongs to, or dissociate the relevant
GSLB server from the parent application. Once the GSLB server is dissociated from the applic-
ation, the dedicated node deployment line is no longer listed. For more details, refer to the
section Editing Applications.
To delete a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. Filter the list if need be.
3. Tick the node(s) you want to delete.
4. In the menu, click on . The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The node is no longer
listed, the deployed node lines are deleted as well.
804
Part X. Guardian
Guardian offers adaptive security to DNS cache and recursive services by detecting threats and activating
adapted counter measures to ensure DNS services continuity and attack mitigation.
Guardian operates in a secured framework, with the cache separated from the recursive DNS engines. It
performs a continuous real-time analysis of the inbound and outbound traffic and therefore offers complete
DNS Transactions Inspection (DTI).
This analysis is especially reliable if a large number of queries is cached. By default, Guardian caches all
the answers to clients' queries. The answers not cached yet, are sent to the DNS resolver and transmitted
to Guardian, that caches them and sends them back to the client. That way, Guardian has an ever-growing
number of queries to refine its analysis of the network and avoid potential threats.
Internet
Guardian is managed from the graphical user interface and via command-line interface:
1. From the GUI, you can enable and disable the service, configure its listening interface(s), set Guardian
parameters, manually flush clients and cache, manage and configure policies and triggers and monitor
dedicated charts and analytics.
2. Via CLI, you can connect to Guardian using SSH to display its configuration, monitor its cache and client
statistics.
This part details the steps to configure Guardian and manage the functionalities it offers:
• Configuring Guardian: comply with the prerequisites and take the limitations into account before configuring
the service.
• Managing Guardian Configuration: set Guardian parameters to meet your needs.
• Managing Guardian Cache: once Guardian is configured, manage its cache.
• Managing Guardian Statistics: monitor Guardian server and client statistics.
• Managing Guardian Protection: manage the actions to be triggered to protect Guardian server.
Table of Contents
54. Configuring Guardian ............................................................................................... 807
Prerequisites ........................................................................................................ 807
Limitations ............................................................................................................ 807
service DNS Guardian ........................................................................................... 808
55. Managing Guardian Configuration ............................................................................. 810
Browsing Guardian Configuration ........................................................................... 810
Editing Guardian Configuration .............................................................................. 814
Configuring Guardian on Recursive and Authoritative Server ................................... 814
Capturing Guardian Traffic ..................................................................................... 815
56. Managing Guardian Cache ....................................................................................... 816
Displaying Guardian Cache Content ....................................................................... 816
Resetting Guardian Cache ..................................................................................... 818
Saving Guardian Cache ......................................................................................... 819
Restoring Guardian Cache .................................................................................... 819
Forcing Cache Entries as Expired .......................................................................... 820
Clearing Guardian Cache Manually ........................................................................ 820
Clearing Guardian Cache Automatically .................................................................. 821
Sharing the Cache between Several Guardian servers ............................................ 823
57. Managing Guardian Statistics ................................................................................... 826
Managing Guardian Server Statistics ...................................................................... 826
Managing Guardian Client Statistics ....................................................................... 835
Monitoring Guardian from the GUI .......................................................................... 841
58. Managing Guardian Protection ................................................................................. 853
Enabling Guardian Protection ................................................................................ 853
Managing Guardian Rescue Mode ......................................................................... 854
Managing Guardian Lists ....................................................................................... 857
Managing Guardian Views ..................................................................................... 862
Managing Guardian Policies .................................................................................. 869
Managing Guardian Triggers .................................................................................. 872
Disabling Guardian Protection ................................................................................ 885
806
Chapter 54. Configuring Guardian
To configure the module Guardian and use it to its fullest, you must:
• Meet the prerequisites.
• Take into account the limitations.
• Configure and enabling the service DNS Guardian.
Prerequisites
• A SOLIDserver appliance fully dedicated to DNS resolution in version 7.1 or higher.
• An appliance with at least 8 GB of RAM:
• Either a Blast-series hardware appliance, or any hardware model, except SOLIDserver-260
and SOLIDserver-3300, with a license including the option Guardian.
• Or a virtual appliance with a license including the option Guardian. It must be configured
with an intel network card (em*, ig*, igb*, ix*, ixg*, ixv* or ixl*) or a VMware VMXNET network
card (vmx*).
Note that Guardian is designed to express its full potential when combined with SOLIDserver
Blast series hardware appliances, whose recursive service can manage up to 17 million QPS.
Limitations
• Guardian servers in version lower than 7.1 can only be configured and managed through CLI.
If the server is in a lower version, you will not be able to manage it from the GUI.
• DNS Guardian does not allow managing more than 8 views.
• DNS Guardian does not allow capturing the network traffic answered by the service.
• On servers both recursive and authoritative, DNS Guardian does not answer queries on author-
itative records, the resolver answers. For more details, refer to the section Configuring DNS
Guardian on Authoritative and Recursive Server.
1
As in VMware environments: https://kb.vmware.com/s/article/1010789
807
Configuring Guardian
Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.
To remove an interface from the list Selected interfaces, select it and click on . The
interface is moved back to the list Available interfaces.
f. Click on OK to complete the operation. The report opens and closes.
2. Enable the service DNS Guardian
a. In the column Name, look for DNS Guardian or DNS Guardian / GSLB server.
b. In the column Enabled, click on the link Disabled to enable the service. The wizard
opens.
c. Click on OK to complete the operation. The wizard closes. The page is visible again.
3. Apply your configuration
a. Right now your configuration is pending. In the menu, select Tools > Apply config-
uration to save your changes. The wizard Commit the system configuration changes
opens.
b. Click on OK to complete the operation. The page refreshes.
If the service is marked ! Warning, it might mean that the system has not enough
memory installed, that a configuration file is corrupt or that the license is not valid.
Once the service is enabled, on the page All servers, your local EfficientIP DNS server is
marked Enabled in the column Guardian/GSLB.
808
Configuring Guardian
When the configuration is set, all the cached queries are saved in the file /data1/dns-
blast_cache.dump which is used to answer clients queries. This file matches the server configur-
ation and contains:
• Each cached query.
• All the ACLs configured on the server; they are listed as a set of IP addresses/network addresses
that are granted or denied access.
• For BIND servers, the views match-clients and match-destinations configurations are saved
as well.
You can fully disable DNS Guardian from the GUI like any other service. Keep in mind that when
you disable the service:
• DNS Guardian cache is saved automatically, as disabling a service also stops it.
• Enabling the service again will starts it as well, which will restore the latest version of the cache.
• In the GUI:
• The Guardian statistics panels on the properties page are no longer displayed.
• The analytics Guardian are no longer available on the page Analytics, instead the DNSTOP
data is available.
Note that if you stop the service, but do not disable it, all the analytics and statistics dedicated
panels and list are still available but the information is outdated and therefore no longer reliable.
You can disable the Guardian protection to keep filling the cache without arming any trigger or
switching to Rescue mode. For more details, refer to the section Enabling Guardian Protection.
To stop or disable the service DNS Guardian, refer to the section Enabling or Disabling a Service
in the chapter Configuring the services.
809
Chapter 55. Managing Guardian
Configuration
Once you configured the service as detailed in the chapter Configuring Guardian, you can manage
its configuration.
From the GUI, you can edit, display and save Guardian configuration. By default, the Rescue
mode is enabled and configured. To set your own values, refer to the section Configuring
Guardian Rescue Mode in the chapter Managing Guardian Protection.
In the panel Options, the section Advanced options contains the parameters with values
different from the default values. The status of the parameter is displayed.
For more details, refer to the sections Understanding Guardian Parameters and Understanding
Guardian parameter Statuses.
810
Managing Guardian Configuration
811
Managing Guardian Configuration
812
Managing Guardian Configuration
813
Managing Guardian Configuration
Note that you can define Guardian parameters on a smart architecture so that the servers in the
smart inherit them. At server level, you can override the inherited values.
If you set a parameter via CLI, after a couple of minutes, it appears in the GUI.
Note that if you change the filter in the drop-down list Display option(s), and if you have
changed the value of a parameter that is not displayed anymore, it is not saved.
7. Click on OK . The report works for a while and closes.
In the panel Options, the parameters with a value different from the default one are displayed.
In order to always give an accurate answer, the authoritative queries are always sent to the re-
solver even if an answer to this query was cached previously. Therefore, an authoritative query
always results in a cache miss, which has an impact on the analytics, the statistics and the triggers
detection.
To lower this impact on the triggers detection you can create a list containing the domain names
for which the server is authoritative and update the trigger for the cache_miss. For more details,
refer to the sections Adding Triggers Relying on Lists Metrics and Editing Triggers.
Note that you have a smart architecture that manages other authoritative servers and a Guardian
server, it is recommended to configure the Guardian server to be used on recursive an authorit-
ative server.
814
Managing Guardian Configuration
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is dis-
played.
6. In the field Recursive, select both (2).
7. Click on OK to complete the operation. The wizard closes.
When the capture is done, you can disable the parameter pcap. Note that you can also enable
and disable this parameter from the GUI, for more details refer to the section Editing Guardian
Configuration.
You can complete the command and specify the UDP port number of your choice.
5. You can disable the parameter pcap via the following command:
set pcap=0
815
Chapter 56. Managing Guardian Cache
Once you configured the service as detailed in the chapter Configuring Guardian, you can manage
its cache:
• Via SSH, you can connect to Guardian to display the cache content, reset it, save it, restore
it, clear it and share it with other Guardian servers - incrementally or as a whole.
• From the GUI, you can clear Guardian cache.
The cache data is then used at the server and client levels to generate statistics that you can
manage via CLI and visualize from the GUI. For more details, refer to the chapter Managing
Guardian Statistics.
RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 62362 | ( 81.61%)
SERVFAIL | 1481 | ( 1.94%)
NXDOMAIN | 12576 | ( 16.46%)
RR TYPE:
Type | Total | Percent
A | 67047 | ( 87.74%)
NS | 34 | ( 0.04%)
CNAME | 10 | ( 0.01%)
SOA | 76 | ( 0.10%)
PTR | 1815 | ( 2.38%)
MX | 26 | ( 0.03%)
TXT | 555 | ( 0.73%)
AAAA | 6739 | ( 8.82%)
SRV | 80 | ( 0.10%)
NAPTR | 3 | ( 0.00%)
DS | 2 | ( 0.00%)
SSHFP | 12 | ( 0.02%)
DNSKEY | 3 | ( 0.00%)
ANY | 16 | ( 0.02%)
ORIGIN:
Origin | Total | Percent
816
Managing Guardian Cache
L | 76419 | (100.00%)
817
Managing Guardian Cache
6. To sort the entries by the type of data returned, described in the table Guardian cache stat-
istics, type in the following command. By default, the command displays 50 entries, in partic-
ular, the 50 most queried domains.
show cache order=<data-type>
7. To display specific cache entries, use the following command with one or several of the filters
from the table below. You can combine the order and limit parameters with one or several
filters in one command.
show cache <filter>
818
Managing Guardian Cache
4. To completely reset the current version of Guardian cache, use the following command:
reset cache
5. To reset only a part of Guardian cache, use the filters detailed in the table Available filters
for Guardian cache statistics and the following command:
reset cache <filter>
Keep in mind that every time you stop or restart DNS Guardian, the cache is automatically saved
or restored.
The cache is saved in the file /data1/dnsblast_cache.dump . Note that you cannot browse the
content of this file, it can only be used for restoration purposes.
The file /data1/dnsblast_cache.dump contains the latest version of the cache and is automatically
used when you restore the Guardian server cache.
819
Managing Guardian Cache
4. To restore the last saved version of Guardian cache, use the following command:
load cache
5. To set only a part of Guardian cache as expired, use the filters detailed in the table Available
filters for Guardian cache statistics and the following command:
expire cache <filter>
You can execute it with a regex filter, like in the example below.
DNS Blast> clear cache (mit.edu|ietf)
32 entries flushed
done
820
Managing Guardian Cache
Note that you can also set parameters to automatically clear the cache to keep Guardian perform-
ances at best. For more details, refer to the section Clearing Guardian Cache Automatically.
4. To clear the cache records content, entirely or partly, use the following command:
clear cache
5. To clear only a part of the cache records content, use the filters detailed in the table Available
filters for Guardian cache statistics and the following command:
clear cache <filter>
The wizard allows to specify a regex filter and only clear specific entries.
Keep in mind that to use special characters like the dot "." as a literal in a regex, it must be
escaped with a backslach "\".
6. Click on OK to complete the operation. The wizard closes.
Three parameters allow to define a maximum number of entries in the cache, the threshold to
be reached to start the automatic clearing of the cache and the maximum number of remaining
entries after the clearing. When the maximum percentage of entries is reached, the clearing
commands are automatically executed in ascending order until the number of remaining queries
equals or is lower than the minimum percentage of entries. You can configure up to 10 clearing
commands matching the filters of your choice.
821
Managing Guardian Cache
• Max cache entries sets the maximum of entries that you want to store in the cache. Its default
value depends on the memory of each appliance:
• Max clean cache percent sets the percentage of Max cache entries that is to be reached to
launch the execution of the clearing commands Clean cache<0-9>.cmd.
• Min clean cache percent sets the percentage of Max cache entries to keep in the cache after
executing the clearing commands Clean cache<0-9>.cmd.
Once Max clean cache percent is reached, the cleaning command Clean cache0.cmd is ex-
ecuted. If the cache still contains more entries than the value set with Min clean cache percent,
the command Clean cache1.cmd is executed. All the commands Clean cache<0-9>.cmd are
executed in order until the percentage of entries remaining in the cache is equal or lower than
the value set with Min clean cache percent.
• Clean cache<0-9>.cmd parameters set 10 different clearing commands that respect the
clearing filters of your choice.
Note that you can also clear some or all the cache entries manually. For more details, refer to
the section Clearing Guardian Cache Manually.
822
Managing Guardian Cache
To set the cache sharing between Guardian servers, on each of them you must:
• Specify a common multicast IP address.
• Specify a common multicast port.
• Specify a common sharing key.
• Enable the sharing service.
• Set the TTL of the IP packets sent. By default, it is set to 1.
4. Set the multicast IP address for the sharing using the following command:
set shared_cache_mcast_addr=<multicast-IP-address>
5. Set the multicast port used for the cache sharing using the following command:
set shared_cache_mcast_port=<multicast-port>
823
Managing Guardian Cache
shared_cache_mcast_ttl=<TTL>
9. Repeat the steps 3 to 7 using the exact same IP address, port and key on all the Guardian
servers that should send and receive the new entries in their cache.
The entries on the local Guardian are marked origin: L while they are marked origin: S on the
receiving one. For more details, refer to the section Displaying Guardian Cache Content.
824
Managing Guardian Cache
sudo -s
4. Make sure that cache sharing is configured and enabled. For more details, refer to the section
Sharing the Cache of Several Guardian servers.
5. To send the entire content of your cache, use the following command:
share cache <target-DNS-Guardian-server-IP-address>
6. If you do not want to incrementally update the cache of both servers with the new records,
you need to disable the cache sharing parameters once the target Guardian has received
the cache entries.
The entries are marked origin: L on the local DNS Guardian and origin: S on the receiving one.
825
Chapter 57. Managing Guardian
Statistics
Once you configured the service as detailed in the chapter Configuring Guardian, you can fully
manage Guardian statistics via CLI and monitor some data from the GUI.
Via CLI
DNS Guardian statistics gather all the metrics related to the client-server interactions and
can be fully managed:
• You can display, monitor or reset all server statistics, as detailed in the section Managing
Guardian Server Statistics.
• You can display, reset and clear client statistics, as detailed in the section Managing
Guardian Client Statistics.
From the GUI
Guardian cache, client and request data help you monitor suspicious traffic:
• You can monitor cache statistics in dedicated charts. For more details, refer to the section
Monitoring Guardian from the GUI.
• You can monitor client and request data from the page Analytics. For more details, refer
to the section Monitoring Guardian from the GUI.
Note that you can also monitor Guardian data yourself via SNMP. For more details, refer to the
section Monitoring Using SNMP in the chapter Monitoring.
Server statistics can be reset at any time. For more details, refer to the section Resetting
Guardian server Statistics.
826
Managing Guardian Statistics
827
Managing Guardian Statistics
Metrics Description
Cache missed in quarantine mode Number of that cannot be answered by the cache to clients in
quarantine mode.
Cache missed but exists (expired) in quarant- Number of queries that cannot be answered by the cache to clients
ine mode in quarantine mode because the cache entry expired.
Cache missed, never queried in quarantine Number of queries that cannot be answered by the cache to clients
mode in quarantine mode because the entry queried does not exist.
Cache missed in quarantine_redirect mode Number of queries that cannot be answered by the cache and are
redirected to the IP address configured in the quarantine_redirect
mode.
Cache hit in rescue mode Number of queries answered by the cache in rescue mode.
Cache missed in rescue mode Number of queries that cannot be answered by the cache in rescue
mode.
Cache missed but exists (expired) in rescue Number of queries that cannot be answered by the cache in rescue
mode mode because the records expired.
Cache missed, never queried in rescue mode Number of queries that cannot be answered by the cache in rescue
mode because the entry queried does not exist.
Blocked queries Number of queries that are blocked, once the action Block has been
configured and triggered for specific clients.
Ratelimited queries Number of queries that dropped because source clients reached
the configured query limit rate of 100 queries per second.
Cache size Total number of entries in the cache.
Client size Total number of clients (unique IP addresses) for which statistics
are maintained. For more details, refer to the section Managing
Guardian Client Statistics.
Sent DNS answers Number of answers sent out by Guardian.
Sent DNS answers (bytes) Total size of the packets sent out by Guardian.
Received DNS queries Number of queries received by Guardian.
Received DNS queries (bytes) Total size of the packets received by Guardian.
Queries sent to the local recursive server Number of queries not already cached by Guardian that were sent
to the local DNS recursive server.
Queries sent to the local recursive server Total size of the packets not already cached by Guardian that were
(bytes) sent to the local DNS recursive server.
Answers sent by the local recursive server Number of queries not already cached by Guardian that were
answered by the local DNS recursive server.
Answers sent by the local recursive server Total size of the packets not already cached by Guardian that were
(bytes) answered by the local DNS recursive server.
Sent DNS answers in quarantine mode Number of answers sent out to clients in quarantine mode.
Sent DNS answers in quarantine mode Total size of the packets sent out to clients in quarantine mode.
(bytes)
Sent DNS answers in quarantine_redirect Number of answers redirected to the IP address configured in the
mode quarantine_redirect mode.
Sent DNS answers in quarantine_redirect Total size of the packets redirected to the IP address configured in
mode (bytes) the quarantine_redirect mode.
Sent DNS answers in rescue mode Number of queries received by Guardian once it switched to rescue
mode.
Sent DNS answers in rescue mode (bytes) Total size of the packets received by Guardian once it switched to
rescue mode.
Received Invalid DNS queries Number of invalid queries received by Guardian.
Received Invalid DNS queries (bytes) Total size of the invalid queries packets received by Guardian.
828
Managing Guardian Statistics
Metrics Description
Received SERVFAIL from local recursive Number of SERVFAIL error messages received by Guardian from
server (rcode changed) the local recursive server that previously returned a different rcode
for the same query. To stop taking into account these results, refer
to the section Ignoring the SERVFAIL Error Message Differences.
RPZ matched queries Number of queries that matched an RPZ entry.
Discarded outgoing DNS packets Number of DNS packets received and discarded by Guardian.
Discarded outgoing DNS packets from local Number of DNS packets sent to the local DNS recursive server and
recursive server transmitted to the client.
Discarded incoming packets Number of incoming packets that were discarded.
Discarded DNS queries (sent to local recurs- Number of packets sent to the local DNS recursive server that were
ive server) discarded.
Recursive queries with latency < 10ms Number of recursive queries which answering time is lower than 10
milliseconds.
Recursive queries with latency >= 10ms and Number of recursive queries which answering time is equal to 10
< 100ms or lower than 100 milliseconds.
Recursive queries with latency >= 100ms Number of recursive queries which answering time is equal to 100
and < 500ms or lower than 500 milliseconds.
Recursive queries with latency >= 500ms Number of recursive queries which answering time is equal to 500
and < 800ms or lower than 800 milliseconds.
Recursive queries with latency >= 800ms Number of recursive queries which answering time is equal to 800
and < 1600ms or lower than 1600 milliseconds.
Recursive queries with latency >= 1600ms Number of recursive queries which answering time is equal to or
higher than 1600 milliseconds.
Sent NOERROR rcode Number of NOERROR error messages sent by Guardian.
Sent FORMERR rcode Number of FORMERR error messages sent by Guardian.
Sent SERVFAIL rcode Number of SERVFAIL error messages sent by Guardian.
Sent NXDOMAIN rcode Number of NXDOMAIN error messages sent by Guardian.
Sent NOTIMP rcode Number of NOTIMP error messages sent by Guardian.
Sent REFUSED rcode Number of REFUSED error messages sent by Guardian.
Sent YXDOMAIN rcode Number of YXDOMAIN error messages sent by Guardian.
Sent YXRRSET rcode Number of YXRRSET error messages sent by Guardian.
Sent NXRRSET rcode Number of NXRRSET error messages sent by Guardian.
Sent NOTAUTH rcode Number of NOTAUTH error messages sent by Guardian.
Sent NOTZONE rcode Number of NOTZONE error messages sent by Guardian.
Received NOERROR rcode from local recurs- Number of NOERROR error messages received by Guardian from
ive server the local recursive server.
Received FORMERR rcode from local recurs- Number of FORMERR error messages received by Guardian from
ive server the local recursive server.
Received SERVFAIL rcode from local recurs- Number of SERVFAIL error messages received by Guardian from
ive server the local recursive server.
Received NXDOMAIN rcode from local re- Number of NXDOMAIN error messages received by Guardian from
cursive server the local recursive server.
Received NOTIMP rcode from local recursive Number of NOTIMP error messages received by Guardian from the
server local recursive server.
Received REFUSED rcode from local recurs- Number of REFUSED error messages received by Guardian from
ive server the local recursive server.
Received YXDOMAIN rcode from local re- Number of YXDOMAIN error messages received by Guardian from
cursive server the local recursive server.
829
Managing Guardian Statistics
Metrics Description
Received YXRRSET rcode from local recurs- Number of YXRRSET error messages received by Guardian from
ive server the local recursive server.
Received NXRRSET rcode from local recurs- Number of NXRRSET error messages received by Guardian from
ive server the local recursive server.
Received NOTAUTH rcode from local recurs- Number of NOTAUTH error messages received by Guardian from
ive server the local recursive server.
Received NOTZONE rcode from local recurs- Number of NOTZONE error messages received by Guardian from
ive server the local recursive server.
Note that:
• Some of the server statistics are used to generate charts available in the GUI, for more details
refer to the section Monitoring Guardian Statistics.
• You can filter the server statistics by view.
• You can also monitor the server or view statistics to display more information, refreshed every
second. For more details, refer to the section Monitoring Guardian Server Statistics in Real-
Time.
5. To display Guardian server statistics of a specific view, use the following command:
show stats view=#
where # is an integer between 0 and 7 that corresponds to the order set for the local recursive
server views.
830
Managing Guardian Statistics
2 ( 0 ) Cache missed
2 ( 0 ) Cache missed but exists (expired)
0 ( 0 ) Cache missed, never queried
0 ( 0 ) Cache hit in quarantine mode
0 ( 0 ) Cache missed in quarantine mode
0 ( 0 ) Cache missed but exists (expired) in quarantine mode
0 ( 0 ) Cache missed, never queried in quarantine mode
0 ( 0 ) Cache missed in quarantine_redirect mode
0 ( 0 ) Cache hit in rescue mode
0 ( 0 ) Cache missed in rescue mode
0 ( 0 ) Cache missed but exists (expired) in rescue mode
0 ( 0 ) Cache missed, never queried in rescue mode
0 ( 0 ) Blocked queries
0 ( 0 ) Ratelimited queries
1003 ( 0 ) Cache size
0 ( 0 ) Client size
0 ( 0 ) Client added
0 ( 0 ) Client deleted
0 ( 0 ) Server size
15690M ( 17080k ) Sent DNS answers
1403GB ( 1564MB ) Sent DNS answers (bytes)
15690M ( 17080k ) Received DNS queries
1169GB ( 1303MB ) Received DNS queries (bytes)
2 ( 0 ) Queries sent to the local recursive server
166B ( 0B ) Queries sent to the local recursive server (bytes)
2 ( 0 ) Answers sent by the local recursive server
284B ( 0B ) Answers sent by the local recursive server (bytes)
0 ( 0 ) Sent DNS answers in quarantine mode
0B ( 0B ) Sent DNS answers in quarantine mode (bytes)
0 ( 0 ) Sent DNS answers in quarantine_redirect mode
0B ( 0B ) Sent DNS answers in quarantine_redirect mode (bytes)
0 ( 0 ) Sent DNS answers in rescue mode
0B ( 0B ) Sent DNS answers in rescue mode (bytes)
0 ( 0 ) Received Invalid DNS queries
0B ( 0B ) Received Invalid DNS queries (bytes)
0 ( 0 ) Received SERVFAIL from local recursive server (rcode changed)
0 ( 0 ) List matched queries
0 ( 0 ) Discarded outgoing DNS packets
0 ( 0 ) Discarded outgoing DNS packets (received by local recursive server)
0 ( 0 ) Discarded incoming packets
0 ( 0 ) Discarded DNS queries (sent to local recursive server)
2 ( 0 ) Recursive queries with latency < 10ms
0 ( 0 ) Recursive queries with latency >= 10ms and < 100ms
0 ( 0 ) Recursive queries with latency >= 100ms and < 500ms
0 ( 0 ) Recursive queries with latency >= 500ms and < 800ms
0 ( 0 ) Recursive queries with latency >= 800ms and < 1600ms
0 ( 0 ) Recursive queries with latency >= 1600ms
15690M ( 17080k ) Sent NOERROR rcode
0 ( 0 ) Sent FORMERR rcode
0 ( 0 ) Sent SERVFAIL rcode
4 ( 0 ) Sent NXDOMAIN rcode
0 ( 0 ) Sent NOTIMP rcode
0 ( 0 ) Sent REFUSED rcode
0 ( 0 ) Sent YXDOMAIN rcode
0 ( 0 ) Sent YXRRSET rcode
0 ( 0 ) Sent NXRRSET rcode
0 ( 0 ) Sent NOTAUTH rcode
0 ( 0 ) Sent NOTZONE rcode
15 ( 0 ) Received NOERROR rcode from local recursive server
0 ( 0 ) Received FORMERR rcode from local recursive server
4 ( 0 ) Received SERVFAIL rcode from local recursive server
3 ( 0 ) Received NXDOMAIN rcode from local recursive server
0 ( 0 ) Received NOTIMP rcode from local recursive server
0 ( 0 ) Received REFUSED rcode from local recursive server
0 ( 0 ) Received YXDOMAIN rcode from local recursive server
0 ( 0 ) Received YXRRSET rcode from local recursive server
0 ( 0 ) Received NXRRSET rcode from local recursive server
0 ( 0 ) Received NOTAUTH rcode from local recursive server
0 ( 0 ) Received NOTZONE rcode from local recursive server
The result of the command starts with statistics on the current measurement rates, as described
in the table below:
831
Managing Guardian Statistics
All the others statistics are described in the table Guardian Server statistics.
5. To focus the monitoring on specific statistics, described in the table Guardian Server statistics,
use the following command:
monitor <filter>
The available filters are described below, you can combine them when you execute the
command.
832
Managing Guardian Statistics
4. To monitor all the triggers statistics at once, use the following command:
monitor show-trigger
833
Managing Guardian Statistics
4. To monitor the cache sharing statistics of the server, use the following command:
monitor show-cache-sharing
834
Managing Guardian Statistics
This information is listed on the line Received SERVFAIL from local recursive server (rcode
changed) when you execute the command show stats. For more details, refer to the section
Displaying Guardian Server Statistics.
Note that Guardian provides you with two Guardian tops dedicated to queries and clients returning
SERVFAIL error message: Top clients receiving SERVFAIL rcodes and Top queries returning
SERVFAIL rcodes. For more details, refer to the section Monitoring Guardian Analytics.
In addition, you can configure Guardian switch to Rescue Mode based on the number of SERVFAIL
error messages received by local recursive servers. For more details, refer to the section Config-
uring Guardian Rescue Mode.
If on the Guardian server properties page, in the panel Options, the parameter Client stats is
listed, it means that it is not set with the default value and you need to enable it.
835
Managing Guardian Statistics
RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 569609 | ( 63.87%)
SERVFAIL | 6673 | ( 0.75%)
NXDOMAIN | 308101 | ( 34.55%)
RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 2 | (100.00%)
836
Managing Guardian Statistics
Note that some of the client data is used to generate analytics available in the GUI. For more
details, refer to the section Displaying Guardian Analytics Tops.
837
Managing Guardian Statistics
/usr/local/nessy2/bin/blastcli
4. Make sure the client data retrieval is enabled. For more details, refer to the section Making
Sure Guardian Client Statistics Are Enabled.
5. To display Guardian client statistics, type in the following command:
show clients
6. By default, the command displays 50 clients, in particular, the ones with the highest number
of queries.
7. To sort the entries by the type of data returned, described in the table Guardian client stat-
istics, type in the following command:
show clients order=<data-type>
8. To display specific client statistics, as described in the table Guardian client statistics, use
the following command with one or several of the filters from the table below:
show clients <filter>
You can use, at the same time, the order and limit parameters with one or several filters.
For more details regarding trigger actions, refer to the section Managing Guardian Triggers.
838
Managing Guardian Statistics
You can select the statistics to be reset using specific search parameters. For more details, refer
to the table Available filters for Guardian client statistics.
You can select the statistics to be cleared using specific search parameters. For more details,
refer to the table Available filters for Guardian client statistics.
839
Managing Guardian Statistics
Three parameters allow to define a maximum number of entries to keep in the client statistics,
when to start the automatic clearing of the client statistics and the maximum number of remaining
entries after the clearing. When the maximum percentage of entries is reached, the clearing
commands are automatically executed in ascending order until the number of remaining queries
equals or is lower than the minimum percentage of entries. You can configure up to 10 clearing
commands matching the filters of your choice.
• Max clean client percent sets the percentage of Max client entries that is to be reached to
launch the execution of the clearing commands Clean client<0-9>.cmd.
• Min clean client percent sets the percentage of Max client entries to keep in the cache after
executing the clearing commands Clean client<0-9>.cmd .
Once Max clean client percent is reached, the cleaning command Clean client0.cmd is executed.
If the cache still contains more entries than the value of Min clean client percent, the command
Clean client1.cmd is executed. All the commands Clean client<0-9>.cmd are executed in order
until the percentage of entries remaining in the cache matches or is lower than the value of
Min clean client percent.
• Clean client<0-9>.cmd parameters set 10 different clearing commands that respect the
clearing filters of your choice.
By default, only the first two clearing commands Clean client0.cmd and Clean client1.cmd are
configured.
840
Managing Guardian Statistics
8. In the field Max clean client percent, specify the percentage of the maximum number of client
entries that will start the automatic clearing of client statistics.
9. In the field, Min clean client percent, specify the percentage of the maximum number of client
entries that you want to keep in the client statistics after the clearing.
10. Click on OK to complete the operation. The wizard closes.
All the information returned in these panels is based on a set of server statistics available in CLI.
For more details, refer to the table Guardian Server statistics in the section Managing Guardian
Server Statistics.
Note that:
• All the panels contain at least one chart. The y-axis of these charts indicates the unit, the axis
scale and unit prefix depend on the period selected and maximum value displayed. Following
the standard ISO 80000-1, all the y-axis units can have no prefix or any SI prefix such as: m
(milli), k (kilo) or M (mega).
• Each panel can be used as gadget and displayed on any dashboard. For more details, refer
to the section Assigning a Chart on a Properties Page as Gadget.
More detailed statistics and options are available via CLI. For more details, refer to the sections
Managing Guardian Server Statistics and Managing Guardian Client Statistics.
A chart displaying Guardian cache size evolution over time, in bytes. For more details, refer
to the chapter Managing Guardian Cache.
841
Managing Guardian Statistics
A chart displaying the ratio, in percent, of Guardian answered and unanswered queries. For
more details, refer to the chapter Managing Guardian Cache.
A chart displaying the number of queries per seconds that Guardian answered to clients im-
pacted by the trigger action Quarantine or Quarantine redirect. For more details, refer to the
section Managing Guardian Triggers.
A chart displaying Guardian cache statistics, in queries per second, for all DNS traffic. The
results include traffic in quarantine and rescue mode. For more details, refer to the chapter
Managing Guardian Cache.
Based on: Cache hit, Cache missed, Cache missed but exists (expired) and Cache missed,
never queried.
Guardian - Quarantine statistics
A chart displaying Guardian cache statistics, in queries per second, for clients impacted by
the trigger action Quarantine or Quarantine redirect. For more details, refer to the section
Managing Guardian Triggers.
Based on: Cache hit in quarantine mode, Cache missed in quarantine mode, Cache missed
but exists (expired) in quarantine mode and Cache missed, never queried in quarantine
mode.
Guardian - Rescue mode statistics
A chart displaying Guardian cache hit statistics, in queries per second, for clients in rescue
mode. For more details regarding the rescue mode, refer to the section Managing DNS
Guardian Rescue Mode.
Based on: Cache hit in rescue mode, Cache missed in rescue mode, Cache missed but exists
(expired) in rescue mode and Cache missed, never queried in rescue mode.
Guardian - Blocked traffic (Queries)
A chart displaying the cumulated number of queries, per second, generated by all the clients
impacted by the trigger action Block. For more details, refer to the section Managing Guard-
ian Triggers.
A chart displaying the number of client IP addresses impacted by the trigger action Quarantine
or Quarantine redirect. For more details, refer to the section Managing Guardian Triggers.
842
Managing Guardian Statistics
A chart displaying the number of queries, per second, sent and received by Guardian. For
more details, refer to the section Sending the Cache Content to Another Guardian server.
A chart displaying the overall traffic, in bytes per second, generated by the queries sent and
received by Guardian. For more details, refer to the section Sending the Cache Content to
Another Guardian server.
Based on: Sent DNS answers (bytes) and Received DNS queries (bytes).
Guardian - Answers in Quarantine/Rescue Mode (Queries)
A chart displaying the number of queries, per second, answered by Guardian for clients im-
pacted by the trigger action Quarantine or Quarantine redirect or clients in rescue mode. For
more details, refer to the sections Managing Guardian Triggers and Managing DNS Guardian
Rescue Mode.
Based on: Sent DNS answers in quarantine mode and Sent DNS answers in rescue mode.
Guardian - Answers in Quarantine/Rescue Mode (Bytes)
A chart displaying the overall traffic generated by the queries answered by Guardian for clients
impacted by the trigger action Quarantine or Quarantine redirect and clients in rescue mode,
in bytes per second. For more details, refer to the sections Managing Guardian Triggers and
Managing DNS Guardian Rescue Mode.
Based on: Sent DNS answers in quarantine mode (bytes) and Sent DNS answers in rescue
mode (bytes).
Guardian - Invalid traffic (Queries)
A chart displaying the total number of invalid queries that were dropped by Guardian. For
more details, refer to the chapter Managing Guardian Cache.
A chart displaying the traffic generated by all the invalid queries that were dropped by
Guardian, in bytes. For more details, refer to the chapter Managing Guardian Cache.
A chart displaying the number of entries sent and received via shared Guardian cache, in
queries per second. For more details, refer to the section Sharing the Cache of Several
Guardian servers.
Based on: DNS entries received via shared cache and DNS entries sent via shared cache.
Guardian - Cache sharing statistics (Bytes)
A chart displaying the traffic generated by all the entries sent and received via shared
Guardian cache, in bytes. For more details, refer to the section Sharing the Cache of Several
Guardian servers.
843
Managing Guardian Statistics
Based on: DNS entries received via shared cache (bytes) and DNS entries sent via shared
cache (bytes)
Guardian - Return codes statistics
A chart displaying the number of return codes sent by Guardian, in queries per second. For
more details, refer to the chapter Managing Guardian Cache.
Based on: Sent NOERROR rcode, Sent FORMERR rcode, Sent SERVFAIL rcode, Sent
NXDOMAIN rcode, Sent NOTIMP rcode, Sent REFUSED rcode, Sent YXDOMAIN rcode,
Sent YXRRSET rcode, Sent NXRRSET rcode, Sent NOTAUTH rcode and Sent NOTZONE
rcode.
Guardian - Triggers
A chart displaying the number of times each of the first 8 available triggers were armed. The
chart is generated using the position of each trigger, therefore even if you edit the trigger
name, action, period and/or threshold, the graph keeps evolving but might not always have
the same meaning, especially if you duplicate a policy as it resets the trigger positions. For
more details, refer to the sections Managing Guardian Policies and Managing Guardian
Triggers.
Based on: Number of time trigger #0 was armed, Number of time trigger #1 was armed,
Number of time trigger #2 was armed, Number of time trigger #3 was armed, Number of time
trigger #4 was armed, Number of time trigger #5 was armed, Number of time trigger #6 was
armed and Number of time trigger #7 was armed.
Guardian - Recursive queries latency
A chart displaying the recursive query latency distribution of Guardian, in queries per second.
The latency is divided into 6 periods and ranges from less than 10 milliseconds to more than
1600 milliseconds. Clients traffic rate can be limited to 10 queries per ms using the trigger
action Ratelimit. For more details, refer to the section Managing Guardian Triggers.
Based on: Recursive queries with latency < 10ms, Recursive queries with latency >= 10ms
and < 100ms, Recursive queries with latency >= 100ms and < 500ms, Recursive queries
with latency >= 500ms and < 800ms, Recursive queries with latency >= 800ms and < 1600ms
and Recursive queries with latency >= 1600ms.
Guardian - Rate limited traffic (Queries)
A chart displaying the number of queries dropped by Guardian because source clients reached
the configured query limit rate (of 100 QPS), in queries per second. Clients traffic rate can
be limited to 10 queries per ms using the trigger action Ratelimit. For more details, refer to
the section Managing Guardian Triggers.
844
Managing Guardian Statistics
All Guardian tops allow to monitor metrics measured via 5-minute samples over a specific time
window. As illustrated below, a dedicated chart allows to set the time widow and filter the data
to display.
The drop-down list Display allows to select the top of your choice. If you are displaying the
page Analytics of a Guardian server, only Guardian - Top <data> are listed.
Three view displays are available, Overview, Detailed view and Consolidated view. The
number of entries they return depend on the time window you set.
The time window displayed. The two buttons allow to open the calendar where you set
the start and end date and time.
The calendar displays in light gray the selected date. All the dates when data is available
are underlined, you can click on any one to set it as start or end. At the bottom, you can
select the hour and minute of your choice. If you click on NOW you can use the current date
and time as start or end.
A chart representation of the data returned by the top. It allows to zoom in and out to narrow
down the data returned and filter the list.
The timeline provides an overview of the chart. It also allows, like in the image, to select a
specific period to display in the chart and return in the list. For more details, refer to the
section Charts in the chapter Understanding the GUI.
The data matching the selected top, view and time window. Some columns are always empty
in Overview and Consolidated view.
845
Managing Guardian Statistics
Prerequisites
• Making sure that client statistics are enabled on the Guardian server. They are enabled by
default.
If on the server properties page, in the panel Options, the parameter Client stats is listed, it
means that it is not set with the default value and you need to enable it. For more details, refer
to the section Making Sure Guardian Client Statistics Are Enabled.
• Making sure the analytics are collected, as detailed below.
In the module DNS, once you meet the prerequisites, the page Analytics offers dedicated
Guardian tops to monitor client or request data.
Note that until you display the analytics of a specific server, the page might display DNSTOP,
RPZ and Guardian analytics. For more details on DNS and RPZ data, refer to the section Monit-
oring DNS Servers from the Page Analytics.
Next to the drop-down list Display, another drop-down list allows to select a view.
846
Managing Guardian Statistics
Under these lists, a chart allows to set a time window and narrow down the data to return in
the columns. If no data is available for the selected top, the chart is empty.
Guardian analytics provide dedicated columns., depending on the top and view selected some
of them may be empty or not displayed.
You can filter and sort data through all columns, except Start date and Period that you can only
sort.
On the page Analytics, Guardian tops allow to monitor specific client or request data for all
Guardian servers.
847
Managing Guardian Statistics
All tops return detailed 5-minute samples of data measurements of the server traffic, in number
of queries, size or recursion time. These metrics either return information based on the IP address
of a client or queried domain/record.
The information returned by each Guardian top depends on the selected view and on the
time window set.
All Guardian tops provide three different views for the chosen time window:
1. Overview returns a simplified display of the data for each 5-minute sample within the selected
time window. With the column Total, you can identify peaks in the traffic and get more inform-
ation with the consolidated or detailed view. These peaks are also displayed in the chart.
2. Consolidated view focuses on the client or query data, depending on the selected Top. When
a client IP address or a queried domain/record is repeatedly identified over the different 5-
minute samples within the selected time window, these sampling periods add up in the column
Period.
3. Detailed view focuses on a sampling period. For each 5-minute sampling period, this view
lists the number of times one IP address or a domain and RR type has been identified within
the selected time window.
848
Managing Guardian Statistics
• The chart is essentially a filter, the time window you set filters and refreshes the data on the
page. Therefore, the chart cannot be used as gadget and displayed on Dashboards.
• If no data is available for the selected top, the chart is empty and you cannot set any time
window or display data.
• Even if you display the analytics of several Guardian server, the chart only contains one line.
All tops are based on some of the server statistics available via CLI. The data used is indicated
after each description. For more details, refer to the tables Guardian client statistics and Guardian
analytics columns.
Note that you can click on NOW at the bottom of the calendar window to use the current date
and time as start or end.
9. To set the time window directly from the chart:
a. You can zoom in or out of the chart. The page refreshes.
b. You can select the period of your choice in the timeline. The page refreshes
The clients, whose query was received and dropped because a trigger with the action Block
was armed. For more details, refer to the section Managing Guardian Triggers.
849
Managing Guardian Statistics
The clients querying records not in the cache. For more details, refer to the sections Managing
Guardian Client Statistics and Managing Guardian Server Statistics.
The clients querying records in the cache. For more details, refer to the sections Managing
Guardian Client Statistics and Managing Guardian Server Statistics.
The total size of the answers queried by clients that were not in the cache and were received
from the local recursive server. For more details, refer to the section Managing Guardian
Client Statistics.
The total size of the queries whose answer was not in the cache and that were sent to the
local recursive server. For more details, refer to the section Managing Guardian Client Stat-
istics.
The clients querying Guardian. For more details, refer to the section Managing Guardian
Client Statistics.
The clients whose queries were answered with the rcode NOERROR. For more details, refer
to the section Managing Guardian Client Statistics.
The clients whose queries were answered with the rcode NXDOMAIN. For more details, refer
to the section Managing Guardian Client Statistics.
850
Managing Guardian Statistics
The clients for whom the cumulative queries took the longest time to be answered by the
local recursive server, in milliseconds. For more details, refer to the section Managing
Guardian Client Statistics.
The clients whose queries were answered with the rcode SERVFAIL. For more details, refer
to the sections Managing Guardian Client Statistics and Ignoring the SERVFAIL Error Message
Differences.
The number of times a client query armed a trigger and, therefore, triggered an action. For
more details, refer to the sections Managing Guardian Client Statistics and Managing
Guardian Triggers.
The queries sent to Guardian for records not in the cache. For more details, refer to the
section Managing Guardian Server Statistics.
Metrics: Queries.
The queries sent to Guardian. For more details, refer to the section Managing Guardian
Server Statistics.
Metrics: Queries.
The queries for a sub-level domain name that has not been queried before. For more details,
refer to the section Managing Guardian Server Statistics.
851
Managing Guardian Statistics
The queries returned with the rcode NXDOMAIN. For more details, refer to the section
Managing Guardian Server Statistics.
Metrics: Queries.
The recursion of all queries, one fully qualified domain name at a time. For more details, refer
to the section Managing Guardian Server Statistics.
The queries returned with the rcode SERVFAIL. For more details, refer to the sections
Managing Guardian Server Statistics and Ignoring the SERVFAIL Error Message Differences.
Metrics: Queries.
852
Chapter 58. Managing Guardian
Protection
Malicious operations on the DNS infrastructure, such as DDoS, DNS tunneling or data exfiltration
attacks, usually result in overloaded servers and service loss for legitimate clients. You can use
the information provided by the Guardian client statistics to identify the different types of threats.
For instance, a high C-miss value might indicate that a client keeps querying names that are not
cached, thus increasing the load on the recursive server. You can also correlate an important
miss-A-sz to an encapsulated data transfer, taking advantage of the number of characters allowed
in the packets. As for the miss-Q-sz counter, a large size of sent queries might be due to data
exfiltration on the same principle. Other counters like recurs_time or invalid-Q are also good in-
dicators in the case of a sloth or invalid queries attack.
With Guardian:
• If your recursive server is under DDoS attack, a Rescue mode temporarily provides best-
effort delivery and prevents your server from being overloaded or victim of cache-poisoning.
For more details, refer to the section Managing DNS Guardian Rescue Mode.
• You can configure up to 8 Guardian lists of domains, either added manually or automatically
updated, to gather specific metrics to combine with views and triggers. For more details, refer
to the section Managing Guardian Lists.
• You can configure up to 8 Guardian views that you can either associate to a transparent
DNS proxy or to Guardian lists, in order to apply domain specific access policies. For more
details, refer to the section Managing Guardian Views.
• From the GUI, you can create and configure Guardian policies that are containers for triggers.
For more details, refer to the section Managing Guardian Policies
• You can target suspicious clients and either monitor them, put them in quarantine, redirect
them, limit their query rate or block them completely. For more details, refer to the section
Managing Guardian Triggers.
Note that, except for the Rescue mode, DNS Guardian protection requires that you enable
and understand Guardian client statistics. For more details, refer to the table Managing
Guardian Client Statistics.
853
Managing Guardian Protection
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is dis-
played.
6. To enable DNS Guardian protection, in the field Blast, select yes (1).
7. Click on OK to complete the operation. The wizard closes.
Rescue
Mode
Internet
best effort
cached
answers for queries
answers
not in the cache
In Rescue mode, Guardian buffers all the queries and behaves as follows:
1. If the queried record is in the cache, the response is immediate.
2. Usually, if the queried record is not cached yet, Guardian relays it to your local DNS server.
In Rescue mode, the local DNS server offers a best-effort service to deliver answers to the
clients. If the query is answered, it is cached by Guardian.
3. If the queried record has expired, Guardian sends it to the client with the TTL that you have
set beforehand (300 seconds by default) to preserve the local DNS server and potentially
avoid querying it altogether. Keep in mind that you can manually expire all or part of your cache
entries.
You first need to enable Rescue detection so that the Rescue mode can be automatically triggered
when the parameters set when you configure Guardian Rescue mode are met. You can also
force Guardian Rescue mode and then stop it manually. If you do not want the Rescue mode to
be triggered automatically, you can disable Guardian Rescue detection.
Note that:
• For the Rescue mode to be available, Guardian Protection must be enabled. For more details,
refer to the section Enabling Guardian Protection.
• Guardian provides you with charts to visualize different Rescue Mode statistics on the properties
page of the server. For more details, refer to the section Monitoring Guardian Statistics.
854
Managing Guardian Protection
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is dis-
played.
6. To enable the Rescue mode detection, in the field Rescue detection, select auto (1).
7. Click on OK to complete the operation. The wizard closes.
You can set Rescue mode parameters to match your network needs.
855
Managing Guardian Protection
856
Managing Guardian Protection
You can set your lists type and decide to configure domain or client lists.
All lists are empty by default and can be configured using the following parameters via CLI and
from the GUI. Each list is identified with a number between 0 and 7, this number is replaced by
# throughout this section.
Note that you can only use CLI to display Guardian list entries, edit Guardian list content, reset
a Guardian list counter and clear guardian lists.
857
Managing Guardian Protection
The results are sorted, first by number of queries matching this entry, then by Name. You can
filter it to only display the content of specific list(s), as in the example below:
DNS Blast> show list list_id=1
858
Managing Guardian Protection
Keep in mind that from the GUI you can set the list parameters on the properties page of the
DNS server. For more details, refer to the chapter Managing Guardian Configuration.
Note that:
• Each one can contain as many entries as you want.
• The list entries are reviewed in order.
• You can use the wildcard * in place of subdomain names, as in *.verybadzone.ws, and in your
client identifiers.
859
Managing Guardian Protection
• The order and format of the identifiers of a client list must respect the ones set for the parameter
view#.client identifiers of the view. For more details, refer to the section Identifying the Clients
Querying the Views.
You can only manually edit the content of a list via CLI.
4. To manually create a list entry, indicate a name respecting the syntax <FQDN> or <*.FQDN>
and use the following command:
create list_entry list_id=# <list-entry-name>
5. To manually delete a list entry, indicate its exact name and use the following command:
clear list list_id=# <list-entry-name>
To display the list content, refer to the section Displaying Guardian Lists.
From the GUI, you can automatically update and synchronize the content of any list from an ex-
ternal source with two parameters that allow to configure a zone transfer relying on the command
dig.
@<server> <optional-dig-parameters>
where <server> is the IP address or FQDN of the server and <optional-dig-parameters> can
1
accept relevant dig options like -y [hmac:]<name:tsig-key> .
7. In the field List#.zone name, specify the name of the zone, on the server specified above,
from which you want to retrieve the content to update the list.
8. Click on OK to complete the operation. The wizard closes.
Via CLI, you can display the list content as detailed in the section Displaying Guardian Lists.
1
For more details regarding the command dig, refer to the ISC documentation, available at ftp://ftp.isc.org/www/bind/arm95/man.dig.html.
860
Managing Guardian Protection
No matter the type of list, you must configure their content as detailed in the section Editing the
Content of a Guardian List.
To save or clear Guardian list when the service DNS Guardian restarts
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is dis-
played.
6. In the field List#.save, you can:
• Specify 1 to save the list every time DNS Guardian restarts. This is the default value.
• Specify 0 to clear the list every time DNS Guardian restarts.
We strongly recommend leaving this parameter enabled with the default value 1.
7. Click on OK to complete the operation. The wizard closes.
861
Managing Guardian Protection
4. To reset all the counters of a specific list, use the following command:
reset list list_id=#
5. To reset only the counter of entries that have expired (1) or have not yet expired (0), use the
following command:
reset list list_id=# expired=<0|1>
5. To clear only the entries that have expired (1) or have not yet expired (0), use the following
command:
clear list list_id=# expired=<0|1>
You can add, order and manage views on a Guardian server. The position of a view is visible in
the column Order on the page All views. For more details, refer to the chapters Managing DNS
Views and Configuring DNS Views.
862
Managing Guardian Protection
• Use Guardian lists to restrict domain-specific access for clients associated with a view. For
more details, refer to the section Using Lists to Filter Guardian Views.
• Log the queries to a domain belonging to a list, the answers and the lists matched. For more
details, refer to the section Logging Client Activity Based on the Lists Filtering Guardian Views.
• Set a transparent DNS proxy to hide the DNS server address from clients associated with a
view. For more details, refer to the section Setting a Transparent DNS Proxy for Guardian
Views.
All views can be configured using the following parameters via CLI and from the GUI. Each view
is identified using its order on the local server, a number between 0 and 7 replaced by #
throughout this section.
In the panel Options, the section Advanced options contains the parameters with values
different from the default values. The status of the parameter is displayed.
For more details regarding parameter configuration at server level, refer to the section Editing
Guardian Configuration.
To identify the querying clients, rather than the last resolver that transmitted their query, you can
set the parameter client identifier on each view. You can identify them using the IP address of
the query and/or the value of an EDNS option of the query, that can be an IP address, MAC ad-
dress or CPE identifier.
By default when you display client statistics, the column Client ID returns the source IP address
of the DNS query received by Guardian server, whether it was forwarded or not. If you identify
clients, the values returned in the column change accordingly.
863
Managing Guardian Protection
For each Guardian view you can specify which field(s) of the DNS query to use as client identifier.
The parameter View#.client identifiers can identify:
• Only the IP address of the query with default as follows:
• default ip to retrieve the source IP address of the query.
• default rev_ip to retrieve the source IP address of the query, in reverse format.
• default destination_ip to retrieve the destination IP address of the query.
• default destination_rev_ip to retrieve the destination IP address of the query, in reverse
format.
After the filter default you can combine values, you must separate them with a space, e.g. default
rev_ip destination_ip .
• An EDNS option of the query with all as follows:
• all <EDNS-option>=<identifier> to retrieve the identifier declared in the EDNS option of the
query.
With an option specified, the matching clients are identified in the clients statistics. Their Client
ID could look as follows: 70.0.0.24 if the parameter contains all ecs=ecs_ip .
• An EDNS option and the IP address of the query with all as follows:
• all <EDNS-option>=<identifier> <ip|rev_ip|destination_ip|destination_rev_ip> to retrieve the
identifier declared in the EDNS option and the source or destination IP address of the query,
in standard or reverse format.
With an option and the query IP address specified, the matching clients are identified in the
clients statistics. Their Client ID could look as follows: 70.0.0.24.4.3.2.1 if the parameter contains
all ecs=ecs_ip rev_ip .
Note that even after the EDNS option, you can combine all the values that identify the IP address
of the query. Their Client ID could look as follows: 70.0.0.24.4.3.2.1.192.168.25.125 if the
parameter contains all ecs=ecs_ip rev_ip destination_ip .
The parameter View#.client identifiers can identify the following EDNS options.
ecs The IP address of the EDNS Client Subnet (ECS), in standard or reverse format. The option
accepted identifiers are:
• ecs_ip. The ECS IP address.
• ecs_rev_ip. The ECS IP address, in reverse format.
nominum_cpeid The CPE ID received from a Nominum/Akamai DNS. The option accepted identifier is:
• nominum_cpeid. The client CPE ID.
nominum_deviceid The Device ID received from a Nominum/Akamai DNS. The option accepted identifier is:
• nominum_deviceid. The client device ID.
opendns_deviceid The Device ID received from OpenDNS/Umbrella. The option accepted identifier is:
• opendns_deviceid. The client device ID.
opendns_ip The IP address received from OpenDNS/Umbrella, in standard or reverse format. The
option accepted identifiers are:
• opendns_ip. The client IP address.
864
Managing Guardian Protection
With several identifiers, the parameter is used as an ACL. All the options are reviewed in order,
the first one that matches the client query is used to identify clients. For instance, with all
opendns_ip=opendns_ip, ecs=ecs_rev_ip specified:
• If the option opendns_ip is in the client query, the client is identified using the IP specified in
the EDNS option. The ecs identifier details are ignored.
• If the option opendns_ip is not in the client query, then we look for the option ecs. If ecs is in
the query, the client is identified using the reverse IP specified in the EDNS option.
• If none of them are found, the client is identified using the IP address of the original query, as
if the parameter was set to default ip.
Note that:
• The client identifiers you set can filter traffic when used in Guardian client lists, as long as the
list content matches the order and format of the identifiers specified in the parameter
View#.client identifiers. For more details, refer to the section Managing Guardian Lists.
• The client identifiers you set defines how the client information is displayed is the clients stat-
istics. For more details, refer to the section Managing Guardian Client Statistics in the chapter
Managing Guardian Statistics.
default <ip|rev_ip|destination_ip|destination_rev_ip>
You can combine the values if you separate them with a space, e.g. default rev_ip destin-
ation_ip .
• To only identify clients using a specific EDNS option, you can set the parameter as follows:
all <EDNS-option>=<identifier>
To specify an EDNS option and the IP address of the query refer to the next step.
All EDNS option configurations are described in the table Available EDNS options and values.
Note that if an EDNS option specified is not found in the query, the client is identified using
the source IP address of the original query, as if the parameter was set to default ip.
865
Managing Guardian Protection
8. To identify clients using both an EDNS option and the IP address of the query, you can set
the parameter as follows:
Everything specified after the filter all is used in the client statistics, the values are separated
by a dot ".". If you set the parameter to all ecs=ecs_ip rev_ip, the Client ID of the matching
client could look as follows: 70.0.0.24.4.3.2.1 . Even with an EDNS option, you can combine
all the values that identify the IP address of the query if you separate them with a space.
Note that if the option specified is not found in the query, the whole identifier definition is ig-
nored. If you set the parameter to all ecs=ecs_ip rev_ip and the option is not in the query,
the client is not identified using rev_ip. Instead, either the client is identified using the IP
address of the original query, or you specified several options, as detailed below, and the
next one may match a client query.
9. To configure several identifiers for the view, you must separate them with a comma "," as
follows:
Each identifier is reviewed in order. If the first one matches a client query, all the other are
ignored. If the first one does not match a client query, the next one is reviewed, etc.
Note that if none of the values specified match a query, the client is identified using the
source IP address of the original query.
10. To stop identifying clients in a view, leave the field View#.client identifiers empty. The clients
of the view are identified using the last resolver that transmitted their query again, whether
it was forwarded or not.
11. Click on OK to complete the operation. The wizard closes.
These list filters can be used, for instance, to differentiate domain names associated with many
IP addresses or to redirect clients, based on their identifiers, to a specific view.
These lists extend the match-destination configuration of a Guardian view to apply an advanced
traffic policy. This policy can be based on a domain or a client identifier. For more details on the
list types, refer to the section Defining the Type of a Guardian List.
1. Define which entries, from the Guardian list(s) of your choice, should be applied a traffic policy.
For more details, refer to the section Managing Guardian Lists.
866
Managing Guardian Protection
Filter Description
default The view policy applies to all the entries not impacted by another action. This implies the use of
several actions. There is no need to specify a list for this filter.
This policy applies to clients present in the match-client configuration of the view and querying
an entry present in the specified list(s). When a client queries a domain not in the list(s) or the
client identifier of a querying client is not in the list(s), Guardian applies the default policy
passthru.
3. Set as many view policies as needed, each configured with the domain and client list(s) of
your choice, as described above.
867
Managing Guardian Protection
9. If you want to log the client activity based on your lists, refer to the section Logging Client
Activity Based on the Lists Filtering Guardian Views.
10. To remove all list restrictions from a view, leave the field View#.list id filter empty.
11. Click on OK to complete the operation. The wizard closes.
To configure logging based on the lists used to filter Guardian views you must:
• Set Guardian parameters Querylog, Answerlog and/or List log to 2. For more details, refer to
the chapter Managing Guardian Configuration.
• Type in the options querylog, answerlog and/or list log when you set the parameter View#.list
id filter.
For instance, you can decide to enable the querylog, answerlog and list log for all the entries of
the lists mylist1 and mylist2, with mylist1 containing wikipedia.com and reddit.com and mylist2
containing reddit.com. If a client requests these two domains, the following information is available
in the logs named on the page Syslog:
May 31 15:17:32 solid named[63380]: client 10.0.252.11#38824 (wikipedia.com): answer: wikipedia.com
IN A (10.0.81.4) -> SERVFAIL
May 31 15:17:32 solid named[63380]: client 10.0.252.11#38824: query: wikipedia.com IN A (10.0.81.4)
May 31 15:17:32 solid named[63380]: List Matched 10.0.81.4#38824: query: wikipedia.com IN A
(10.0.81.4){mylist1}
May 31 15:16:46 solid named[63380]: client 10.0.252.11#26822 (reddit.com): answer: reddit.com IN
A (10.0.81.4) -> SERVFAIL
May 31 15:16:46 solid named[63380]: client 10.0.252.11#26822: query: reddit.com IN A (10.0.81.4)
May 31 15:16:46 solid named[63380]: List Matched 10.0.81.4#26822: query: reddit.com IN A
(10.0.81.4){mylist1,mylist2}
For more details regarding how to display the logs, refer to the section Syslog.
868
Managing Guardian Protection
To enable all three options, querylog, answerlog and list log, type in: <any|all|none> <space-
separated-list-ids> <action> +querylog+listlog+answerlog
Keep in mind that +listlog is ignored if you use the filter none.
7. Click on OK to complete the operation. The wizard closes.
Two read-only policies are available by default in SOLIDserver: default and empty.
If there are deployed policies, they are preceded by the icon and listed under the parent
policy name as many times as there are Guardian servers associated with the policy.
869
Managing Guardian Protection
Two policies are available by default and read-only.You can add policies from scratch as described
below or duplicate already existing policies. For more details, refer to the section Duplicating
Guardian Policies.
There are 5 columns on the page All policies that you can sort and filter. By default, all the columns
are displayed on the page and you cannot change their order.
The column Status provides information regarding the policies you manage.
If you deploy the empty policy available by default on a Guardian server that already has triggers,
they are deleted.
• No more than one policy can be deployed on a Guardian server and only servers in version
7.1 or higher are supported.
• You can deploy a policy at any time on a server. You can add a policy and its triggers before
deploying it on one or several servers. For more details regarding how to add triggers, refer to
the section Managing Guardian Triggers.
870
Managing Guardian Protection
To add a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. In the menu, click on Add. The wizard Add a policy opens.
3. In the field Name, specify the name of the policy.
4. In the field Description, specify the description of the policy.
5. In the list Available Guardian servers, you can select a server and click on . The server
is moved to the list Selected Guardian servers.
Only Guardian enabled physical servers are listed, whether they are managed by a smart
architecture or not.
To remove a server from the Selected Guardian servers, select it and click on . The server
is moved back to the list Available Guardian servers.
6. Click on OK to complete the operation. The policy is listed.
If you deployed the policy on one or more Guardian servers, on the right-end side of the
menu, click on . Several lines appear under the policy itself, there is a line for each of the
server(s) the policy is deployed on.
To edit a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. Right-click on the name of the policy that you want to edit. The contextual menu appears.
3. Click on Edit. The wizard Edit a policy opens.
4. Edit the policy Description according to your needs. If you are editing a read-only policy,
this field is grayed out.
5. Edit the list Selected Guardian servers according to your needs. Only Guardian enabled
physical servers are listed, whether they are managed by a smart architecture or not.
Select a server in the list Available Guardian servers and click on to add it the list Selected
Guardian servers. Select a server in the list Selected Guardian servers and click on to
move it back to the list Available Guardian servers.
871
Managing Guardian Protection
To duplicate a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. In the list, select the policy that you want to duplicate.
3. In the menu, select Edit > Duplicate. The wizard Duplicate a policy opens.
4. In the field Policy, name the new policy.
5. Click on OK to complete the operation. The new policy is listed.
To delete a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. In the list, select the policy that you want to delete.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The policy is no longer listed.
DNS Guardian client statistics can be used to protect the server by targeting suspicious clients
and restricting their traffic. To do so, you can add triggers that:
Once a client traffic reaches a threshold, the trigger is armed for the whole specified period even
if the client traffic drops down below said threshold.
872
Managing Guardian Protection
If the client reaches the traffic threshold again when the trigger is already armed, the action dur-
ation is renewed but there is no mention of the rearming in the logs named on the page Syslog.
For more details, refer to the section Syslog.
Threshold
Trigger armed
Policy
applied over the
defined period
Note that, for the triggers to be available, DNS Guardian Protection must be enabled. For more
details, refer to the section Enabling Guardian Protection.
Keep in mind that you can monitor the analytics of all trigger armings as well as the graph
statistics of 8 triggers. For more details, refer to the section Monitoring Guardian from the GUI.
Limitations
• Any change made in the GUI overwrites the changes made via CLI. The modifications
made in the CLI are erased and replaced by the data available in the GUI.
• Restoring a backup on a management appliance leads to a synchronization between
the GUI and the Guardian server: The objects that are on the server and also in the GUI are
kept. The objects that are only present on the server are deleted and the objects only in the
GUI are added on the server.
Therefore, if you created, edited or deleted objects since the backup was saved, all changes
are lost and may even not be visible in the GUI. Before restoring a backup, make sure you
saved it when the Application or Guardian database was up-to-date.
Browsing Triggers
To display the list of triggers
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. To display or hide policy deployments, on the right-end side of the menu, click on . For
more details regarding policy deployments, refer to the section Browsing Policies.
By default, there are five triggers available in the policy default. You cannot modify these triggers
as the policy default is in read-only.
873
Managing Guardian Protection
Users of the group admin can add customized column layouts. The button Listing template,
on the right-end side of the menu, allows any user to display them. For more details, refer to the
section Customizing the List Layout.
There are 9 columns on the page All triggers that you can sort and filter. By default, all the columns
are displayed on the page.
The column Status provides information regarding the triggers you manage.
Adding Triggers
You can add as many triggers as needed. Triggers contain:
• One of the actions illustrated below.
• The rule that defines when the action is launched. The trigger rule syntax is based on the Re-
verse Polish Notation (RPN) which is parenthesis-free and where each operator follows all of
its operands. The rule uses one or more metrics from the Guardian clients metrics described
in the table Trigger metrics.
• The metric operators +, -, *, / .
• The threshold operators =, !=, >=, <=, <, > .
874
Managing Guardian Protection
Note that it is also possible to include a condition for the DNS views in a trigger. For more details,
refer to the section Adding Triggers Armed by Several Thresholds.
With triggers, you can launch five actions in order to protect your servers:
normal Internet
Rescue
Mode
In the table below are described the metrics you can use in the triggers:
rate limited client 100
Table 58.12. Trigger metrics
Internet
875
Managing Guardian Protection
Metric Description
cache_miss_not_exist Number of cache misses that have never been cached.
cache_miss_quarantine Number of cache misses in quarantine mode.
cache_miss_quarantine_redir- Number of cache misses in quarantine mode that were redirected.
ect
recurs_time Total time in recursion in milliseconds.
auth_query_size Size, in bytes, of authoritative queries.
auth_answer_size Size, in bytes, of authoritative answers.
hit_query_size Size, in bytes, of hit queries.
hit_answer_size Size, in bytes, of hit answers.
miss_query_size Size, in bytes, of missed queries.
miss_query_size_not_exist Size, in bytes, of missed queries that have never been cached.
miss_answer_size Size, in bytes, of answers to missed queries.
miss_answer_size_not_exist Size, in bytes, of answers to missed queries that have never been cached.
answer_noerror Number of answers returning a NOERROR rcode.
answer_formerr Number of answers returning a FORMERR rcode.
answer_servfail Number of answers returning a SERVFAIL rcode.
answer_nxdomain Number of answers returning a NXDOMAIN rcode.
answer_notimp Number of answers returning a NOTIMP rcode.
answer_refused Number of answers returning a REFUSED rcode.
auth_answer_noerror Number of authoritative answers returning a NOERROR rcode.
auth_answer_formerr Number of authoritative answers returning a FORMERR rcode.
auth_answer_servfail Number of authoritative answers returning a SERVFAIL rcode.
auth_answer_nxdomain Number of authoritative answers returning a NXDOMAIN rcode.
auth_answer_notimp Number of authoritative answers returning a NOTIMP rcode.
auth_answer_refused Number of authoritative answers returning a REFUSED rcode.
hit_answer_noerror Number of answers (hits) returning a NOERROR rcode.
hit_answer_formerr Number of answers (hits) returning a FORMERR rcode.
hit_answer_servfail Number of answers (hits) returning a SERVFAIL rcode.
hit_answer_nxdomain Number of answers (hits) returning a NXDOMAIN rcode.
hit_answer_notimp Number of answers (hits) returning a NOTIMP rcode.
hit_answer_refused Number of answers (hits) returning a REFUSED rcode.
miss_answer_noerror Number of answers (misses) returning a NOERROR rcode.
miss_answer_formerr Number of answers (misses) returning a FORMERR rcode.
miss_answer_servfail Number of answers (misses) returning a SERVFAIL rcode.
miss_answer_nxdomain Number of answers (misses) returning a NXDOMAIN rcode.
miss_answer_notimp Number of answers (misses) returning a NOTIMP rcode.
miss_answer_refused Number of answers (misses) returning a REFUSED rcode.
rpz_hit Number of RPZ hits.
To do so, select the action Block for a duration of 3600s and type in the rule query@10 100 >.
876
Managing Guardian Protection
All the events that armed (ARMING) or disarmed (DISARMING) the trigger are detailed in the
logs named on the page Syslog, along with the client's IP address and the related action policy.
For more details regarding how to display the logs, refer to the section Syslog.
The arming and disarming of the trigger are logged in the logs named with the tag Trigger-B:
01/03/2018 18:13:18 solid named[12962]: ARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-B)
01/03/2018 18:13:18 solid named[12962]: DISARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-B)
To add a trigger
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. In the menu, click on Add. The wizard opens.
3. In the list Guardian policy, select the policy in which you want to add the trigger. Only the
non read-only policies are available.
4. Click on NEXT . The page Add a trigger opens.
5. The field Position is in read-only. The value is retrieved from the available positions.
6. In the field Name, specify the name of the trigger.
7. In the drop-down list Action, select the action that you want to launch when the trigger is
armed. For more details, refer to the table below.
8. In the field Duration (in seconds), specify how long the action should last.
9. In the section Action options, tick the boxes Querylog and/or Answerlog. For more details,
refer to the section Enabling Querylog and Answerlog on Triggers.
877
Managing Guardian Protection
10. In the field Rule definition, type in the definition of the rule in Reversed Polish Notation, using
at least one of one of the metrics described in the table Trigger metrics as in the following
example:
You can also add a trigger using the result of an operation combining two or more metrics
using a metric operator, as in the following example:
The syntax above can also be combined with Guardian lists. For more details, refer to the
section Adding Triggers Relying on Lists Metrics.
11. To activate the trigger, tick the box Manage. If you do not, it is never armed even if its threshold
is reached.
Note that you can manage this option on one or more triggers at once. For more details,
refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
If you added the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.
To do so, select the action Ratelimit for a duration of 3600s and type in the rule cache_miss@10
list1_cache_miss@10 - 100 >.
The available list metrics are the following. Each of the 8 lists available is numbered, in the table
below, # corresponds to a number between 0 and 7.
878
Managing Guardian Protection
The following rule describes how to add a trigger with one metric and one list:
Note that you can manage this option on one or more triggers at once. For more details,
refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
879
Managing Guardian Protection
If you added the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.
To do so, select the action Quarantine for a duration of 3600s and type in the rule query@10 100
> cache_miss@30 50 > |.
You can also add a trigger that includes a condition for the DNS views as one of the thresholds.
For instance, you can add the trigger Trigger-V:
1. That applies the traffic action Quarantine during 3600 seconds to the client that arms the trigger.
2. That is armed when the client is associated with the View whose order number is 2 AND
generates more than 50 queries missing the cache during 30 consecutive seconds.
To do so, select the action Quarantine for a duration of 3600s and type in the rule view 2 =
cache_miss@30 50 > &.
880
Managing Guardian Protection
The following rule describes how to add a trigger with two thresholds:
Note that you can manage this option on one or more triggers at once. For more details,
refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
If you added the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.
The arming and disarming of the trigger is logged in the logs named on the page Syslog but does
not indicate which threshold was met. To display this information, you can use trigger tags. For
more details, refer to the section Adding Tagged Triggers.
Each metric you want to display in the tag is given a numerical position, from left to right, starting
from 0.
To do so, name your trigger Trigger-T1 Queries %0, select the action Block for a duration of 3600
seconds and type in the rule query@10 push_param 100 >=.
The arming and disarming of the trigger is logged in the logs named with the tag Trigger-T1
Queries <value>:
01/03/2018 18:13:18 solid named[12962]: ARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-T1
Queries 100)
01/03/2018 18:13:18 solid named[12962]: DISARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-T1
Queries 0)
For more details regarding how to display the logs, refer to the section Syslog.
Tags are the most useful when the trigger has several metrics, as in Trigger-T2:
881
Managing Guardian Protection
1. Called "Trigger-T2 Queries %0 Cache-Miss %1" where the operator %0 is replaced in the
logs by the first tagged metric and %1 by the second tagged metric.
2. Which is enabled and applies the traffic policy Block to the client during 3600 seconds.
3. That is armed when the client generates more than 100 queries during 10 consecutive
seconds, which is the first metric preceded by the operator push_param or when the client
generates more than 50 queries missing the cache in 30 consecutive seconds, which is
the second metric preceded by the operator push_param.
To do so, name your trigger Trigger-T2 Queries %0 Cache-Miss %1, select the action Block for
a duration of 3600 seconds and type in the rule query@10 push_param 100 >= cache_miss@30
push_param 50 >= |.
The arming and disarming of the trigger is logged in the logs named with the tag Trigger-T2
Queries <value> Cache-Miss <value>.
01/03/2018 18:13:18 solid named[12962]: ARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-T2
Queries 0 Cache-Miss 50)
01/03/2018 18:13:18 solid named[12962]: DISARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-T1
Queries 0 Cache-Miss 0)
The result above indicates that the threshold of the second metric, tagged as Cache-Miss, was
met.
882
Managing Guardian Protection
11. To activate the trigger, tick the box Manage. If you do not, it is never armed even if its threshold
is reached.
Note that you can manage this option on one or more triggers at once. For more details,
refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
If you added the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.
In addition, you can customize a trigger to also log the queries and/or answers of a client during
the whole action duration. To do so:
• You must set Guardian parameters querylog and/or answerlog to 2. For more details, refer to
the chapter Managing Guardian Configuration.
• You must select the options querylog and/or answerlog when you add the trigger.
To configure this particular trigger, select the action Log only for a duration of 60s as well as the
actions Querylog and Answerlog and type in the rule query@10 500 >.
The arming and disarming of the trigger as well as the client's queries and/or answers are logged
in the logs named with the tag Trigger-Z:
01/03/2018 15:17:37 solid named[12962]: DISARMING trigger on 10.0.252.11 (action:NONE) (Trigger-Z)
01/03/2018 15:17:32 solid named[12962]: client 10.0.252.11#38824 (wikipedia.com): answer:
wikipedia.com IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:17:32 solid named[12962]: client 10.0.252.11#38824: query: wikipedia.com IN A
(10.0.81.4)
01/03/2018 15:16:46 solid named[12962]: client 10.0.252.11#26822 (reddit.com): answer: reddit.com
IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:46 solid named[12962]: client 10.0.252.11#26822: query: reddit.com IN A (10.0.81.4)
01/03/2018 15:16:46 solid named[12962]: client 10.0.252.11#29848 (reddit.com): answer: reddit.com
IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:46 solid named[12962]: client 10.0.252.11#29848: query: reddit.com IN A (10.0.81.4)
01/03/2018 15:16:45 solid named[12962]: client 10.0.252.11#35200 (reddit.com): answer: reddit.com
IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:45 solid named[12962]: client 10.0.252.11#35200: query: reddit.com IN A (10.0.81.4)
01/03/2018 15:16:44 solid named[12962]: client 10.0.252.11#64691 (reddit.com): answer: reddit.com
IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:44 solid named[12962]: client 10.0.252.11#64691: query: reddit.com IN A (10.0.81.4)
01/03/2018 15:16:42 solid named[12962]: client 10.0.252.11#16781 (reddit.com): answer: reddit.com
IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:42 solid named[12962]: client 10.0.252.11#16781: query: reddit.com IN A (10.0.81.4)
01/03/2018 15:16:37 solid named[12962]: ARMING trigger on 10.0.252.11 (action:NONE) (Trigger-Z)
For more details regarding how to display the logs, refer to the section Syslog.
883
Managing Guardian Protection
Note that if you tick either box, the queries and/or answers are only logged when the trigger
is armed.
10. In the field Rule definition, type in the definition of the rule in Reversed Polish Notation, using
at least one of one of the metrics described in the table Trigger metrics.
11. To activate the trigger, tick the box Manage. If you do not, it is never armed even if its threshold
is reached.
Note that you can manage this option on one or more triggers at once. For more details,
refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
If you added the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.
Editing Triggers
At any time you can update a trigger. Before editing a trigger, note that:
• You cannot edit a trigger belonging to a read-only policy or a policy deployment.
• The trigger edition consists of editing its main properties and its rule definition.
• Unticking the box Manage unmanages a trigger. For more details, refer to the section Managing
or Unmanaging Triggers.
To edit a trigger
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. Right-click on the name of the trigger you want to edit. The contextual menu opens.
3. Click on Edit. The wizard Edit a trigger opens.
4. Edit the trigger field(s) Name, Action, Duration (in seconds), Action options, Rule definition
(in Reversed Polish Notation) and Manage according to your needs.
5. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
884
Managing Guardian Protection
If you edited the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.
Deleting Triggers
At any time, you can delete a trigger. Keep in mind that you cannot delete a trigger if the Guard-
ian server value is different from N/A.
To delete a trigger
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. Tick the trigger you want to delete.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The device is no longer
listed.
885
Managing Guardian Protection
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display options(s), select which parameters to display: all, using non-
default values, using default values or different from smart.
6. To disable DNS Guardian protection, in the field Blast, select no (0).
7. Click on OK to complete the operation. The wizard closes.
886
Part XI. NetChange
NetChange allows to locate and monitor your network devices. You can import them using their IP address
and the CDP, NDP and LLDP layer 2 discovery protocols to find more devices on the network.
Once imported, NetChange relies on the SNMP protocol to retrieve information in the MIB of each device.
It provides monitoring for the routes, VLANs and ports the devices contain and the IP addresses of their in-
terfaces as well as the devices connected to them. In addition, it allows to monitor the configuration file
versioning on the devices that support it.
Local
discoveries
Remote
discoveries
Local
Data Center discoveries Small Office
Head Quarter
We recommend importing all possible devices to have a clear overview of your network. All supported
devices are listed on the Knowledge Base in the category NetChange/IPLocator at
https://kb.efficientip.com/index.php/Main_Page.
Note that the depending on the license you chose, you can either retrieve network devices information
or partially configure your network devices and their content. There are two NetChange licenses available:
1. NetChange-IPL, a light version that provides basic management options of your network devices.
2. NetChange, the full license that allows advanced management of your Avaya, Cisco and HP network
devices as it provides configuration options for VLANs and ports, 802.1X authentication, versioning...
Note that from the module Dashboards, you can gather gadgets and charts on NetChange dashboard to
monitor the module data or set up custom shortcuts and search engines. For more details, refer to the part
Dashboards.
Table of Contents
59. Managing Network Devices ...................................................................................... 891
Browsing Network Devices .................................................................................... 891
Adding Network Devices ........................................................................................ 893
Importing Network Devices Using Discovery Protocols ............................................ 894
Enabling or Disabling the 802.1X Authentication Protocol ........................................ 896
Editing the SNMP Properties of a Network Device ................................................... 897
Refreshing the Network Devices Database ............................................................. 898
Connecting to a Network Device Via a Console ....................................................... 899
Making a Network Device Snapshot ....................................................................... 900
Automatically Adding New Network Devices as Group Resource .............................. 901
Creating Network Devices in Device Manager ......................................................... 901
Exporting Network Devices .................................................................................... 902
Deleting Network Devices ...................................................................................... 902
Defining a Network Device as a Group Resource .................................................... 902
60. Managing Routes .................................................................................................... 903
Prerequisites ........................................................................................................ 903
Limitations ............................................................................................................ 903
Browsing Routes ................................................................................................... 903
Enabling the Registry Key Required to Display the VRF Routes ............................... 905
Creating Routes in the IPAM .................................................................................. 906
Exporting Routes .................................................................................................. 906
61. Managing VLANs ..................................................................................................... 907
Browsing VLANs ................................................................................................... 907
Adding a VLAN ..................................................................................................... 908
Editing a VLAN ...................................................................................................... 908
Creating a VLAN in VLAN Manager ........................................................................ 909
Exporting VLANs ................................................................................................... 909
Deleting a VLAN ................................................................................................... 909
62. Managing Ports ....................................................................................................... 910
Browsing Ports ...................................................................................................... 911
Enabling or Disabling a Port ................................................................................... 912
Editing a Port Interconnection ................................................................................ 912
Editing a Port Speed and Duplex Mode .................................................................. 913
Updating a Port Description ................................................................................... 914
Managing the 802.1X Authentication Protocol on a Port ........................................... 914
Restricting Access to a Port with the Protocol Port-security ...................................... 915
Limiting Port Edition Rights to Specific Groups of Users .......................................... 918
Configuring VLAN Tagging on a Port ....................................................................... 920
Exporting Ports ..................................................................................................... 923
63. Managing Configuration Versioning ........................................................................... 924
Prerequisites ........................................................................................................ 924
Limitations ............................................................................................................ 924
Browsing Configuration Files .................................................................................. 924
Managing Connection Profiles ............................................................................... 926
Configuring the Versioning of a Network Device ...................................................... 928
Refreshing a Configuration File .............................................................................. 930
Comparing Configuration Files ............................................................................... 931
Monitoring the Configuration Versioning in the Logs ................................................. 932
Downloading Versioning Information ....................................................................... 933
Configuring Advanced Versioning Options ............................................................... 934
Exporting Configuration Files ................................................................................. 935
889
NetChange
890
Chapter 59. Managing Network Devices
NetChange uses the SNMP protocol to query network devices and centralize all collected inform-
ation in its database. You can add, import and delete network devices with an IPv4 address from
the page All network devices. The devices can manage interfaces with IPv4 or IPv6 addresses
that are displayed on the dedicated page All addresses. There are several ways to integrate new
network devices in NetChange database:
• Adding one or several network devices using their IPv4 address.
• Importing network devices through discovery protocols (like CDP, DP or LLDP) once you added
a device.
• Importing network devices using a CSV file. For more details, refer to the section Importing
Data to NetChange in the chapter Importing Data from a CSV File.
To use NetChange at the maximum of its potential, we strongly suggest that you add at least
one device using its IP address and then use the discovery protocols to add all your network
devices to the page All network devices.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
The properties page of a network device contains a set of panels detailing its configuration:
891
Managing Network Devices
Refresh properties
The device refresh configuration, for both data and configuration file refresh. For more details,
refer to the chapter Managing Configuration Versioning.
Additional information
More specific data that is not displayed in the other panels like the Stack identifier, Uptime,
Number of ports, System OID, System contact and Complete description. For more details,
refer to the section Customizing the Display on the Page All Network Devices.
SNMP properties
All the SNMP monitoring information of the device: its profile name, version, port, number of
retries, timeout, transfer timeout, supported MIBs, etc. For more details, refer to the section
Editing the SNMP Properties of a Network Device.
Configuration versioning properties
The versioning configuration status: unsupported, enabled, disabled. Once enabled and
configured, the connection profile is also displayed in the panel. For more details, refer to
the chapter Managing Configuration Versioning.
IP Addresses List
All the IP addresses configured on the interfaces of the device, whether IPv4 or IPv6. You
can list them all on the page All addresses, for more details refer to the chapter Managing
Addresses.
Network device ports status
A graph representing the active, inactive and disabled ports of the device.
892
Managing Network Devices
Column Description
Slot serial number The slot number and slot serial number (identifier) of used slots as follows:
<slot-number>:<slot-serial-number>. That column only retrieves information
for used slots, empty slots are not listed.
SNMP profile The name of the SNMP profile used on the network device.
SNMP refresh The scheduled database refresh frequency configured on the network device
Status The network device status
OK The network device is up and running.
Timeout The network device is not responding.
Note that:
• You can also import network devices from a CSV file. For more details, refer to the section
Importing Data to NetChange in the chapter Importing Data from a CSV File.
• Users that do not belong to the group admin cannot see the network devices they add, unless
an administrative user either:
• Adds the new devices to the resources of the group(s) they belong to
• Configures the rule 407 to automatically add every new device as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New Network
Devices as Group Resource.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field IP address, type in either the IP address of the device of your choice or the start
address of a range of addresses that contains several or all of your network devices.
5. In the field Ending IP address, you can type in the last address of the range containing net-
work devices.
6. You can select the SNMP profile(s) to use in order to access the SNMP agent on the devices.
893
Managing Network Devices
Field Description
Selected profiles This field lists the SNMP profiles to use in order to retrieve the device(s)
information. SOLIDserver tries all the profiles on the device(s), following
the list order. To order the profiles, select them one by one and click on the
arrows to move them up or down . To remove a profile from the list,
select it and click on .
If you do not select any, NetChange uses the profile standard v2c.
7. In the drop-down list Target space, select the IPAM space associated with the network
device(s), to help differentiate devices on the page.
8. Tick the box Expert mode to specify more details regarding the device(s) information retrieval.
Edit the parameters according to your needs following the table below:
9. Click on OK to complete the operation. The report opens and works for a while before closing.
The page displays the network device(s).
Note that depending on the group they belong to, users may not see the device(s) they added
on the page until an administrative user either:
• Adds the new devices to the resources of the group(s) they belong to
• Configures the rule 407 to automatically add every new device as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New Network
Devices as Group Resource.
Once you added one device, you can retrieve all the devices it is directly connected (plugged)
to via the discovery protocol option detailed in the next section.
Note that you can also import network devices from a CSV file before using the discovery protocols.
For more details, refer to the section Importing Data to NetChange in the chapter Importing Data
from a CSV File.
894
Managing Network Devices
The discovery protocol import option retrieves all the information via three layer 2 protocols: the
Cisco Discovery Protocol (CDP), the Nortel Discovery Protocol (NDP) and the Link Layer Discovery
Protocol (LLDP). The information gathered through these protocols is then retrieved using SNMP,
among which, the devices neighbors i.e. the devices connected to the devices listed on the page
All network devices.
The Cisco Discovery Protocol (CDP)
The CDP is a proprietary Data Link Layer network protocol developed by Cisco Systems to
share information between devices, from their topology to their OS version, IP address or
interfaces' status. NetChange uses CDP to discover Cisco network devices.
The Nortel Discovery Protocol (DP)
The DP is a Data Link Layer (OSI Layer 2) network protocol for discovery of Nortel devices
and their topology. NetChange uses it to automatically discover Nortel, Avaya and Ciena
network devices.
The Link Layer Discovery Protocol (LLDP)
The LLDP is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by net-
work devices for advertising their identity, capabilities, and neighbors on a IEEE 802 local
area network, principally wired Ethernet. LLDP is supported by the following switch vendors:
HP, H3C, Nortel, Extreme Networks, Cisco and Juniper, Dell and Entreats.
The LLDP being the only vendor-neutral protocol, you might need to enable it on your devices,
especially if the devices connected are from different vendors or if you connected a Nortel or
Cisco device with a device from a different vendor.
895
Managing Network Devices
Depending on your firmware version, some options may be unrecognized. For VLAN, unfortunately,
you need to issue the command each time you add a VLAN. When using MT, EAST or SMELT,
you may want to disable ingress filtering:
vlan ports ALL filter-unregistered-frames disable
For Nortel RES 8600, there is no support for LLDP. For Nortel Switch for IBM Blade canter (Nortel
Layer 2-3 and 2-7), you need version 5.1 or more recent.
On capable and configured devices, you can see LLDP information with:
show lldp <detail>
You can individually disable it on the ports. For more details, refer to the section Managing the
802.1X Authentication Protocol on a Port.
• Disabling 802.1X authentication at device level, disables it at port level as well.
At port level, the protocol can still be configured but you can no longer enable it on the ports
when it is disabled on their device.
896
Managing Network Devices
We recommend that you display the column 802.1X to see if the authentication is supported on
your devices and if it is enabled or disabled. For more details, refer to the section Customizing
the List Layout.
This panel also provides an overview of the MIBs supported by the device.
897
Managing Network Devices
6. In the drop-down list SNMP profile, choose a profile using the same version of the SNMP
protocol as the one you selected in the field SNMP version.
If you created SNMP profiles, you can choose one of your profiles. They are listed only if
they use the same version of the SNMP protocol as the one you selected on the previous
page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with.
7. Click on OK to complete the operation. The wizard closes. The changes are listed in the
panel.
From the page All network devices, it applies to the selected device(s) and its content.
From any other NetChange page, it applies to the device that the selected object(s) belong to.
• The device parameter SNMP transfer timeout can impact the success of the refresh. For more
details, refer to the section Editing the SNMP Properties of a Network Device.
When the refresh is over, a report might appear and list the created IP addresses (Notice)
and existing ones (Error). This list only regards the device addition or import in the selected
Target space. You can download this report in the format of your choice: TEXT , HTML or
EXCEL .
7. Click on CLOSE to go back to the page All network devices. The page refreshes.
Scheduling a Refresh
The scheduled refresh allows to plan ahead the update of the NetChange database. You can
specify different schedules depending on the devices. Typically, edge switches are queried more
often than backbone routers.
898
Managing Network Devices
The device refresh frequency can be common to several devices or specific to a device. Do not
hesitate to tick one or several devices before setting up a refresh schedule.
5. Tick the Device data to refresh the database of the selected network device(s) at the
scheduled time.
6. If you enabled versioning on the selected device(s), you can tick the box Configuration
versioning. For more details, refer to the section Refreshing a Configuration File.
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again. The refresh frequency that you set is displayed in the panel Refresh properties on
the properties page of your network device.
Any scheduled refresh can be disabled for one or several devices at once.
899
Managing Network Devices
EfficientIP support team might ask for a device snapshot in case of missing or distorted information
on the equipment you want to add to NetChange. The snapshot is generated in .pcap format and
stored in the Local files listing. Keep in mind that the SNMP service and profiles must be configured
beforehand. Note that SNMPv3 is not accepted as a profile. For more details, refer to the sections
Managing the SNMP Service and Managing SNMP Profiles.
900
Managing Network Devices
To avoid having to manually define new network device as group resource, administrators can
configure the rule 407 and automatically add every new network device as resource of the groups
of users of the relevant group(s) of users.
To add the rule 407 that sets which groups have new network devices as resource
To remove a group, select it and click on . The group is moved back to the list Available
groups.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.
For more details, refer to the section Automatically Adding Network Devices in Device Manager.
901
Managing Network Devices
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Note that administrative users can add a rule to ensure that every new network device is added
to the resources of the groups of users of their choice. For more details, refer to the section
Automatically Adding New Network Devices as Group Resource.
Granting access to a network device as a resource also grants access to every item it contains.
For more details, refer to the section Assigning Resources to a Group in the chapter Groups.
902
Chapter 60. Managing Routes
The page All routes is dedicated to the network devices routing tables and displays the existing
routes on the layer 3 network devices you manage.
All the information displayed is retrieved via SNMP. Each route corresponds to a subnetwork
and has a unique IP address and prefix. The prefix size can be any number between 0 and 32
for IPv4 addresses and between 0 and 128 for IPv6 addresses.
NetChange supports more MIBs to provide detailed route information on the page. Thanks to
L3VPN you can now display the VRF routes configured on your network and also retrieve the
routes Type and Protocol.
Prerequisites
• Managing network devices and/or routers that support and have SNMP enabled.
• To discover VRF routes on your network you must:
• Make sure the routers support the MIB MPLS-L3VPN-STD-MIB.
• Make sure the routers configured with VRF have MPLS enabled.
• Make sure the routers configured with VRF have BGP enabled.
• Enable the registry key module.netchange.enable_vrf_route.
Limitations
• Routes are retrieved automatically when you import network devices. You cannot add, edit or
delete them.
• You can only export routes.
• To display the routes' Type and Protocol, the MIBs IP-FORWARD-MIB and IANA-RTPROTO-
MIB must be implemented on the routers.
• Depending on your infrastructure, enabling the VRF routes discovery can significantly increase
the database size.
Browsing Routes
The routes are the second level of organization in NetChange, along with the VLANs, configura-
tions, ports and addresses.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
903
Managing Routes
Keep in mind that you can use colored labels to differentiate at a glance IPv6 address containers.
For more details, refer to the chapter Managing IPv6 Labels.
In addition to the route and network device dedicated columns, the columns VRF name, VRF
RD and Next hop provide detailed information.
904
Managing Routes
Value Description
local The routing is working: it originates from a local interface.
remote The routing is working: it has a remote destination.
blackhole The routing is working: the route is discarding traffic silently.
Another column returns the Protocol via which the route was found.
Enabling the key updates the data on the page All routes, including additional information in the
columns VRF name and VRF RD.
You can create these retrieved routes in the IPAM. For more details, refer to the section Creating
Routes in the IPAM.
To enable the registry key that controls the switch based on time drift
905
Managing Routes
Exporting Routes
From the page All routes, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
906
Chapter 61. Managing VLANs
The page All VLANs provides an overview of the existing Virtual Local Area Networks for each
network device and their ID if you purchased the license NetChange-IPL. If you have the
NetChange license, it also allows to add, edit and delete VLANs on your devices. For more details
regarding the two available NetChange licenses, refer to the table NetChange licenses differences.
Browsing VLANs
The VLANs are the second level of organization in NetChange, along with the routes, configura-
tions, ports and addresses.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
Keep in mind that the column Port list contains the number of all the ports associated with each
VLAN. You can edit this list if you purchased the license NetChange, otherwise this list is merely
informative.
907
Managing VLANs
Adding a VLAN
With the NetChange license, you can add VLANs to the page All VLANs and then associate them
with existing ports. Using 802.1q VLAN Trunking protocol, a VLAN can cover a network area on
multiple switches.
You can also add a VLAN from the list All VLANs of a specific device, in this case the Network
device drop-down list does not appear.
In addition, you can use existing VLANs ID and name and add them to another device. That way,
you only need to specify a device for the VLAN name and ID to be used automatically upon cre-
ation. Obviously, the ports configuration of the selected VLAN is not created in the target network
device.
To add a VLAN from the page All VLANs using an existing name and ID
1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. Right-click over the ID of the VLAN of your choice. The contextual menu opens.
3. Click on . The wizard Add a VLAN opens.
4. In the fields Name and VLAN ID are displayed in gray the name and ID of the chosen VLAN.
5. In the drop-down list Network device, select the device of your choice.
6. Click on OK to complete the operation. The report opens and closes. There are now two
VLAN with the same name and ID listed, only their device differs.
Editing a VLAN
Editing a NetChange VLAN means renaming it. However, with the NetChange license you can
decide to use it with one or several of your network ports. For more details regarding the port
and VLAN interaction, refer to the section Associating a Port With a VLAN.
To rename a VLAN
1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. Filter the list if need be.
3. Right-click over the ID of the VLAN you want to rename. The contextual menu opens.
4. Click on . The wizard Add a VLAN opens.
5. In the field Name, rename the VLAN.
6. In the field VLAN ID, the ID is displayed but cannot be edited.
7. Click on OK to complete the operation. The report opens and closes. The list refreshes, the
new VLAN name is listed.
908
Managing VLANs
Exporting VLANs
From the page All VLANs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting a VLAN
With the NetChange license you can delete any VLAN from any network device as long as it is
not used on any port.
To delete a VLAN
1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. In the column Network device, click on the name of the device of your choice to display only
its VLANs.
3. Tick the VLAN(s) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The VLAN is no longer
listed.
909
Chapter 62. Managing Ports
The ports are physical interfaces of the network devices. NetChange discovers the network
devices ports using a discovery algorithm that automatically analyzes each port and displays its
type and status. It also allows to know which MAC or IP addresses should be looked for and the
devices connection on the network. Typically the listed ports can be:
• Edge or terminal ports: used to connect the terminal network devices of the network (servers,
workstations, printers, ...);
• Interconnection ports: used to link the network devices between them (the backbone).
Depending on your network devices, some ports can actually be both. Some columns on the
page provide all this information:
• Interco (for interconnection) is purely informative even if you can manually force its value to
Yes, No or Autodetect in the GUI.
• Trunking/Tagging mode provides the actual port type, edge ports are marked Access and
interconnection ports are marked Trunk or Tagged.
NetChange module allows to edit a port and associate it with existing VLANs on your device
(existing by default or that you added). To be able to edit a port, you must meet the following
prerequisites:
1. The SNMP service is configured properly. For more details, refer to the section Managing the
SNMP Service.
2. The SNMP profile used with network devices has a read/write access to interact with the
device(s). For more details, refer to the sections Managing SNMP Profiles and Editing the
SNMP Properties of a Network Device.
3. You have the NetChange license. NetChange-IPL does not provide port edition options. For
more details, refer to the table NetChange licenses differences.
4. The network device on which you edit the port supports MIBs that allow port edition.
Once these prerequisites are met, you can edit your ports. This allows to associate them with
any VLAN on your network or even use them in a tagged or untagged mode and influence their
behavior on the network. As a general rule, when choosing to tag or not a port you should take
into account the following:
• The untagged mode (called Access on Cisco devices) uses the ID of the tagged VLAN the port
is associated with when sending and receiving data. That way packages are identified
throughout the transfer on the network from the sending port to the receiving one. Once the
package is received, the tag number is dismissed, in other words, untagged. This transfer
mode is based on terminal, or edge, ports as packages always reach their destination thanks
to their tag once sent. In the columns VLAN name list and VLAN # list, the untagged/access
VLAN of the port is followed by a star.
• The tagged mode (called Trunk on Cisco devices) uses the ID of the VLANs associated with
the port only when sending packages. The tag identifies the target port. Once the package is
received, the tag number is kept. This transfer mode is based on interconnection ports as it
allows to send out data all over the network.
910
Managing Ports
Browsing Ports
The ports are the second level of organization in NetChange, along with the routes, configurations,
VLANs and addresses.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
Keep in mind that the columns can help you filter the list on specific port settings: Trunking/Tagging
mode, Configured speed, Configured duplex, VLAN name list, VLAN # list, Operating speed,
Operating duplex...
911
Managing Ports
LowerLayerDown
The port is inactive. These statuses are very rare. For more details, refer to the description
NotPresent of the MIB IF-MIB.
Dormant
Unknown The port status is unknown.
Disabled The port was disabled. For more details, refer to the section Enabling or Disabling a Port.
Keep in mind that you should never disable interconnection ports as you take the risk of
losing access to your network device.
To enable/disable a port
1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Tick the port(s) for which you want to change the status.
3. In the menu, select Edit > Port status > Enable or Disable.The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Keep in mind that on some devices, especially Cisco Catalyst, the configuration is not written
after the modification has been done, so if no write configuration command is made through
CLI, modifications can be lost if the switch is reloaded.
NetChange discovery algorithm automatically isolates interconnection ports: they are marked
Yes in the column Interco if the number of discovered items on a port is greater than a defined
limit (4 by default).
The value of the column Interco is merely a way of filtering the ports in the list. However, if a port
interconnection is set to Yes, any MAC address discovered via the port is not logged on the page
912
Managing Ports
Discovered item history. For more details, refer to the section Tracking the Discovered Items
History of a Specific Device.
If you have selected Auto, the value of the Interco column is Yes or No depending on the
interconnection status of the port.
If you have selected Yes or No, the value of the Interco column switches to Yes (forced) or
No (forced) respectively.
Keep in mind that you can only see the speed and duplex changes of active ports. If you edit the
port and speed of an inactive port, the changes are never visible in the GUI.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the drop-down list Speed and duplex mode, select the port <speed> <duplex> of your
choice.
7. If the port can be configured with VLAN tagging, click on NEXT . The last page opens.
913
Managing Ports
8. Click on OK to complete the operation. The report opens and closes. The ports list is visible
again.
Once you edited the port tagging mode, to see your changes in the columns Configured speed
and Configured duplex, you must refresh the device the port belongs to. For more details, refer
to the section Refreshing a Device Manually below.
Prerequisites
• The license NetChange.
• The network device that the port belongs to must support 802.1X authentication.
• 802.1X authentication must be enabled on the device to be managed from the GUI.
• 802.1X authentication must be configured on each port individually.
• 802.1X authentication must be enabled at device level to be enabled at port level. If it is disabled
on the device, the port is configured with it but not used for authentication.
Limitations
• On HP devices, only the HP-DOT1X-EXTENSIONS-MIB is supported.
• On Cisco devices, the interface vlanTrunkPortDynamicState should not be set to auto or desir-
able.
914
Managing Ports
We recommend that you display the column 802.1X on the pages All network devices and All
ports. For more details, refer to the section Customizing the List Layout.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The last page opens.
7. The section Security configuration contains the box 802.1X. It is grayed out if 802.1X au-
thentication is disabled on the device.
a. To enable the 802.1X authentication, tick the box. The page refreshes.
b. To disable the 802.1X authentication, untick the box. The page refreshes.
8. Click on OK to complete the operation. The report opens and closes. The port is marked
Enabled or Disabled in the column 802.1X.
Note that you can enable both 802.1x authentication and port-security on a port, but on HP
devices, if 802.1x is enabled, only the port-security mode 8021xAuthorised is available.
This protocol allows to restrict input to an interface by limiting and identifying MAC addresses
that are allowed to access the port.
By default, the protocol is enabled on the devices that support it and you can enable or disable
it individually on each port.
Prerequisites
• The license NetChange.
• On Cisco devices, the port mode Trunking/Tagging (i.e. switchport) is set to Access or Trunk.
Limitations
• On Cisco devices, only the CISCO-PORT-SECURITY-MIB is supported.
• Only HP devices supporting the HP-ICF-GENERIC-RPTR MIB can be configured.
• On HP devices, if you enable Port-security and 802.1x on a port, only the port-security mode
8021xAuthorised can be configured.
• On HP devices, if you enable Port-security and 802.1x on a port, you cannot limit the number
of MAC addresses that can access the port.
915
Managing Ports
We recommend that you display the columns Port-security on the page All ports to see which
ports support it. For more details, refer to the section Customizing the List Layout.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The last page opens.
7. In the section Security configuration:
a. To enable Port-security, tick the box Port-security. The page refreshes and displays
the fields Mode, Maximum number of secured MAC addresses and/or Action. For more
details, refer to the section Configuring Port-Security Modes on HP or Cisco Devices
and or Limiting the Number of MAC Addresses Allowed to Access a Port.
b. To disable Port-security, untick the box Port-security. The page refreshes, the dedicated
fields are no longer visible.
8. Click on OK to complete the operation. The report opens and closes. The port is marked
Enabled or Disabled in the column Port-security.
We recommend that you display the columns MAC number limit on the page All ports to see
which ports you restricted the access to, by default it contains the value 1. For more details, refer
to the section Customizing the List Layout.
Note that on HP devices you cannot set a maximum number of MAC address on a port configured
both with 802.1x authentication and Port-security, the Port-security mode 8021xAuthorised does
not allow it.
916
Managing Ports
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The last page opens.
7. In the section Security configuration, tick the box Port-security. The page refreshes.
8. If you are editing the port of a HP device, make sure the Port-security Mode selected is either
FirstN or LimitedContinuous.
9. In the field Maximum number of secured MAC addresses, type in the number of MAC ad-
dresses that can access the port. This number depends on your device. By default, Port-
security is configured with 1 MAC address.
To configure an Action for the port once the number of secured MAC addresses exceeds
the one you just set, refer to the section Configuring Port-Security Modes on HP or Cisco
Devices.
10. Click on OK to complete the operation. The report opens and closes. The column MAC
number limit displays the new value.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The last page opens.
7. In the section Security configuration, tick the box Port-security if it is not ticked.
8. In the field Mode, select FirstN, 8021xAuthorized or LimitedContinuous. If the authentication
802.1x is enabled, you can only select 8021xAuthorized.
Note that the mode configureSpecific cannot be selected during the Mode configuration. It
is automatically retrieved and displayed if it is configured on a port you are editing.
9. In the field Action, select disable, sendTrap or sendTrapAndDisablePort.
917
Managing Ports
If you configured a Maximum number of secured MAC addresses, the Action applies to the
extra MAC addresses: it is performed when the number of MAC addresses exceeds the one
you set in the field.
10. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Click on NEXT . The last page opens.
7. In the section Security configuration, tick the box Port-security if it is not ticked.
8. In the field Action, select shutdown, dropNotify or drop.
If you configured a Maximum number of secured MAC addresses, the Action applies to the
extra MAC addresses: it is performed when the number of MAC addresses exceeds the one
you set in the field.
9. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Keep in mind that once you configured the rule and enabled and applied the class to a port, only
the users belonging to a group of users authorized in the rule can edit that port. Even users with
edition permissions on the ports and the proper resources are not allowed to edit the ports con-
figured with the class reserved if they do not belong to an authorized group of users.
918
Managing Ports
Keep in mind that once the rule is configured, its configuration overrides the port permissions set
for any group of users. Even if a group has all the existing ports within its resources and edition
permissions over them, its users are not allowed to edit the ports set with the class reserved if
they are not listed among the Authorized groups.
To add the rule 378 that defines the groups of users allowed to edit reserved ports
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select NetChange.
5. In the drop-down list Event, select Edit: ports properties.
6. In the list Rule, select (378) Ports configuration permission.
7. In the field Rule name, name the rule. That name is listed in the column Instance.
8. In the field Comment, you can type in a comment if you want.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.
11. In the list Available groups, select one by one the group(s) of users that can edit the ports
configured with the class reserved.
12. Click on . The group is moved to the list Authorized groups. Repeat this action for as many
groups as needed.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.
We recommend that you display the column Class on the page All ports to have an overview of
the ports you applied it to. For more details, refer to the section Customizing the List Layout.
919
Managing Ports
Once the class is applied on a port, only users belonging the Authorized groups configured in
the rule can edit the port.
Keep in mind that the untagged/access VLAN tag of a port is followed by a star (*) in the columns
VLAN name list and VLAN # list.
There are different tagging modes available depending on the network device vendor: Cisco or
others.
Cisco devices tagging modes
Cisco devices offer three tagging modes: Trunk (i.e. tagged), Access (i.e. not tagged) and
auto (the port mode is automatically one or the other). Setting a port to Trunk mode sets its
tag encapsulation mode to 802.1Q .
Other vendors tagging modes
Keep in mind that you can only edit a device Trunking/Tagging mode if the SNMP configuration
set at device level allows to retrieve the MIBs.
920
Managing Ports
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the drop-down list Trunking/Tagging mode, select the mode of your choice: Tagged or
Mixed.
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Once you edited the port tagging mode, to see your changes in the column Trunking/Tagging
mode, you must refresh the device the port belongs to. For more details, refer to the section
Refreshing a Device Manually below.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the drop-down list Trunking/Tagging mode, select the mode of your choice: Trunk, Access
or Auto.
If you set the trunking/tagging mode to auto, the 802.1X authentication must be inactive.
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again.
Once you edited the port tagging mode, to see your changes in the column Trunking/Tagging
mode, you must refresh the device the port belongs to. For more details, refer to the section
Refreshing a Device Manually below.
To rapidly see your port/VLAN association, make sure the columns VLAN # list and VLAN name
list are displayed.
To associate a port with an untagged VLAN, its mode must be Access or Auto (on Cisco devices)
or Mixed (on any other device vendor). To edit the port tagging mode, refer to the section Config-
uring the Tagging Mode above.
921
Managing Ports
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the section VLAN addition, the drop-down list Access/Untagged VLAN displays the un-
tagged VLAN associated with your port. Select the VLAN of your choice. By default, the 1 -
default VLAN is selected.
If your port mode is Mixed or Auto, the previously selected VLAN is moved to the list Available
VLANs.
To associate a port with tagged VLANs, its mode must be Trunk or Auto (on Cisco devices) or
Tagged or Mixed (on any other device vendor). To edit the port tagging mode, refer to the section
Configuring the Tagging Mode above.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the section VLAN addition, the field Trunk/Tagged VLAN list displays all the tagged VLANs
associated with your port.
To add tagged VLANs, in the list Available VLANs, select a VLAN and click on , or double-
click on it, to move it to the list Trunk/Tagged VLAN list.
922
Managing Ports
To remove the port association with tagged VLANs, in the list Trunk/Tagged VLAN list, select
a VLAN and click on , or double-click on it, to move it back to the list Available VLANs.
7. Click on OK to complete the operation. The report opens and closes. The VLANs associated
with the port are displayed in the columns VLAN # list and VLAN name list.
Exporting Ports
From the page All ports, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
923
Chapter 63. Managing Configuration
Versioning
You can manage the configuration file versioning of network devices. Versioning allows to auto-
matically save all the changes in the configuration files, and all the revisions of the files are saved
in SOLIDserver backup file. To monitor versioning from NetChange you must:
1. Create a connection profile from the Administration module.
2. Enable versioning and configure the connection profile on the device.
Once configured, all the revisions are listed on the page All configurations, and you can compare
changes on the page Configuration and download entire files or only changes.
Prerequisites
• SOLIDserver with the license NetChange.
• The network device must support versioning, like HP, Cisco, Juniper or Extreme.
• The network device must already be managed from SOLIDserver. To add a network device,
refer to the section Adding Network Devices.
Limitations
• Disabling the configuration files versioning on a device deletes all the configuration file revisions
from the database.
• Configurations files are local. You cannot push them to the network device you manage from
SOLIDserver.
• Configurations files are read-only. You cannot rollback to a former file version.
• On appliances configured in High Availability, the configuration files versioning of your network
devices can only be managed from the Master appliance.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
924
Managing Configuration Versioning
There are 6 columns on the page All configurations that you can sort and filter. By default, all
the columns are displayed on the page, you cannot change their order.
At the end of the line of each revision listed, you can find two links.
Do not hesitate to set up alerts on the page to monitor any changes. For more details, refer to
the chapter Managing Alerts.
For more details regarding downloads, refer to the section Downloading Versioning Information.
To display the latest configuration file from the page All network devices
1. In the sidebar, go to NetChange > Network devices.The page All network devices opens.
2. In the column Revision, click on r.<revision-number>. The page Configuration opens and
displays the latest version of the network device configuration file.
Above the configuration file content, a gray area contains the network device details: its
name, its IP address, and the date and time when the configuration version was saved.
925
Managing Configuration Versioning
Above the configuration file content, a gray area contains the network device details: its
name, its IP address, and the date and time when the configuration version was saved.
By default, the configuration file displays all the passwords in plain text, if you do not want
all the users to see them you can edit a registry database entry to hide them. For more details,
refer to the section Configuring the Passwords Display in the Configuration Files.
Do not hesitate to set up alerts based on these dedicated columns. For more details, refer to the
chapter Managing Alerts.
926
Managing Configuration Versioning
Connection profiles are managed on the page Network devices connection profiles in the
module Administration.
Only from the group admin can add, edit and delete connection profiles.
Keep in mind that one profile can be used for several devices as long as the profile configuration
suits all the devices it is associated with.
927
Managing Configuration Versioning
10. Click on OK to complete the operation. The report opens and closes. The page is visible
again, in the list Network devices connection profiles the new profile is listed as follows:
<profile-name> [PROTOCOL].
Keep in mind that editing a connection profile associated with a device sets its status in the
column Versioning to Yes on the page All network devices.
If you want to delete a connection profile already associated with a network device, you must
edit the network device in question and select another connection profile. For more details, refer
to the section Configuring Versioning on One Device.
When versioning is enabled, you can manage the configuration files versioning from the pages
All configurations, Configuration and All network devices.
928
Managing Configuration Versioning
At any time you can change the connection profile associated with your network device. Follow
the procedure above and select another connection profile.
Once you enabled versioning, the page All configurations allows to display the list of configuration
file revisions and click on a revision number to open that version of the configuration file. To refresh
a configuration files database, compare revisions or download revisions, refer to the dedicated
sections.
At any time you can change the connection profile associated with several network devices.
Follow the procedure above and select another connection profile.
Once you enabled versioning, the page All configurations allows to display the list of configuration
file revisions and click on a revision number to open that version of the configuration file. To refresh
929
Managing Configuration Versioning
a configuration files database, compare revisions or download revisions, refer to the dedicated
sections.
Note that you can limit the refresh and only allow it for network devices which Status is OK. For
more details, refer to the section Limiting Configuration Refresh Based on the Network Device
Status.
Keep in mind that the device parameter SNMP transfer timeout can impact the success of the
refresh. For more details, refer to the section Editing the SNMP Properties of a Network Device.
930
Managing Configuration Versioning
Field Description
Hour Select a frequency (over the whole day or for a limited period of time each day), a set
of hours or a specific hour per day for the refresh.
Date of the month Select a specific day of the month or a frequency (every day) for the refresh.
Month Select a specific month or a frequency (every month) for the refresh.
Day(s) of the week Select a frequency (over the whole week or for a specific set of days) or a specific
day of the week.
5. The box Device data is ticked. This box refreshes the database at the scheduled time but
not the configuration file of the selected network device(s). You can leave it ticked if you
want. For more details, refer to the section Refreshing the Network Devices Database.
6. Tick the box Configuration versioning to retrieve the latest revision of the configuration file
of the selected device(s). This revision is retrieved only if any changes are detected at the
time of the scheduled refresh.
7. Click on OK to complete the operation. The report opens and closes. The page is visible
again. The refresh frequency that you set is displayed in the panel Refresh properties on
the properties page of your network device.
No matter the amount of information displayed, it is displayed as follows: on the left, the oldest
revision where changes are highlighted in orange; on the right, the latest revision where changes
are highlighted in green.
• Previous changes, on the right-end side, allows to compare older revisions of the configuration
file, when possible. It actually compares the oldest revision with the previous revision of the
configuration.
• Next changes, on the right-end side, allows you to navigate between comparisons of two revi-
sions: toward more recent and/or older changes.
• revision <number> , on the right-end side of each file revision allows to open the configuration file
revision on its own, without the changes.
You can compare consecutive revisions of a device configuration file or even non-consecutive
revisions of a configuration file or configuration files from different network devices.
The very first revision available compares an empty file with that revision.
931
Managing Configuration Versioning
The oldest revision is on the left and the latest on the right. Each revision has its own gray
area with the device revision details.
4. You can use the buttons to navigate the revisions changes, display the entire file with the
changes or only the changes or even display only one revision. For more details, refer to
the introduction of the section Comparing Configuration Files.
The oldest revision is on the left and the latest on the right. Each revision has its own gray
area with the device revision details.
6. You can use the buttons to navigate the revisions changes, display the entire file with the
changes or only the changes or even display only one revision. For more details, refer to
the introduction of the section Comparing Configuration Files.
Versioning dedicated logs include: notifications if the device does not support it, if versioning is
enabled/disabled, the new configurations, etc.
932
Managing Configuration Versioning
5. In the column Description, filter the list using the keyword configuration.
The logs indicate when versioning has been enabled or disabled, they include the network
device name and IP address.
From the page Configuration, you can download one revision or the differences between two
compared configuration files. From the page All configurations, you can display an archive file
containing as many configuration file revisions as you need.
Above the configuration file content, a gray area contains the network device details: its
name, its IP address, and the date and time when the configuration version was saved.
3. On the right-end side of the network device details, click on Download and save the file. The
downloaded file is named <device-ip-address>_r<revision-number>.txt.
Keep in mind that the downloaded file only contains the differences between the two revisions,
even if you display the Full diff.
Depending on the revisions you chose to compare, the downloaded file is named <device-
ip-address>_r<oldest-revision>_r<latest-revision>.diff or <device-1-ip>_r<revision-num-
ber>_<device-2-ip>_r<revision-number>.diff.
933
Managing Configuration Versioning
Thanks to a registry database key, you can show or hide all or some of the passwords of the
configuration file. By default, they are all hidden and we strongly recommend leaving it this way.
Table 63.6. The accepted values of the configuration file password display key
Value Description
0 Hide all the passwords in the configuration files. This is the default value.
1 Display only the encrypted passwords of the configuration files, in their encrypted form. All the
non-encrypted passwords are hidden. Setting the key to 1 can be useful to keep track of the
password changes without displaying them.
2 Display all the passwords of the configuration files. Setting the key to 2 is not recommended.
934
Managing Configuration Versioning
Table 63.7. The accepted values of the configuration file refresh key
Value Description
0 Prevent users from refreshing the configuration of network devices which Status is not OK.
1 Allow configuration refresh of network devices no matter their Status. This is the default value.
8. Click on OK to complete the operation. The report opens and closes. The column Value
contains the value you set.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Keep in mind that disabling the configuration files versioning on a device deletes all the
configuration file revisions saved in the database.
935
Managing Configuration Versioning
5. Click on OK to complete the operation. The report opens and closes. In the panel, only the
line Enable configuration versioning remains, it is marked no.
Once disabled, the network device is marked No in the column Versioning on the page All network
devices.
Once disabled, all the network devices selected are marked No in the column Versioning on the
page All network devices.
936
Chapter 64. Managing Addresses
The page All Addresses lists the IP addresses configured for the interfaces of each network
device managed from the page All network devices.
Browsing Addresses
The addresses are the second level of organization in NetChange, along with the routes, VLANs,
ports and configurations.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
937
Managing Addresses
Column Description
Status The interface status: Active or Inactive.
Keep in mind that you can use colored labels to differentiate at a glance IPv6 address containers.
For more details, refer to the chapter Managing IPv6 Labels.
938
Chapter 65. Managing Discovered Items
The discovered items are devices connected to NetChange network devices. Usually these items
are edge devices, like workstations, servers, printers and so on. All these devices are identified
through their MAC address.
Discovered items are automatically retrieved from NetChange devices after each discovery and
put in the history. They can be discovered through many types of interface such as physical
ethernet interfaces, virtual aggregated interfaces, VLAN interfaces or loopbacks.
The page All discovered items provides detailed information on where a device IP or MAC address
has been connected to the network, when it connected, which device port was used, in which
VLAN etc.
ROUTE
VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT
CONFIG
VLANADDRESS
One MAC address can be listed multiple times. It is listed for each unique IPv4 and/or IPv6 address
associated with the discovered item.
The discovered items do not have a properties page, all the information is displayed on the page.
939
Managing Discovered Items
Some columns on the page provide specific information regarding the discovered items:
The column First seen allows to display the time and date that the discovered items have ever
been seen connected to a port, VLAN or network device. Retrieving that information can lower
NetChange performances, which is why by default it is disabled.
To enable the retrieval of the data displayed in the column First seen, you must add a dedicated
key in the registry database and reboot SOLIDserver.
940
Managing Discovered Items
b. In the section Expert, click on Registry database. The page Registry database opens.
c. In the menu, click on Add. The wizard Registry database Add an item opens.
d. In the field Name, type in module.iplocator.activate_first_seen .
e. In the field Value, type in 1 to enable the data retrieval.
f. Click on OK to complete the operation. The report opens and closes. The key is listed.
2. Reboot SOLIDserver
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Maintenance, click on Reboot SOLIDserver.The wizard Reboot the system
opens.
c. Click on OK to complete the operation. You are logged out, the login page details the
progression until the connection is lost.
d. Refresh the page until the login page appears.
Once the reboot is complete and the login page is visible again, log in and go to the page
All discovered items. In the column First seen, all the information available is displayed.
To refresh manually or schedule the refresh of a network device and all its discovered items,
refer to the section Refreshing the Network Devices Database.
For more details, refer to the section Automatically Adding Discovered Items in Device Manager.
To successfully create IP addresses in the IPAM from NetChange, make sure that:
1. The IP address of the discovered item is actually retrieved and displayed. It might not be
available if the router has not found any equivalence between the MAC and IP address, neither
from the equipment nor from the DHCP.
941
Managing Discovered Items
2. The IP address of the discovered item is available in the IPAM. The option allows to:
• Select a Target space, either the same space as the one set for the network device managing
your item or another space, as long as this space contains a terminal network with free ad-
dresses that you can assign to your discovered items. For more details regarding the space
selection at network level, refer to the section Adding Network Devices.
• Tick the box Use best space to automatically find a space that can receive the discovered
item in the smallest terminal network available.
All MAC addresses discovered prior to the period you set are removed from the page and only
available on the page Discovered items history. For more details, refer to the section Tracking
the Discovered Items History of a Specific Device.
Note that you can also configure or refine the purge frequency via the rule 008, for more details
refer to the section Keeping NetChange Data Up-to-date.
942
Managing Discovered Items
That way, using a MAC address, you can see the different IP addresses an edge device had, at
different periods of time, which switch and port it was connected and which VLAN it belonged to.
This function also allows to track laptops on the network and see on which switches and ports
they have been successively connected to.
To manage the columns display, refer to the section Customizing the Display on the Page All
Discovered Items.
To limit the number of discovered items saved in the history, you can configure and enable a rule
dedicated to purging the NetChange database, including discovered items. For more details,
refer to the section Keeping NetChange Data Up-to-date.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
943
Chapter 66. Managing Statistics
NetChange can provide a set of specific statistics. These statistics are all displayed as pie and
bar charts that can present vendors, speed, usage, etc.
In addition to these holistic charts, NetChange provides specific charts on the network devices
and port properties pages.
944
Managing Statistics
The charts contain In and Out parameters. To better understand them, refer to the table below.
945
Chapter 67. Monitoring and Tuning
NetChange offers a set of options to monitor and tune your network devices and discovered
items.
For more details regarding the reports and their generation, refer to the section Managing Reports.
The choice of periodicity depends completely on your environment and what you intend to do
with NetChange, you may need to have a history of all movements (so you might need to purge
the database every month or trimester) or you may only need the most relevant data when
looking for a host (so you might want to purge every week).
To configure the purge frequency of the data listed on the page All discovered items, you should
edit the rule 008.
To configure and enable the rule 008 that purges NetChange History
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule # search field, type in 008. The rule Purge NetChange history is listed.
4. Configure the rule
a. In the column Instance, click on iplocator_cron_purge_history. The rule properties page
opens.
b. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
c. Click on NEXT . The page Rule filters appears.
d. If you want to schedule the purge, configure the fields according to the table below:
946
Monitoring and Tuning
Field Description
Month Select a month.
Hour Select a specific time or one of the available schedules.
Minute Select a period of time, minutes-wise.
f. Click on OK to complete the operation. The report open and closes. The rule properties
page is visible again.
5. Enable the rule
a. Tick the rule 008 and, in the menu, select Edit > Enable. The wizard Enable opens.
b. Click on OK to complete the operation. The wizard closes, the page refreshes.The rule
is Enabled.
947
Monitoring and Tuning
Once the rule is configured, you have to enable it. Before following the procedure below, check
in the column Status if the rule is marked Disabled or OK (i.e. It is enabled). Note that if you enable
the rule before configuring it, no action is performed for lack of specifications (without a path toward
a CSV file the options were configured with no file to perform them on).
To customize the network devices Type, users with administrative rights over SSH connections
to SOLIDserver must:
1. Create a file <vendor-id>.inc for each vendor and place it in the directory /data1/etc/netchange/
You need one file per vendor that includes all the devices you need, the device Vendor ID is
displayed in the column System OID.
2. Add a line per device that includes its OID and the information to display in the column in json
format.
Note that first part of all devices OID .1.3.6.1.4.1. is already taken into account, so you only
need to specify the device OID from vendor to device.
For instance, to customize the type of Cisco Nexus 6004 devices, you can create a file 9.inc,
9 being Cisco's vendor ID, containing the following information:
948
Monitoring and Tuning
{
"9.12.3.1.3.1237": { "model": "Nexus 6004 Switches in the US"}
{
The column Type now displays Cisco Nexus 6004 Switches in the US instead of Cisco Nexus
6004.
When the refresh is over, a report might appear and list the created IP addresses (Notice)
and existing ones (Error). This list only regards the device addition or import in the se-
lected Target space. You can download this report in the format of your choice: TEXT ,
HTML or EXCEL .
f. Click on CLOSE to go back to the page All network devices. The page refreshes.
In the column Type, the information regarding the device(s) matching the OID you
specified in the files are updated.
949
Part XII. Workflow
The Workflow is a request-based module allowing standard users to ask for changes in the IPAM and DNS:
• DNS zones addition, edition or deletion.
• IPAM non-terminal networks addition, edition or deletion. These can be block-type or subnet-type net-
works.
• IPAM terminal networks addition, edition or deletion.
• IPAM pools addition, edition or deletion.
• IPAM IP addresses addition, edition or deletion.
Keep in mind that to use the Workflow at the best of its potential you must:
1. Grant sufficient rights to requestors and request managers: the group they belong to needs to be
granted the appropriate IPAM, DNS and/or Workflow rights. For more details, refer to the section Managing
the Rights of a Group of Users in the chapter Managing Groups.
2. Grant users access to request classes, the existing classes or the ones you created. For more details,
refer to the chapter Granting Access to Workflow Classes.
3. Customize the page Incoming requests if need be. For more details, refer to the chapter Customizing
the Requests Administration.
4. Grant relevant users access to the Workflow pages, that way they can create or deal with the requests.
5. Executing the action required in the requests if they are accepted.
Note that from the module Dashboards, you can gather gadgets and charts on Workflow dashboard to
monitor the module data or set up custom shortcuts and search engines. For more details, refer to the part
Dashboards.
Table of Contents
68. Granting Access to Workflow Classes ....................................................................... 952
69. Managing Outgoing Requests .................................................................................. 953
Browsing Outgoing Requests ................................................................................. 953
Adding Requests for Creation ................................................................................ 953
Adding Requests for Edition ................................................................................... 955
Adding Requests for Deletion ................................................................................. 956
Editing Requests ................................................................................................... 958
Exporting Outgoing Requests ................................................................................ 959
Canceling Requests .............................................................................................. 959
70. Managing Incoming Requests .................................................................................. 961
Browsing Incoming Requests ................................................................................. 961
Managing the Requests Content ............................................................................ 961
Administrating Requests Using the Default Statuses and Options ............................. 962
Administrating Requests Using Your Own Settings .................................................. 965
Exporting Incoming Requests ................................................................................ 965
71. Executing Requests ................................................................................................. 966
Executing Requests Using the Execute Option ........................................................ 966
Executing Requests Using Classes ........................................................................ 967
72. Customizing the Requests Administration .................................................................. 970
Editing the Workflow Statuses ................................................................................ 971
Editing the Email Notification Details ...................................................................... 973
Adding a Workflow Status ...................................................................................... 974
Customized Statuses Best Practices ...................................................................... 975
951
Chapter 68. Granting Access to Workflow
Classes
As every request is based on a specific Workflow class, users need to be granted access to the
relevant ones. That way, they can select a class when adding a request and fill in the fields
defined through the class.
There are five classes dedicated to Workflow requests. They define all the required fields when
asking for the addition, edition or deletion of the object they are named after:
• request_dns_zone is dedicated to requests regarding DNS zones.
• request_ip_block is dedicated to requests regarding IPv4 non-terminal networks, block-type
or subnet-type.
• request_ip_subnet is dedicated to requests regarding IPv4 terminal networks.
• request_ip_pool is dedicated to requests regarding IPv4 pools.
• request_ip_address is dedicated to requests regarding IPv4 addresses.
The users that do not have access to Workflow request classes are not able to properly complete
the request addition wizard: the request addition wizard is still available, but it is impossible to
define the needed containers or resources to apply the requested changes to.
Obviously, you can add your own Workflow request classes. These classes must be dedicated
to the Module Workflow and the Type Request. For more details, refer to the chapter Configuring
Classes.
Keep in mind that in this case, the Execute option is not available in the page Incoming requests.
For more details, refer to the section Executing Requests Using the Execute Option.
Once the classes of your choice are part of the resources of a group, its users can choose from
one of them when requesting the addition, edition or deletion of objects in the DNS or IPAM
database.
1
Any group EXCEPT the admin group as, by default, it has authority over all the resources of SOLIDserver database.
952
Chapter 69. Managing Outgoing
Requests
From the page Outgoing requests, users with sufficient Workflow rights can:
• Add requests for addition/edition/deletion.
• Edit the requests they created.
• Cancel the requests they created.
The requests management respects the groups hierarchy by default. Therefore, once created if
the user belongs to a group that has a parent group, then by default the request can be dealt
with by all the users of the parent group as well as the users of the group admin. If the users
want the request to be dealt with by specific users, they can set a managing group when creating
or editing the request.
953
Managing Outgoing Requests
Reminder
To add a DNS zone creation request, the group of the user must have at least been granted
the following rights:
• In the panel Workflow, all the rights that suit your needs
• In the panel DNS, the right Display: DNS servers list.
To add a DNS zone creation request, the group of the user must include among its resources:
• At least one server to grant access to all the objects it contains.
13. Click on OK to complete the operation. The report opens and closes. The request is listed
and marked as New in the column Status.
On the request properties page, the Main properties and Request parameters sum up the request
details.
954
Managing Outgoing Requests
The edition request only applies to the values that you can usually edit in each module, so:
• You cannot ask for the edition of anything configured for DNS zones.
• You can only ask for the edition of the name of the networks, pools and addresses.
To add an IPv4 address edition request, the group of the user must have at least been
granted the following rights:
• In the panel Workflow, all the rights that suit your needs
• In the panel IPAM, the right Display: spaces list.
To add an IPv4 address edition request, the group of the user must include among its re-
sources:
• At least one space, which grants access to all the objects it contains.
955
Managing Outgoing Requests
Parameter Description
Yes You can select an existing group of users to manage your request. Once the
option is selected, the drop-down list Managing group appears.
Managing group Select an existing group. This action allows the request managers of the group
to accept the request and deal with it, or deny it.
15. Click on OK to complete the operation. The report opens and closes. The request is listed.
It is marked New in the column Status and Modified in the column Action.
On the request properties page, the Main properties and Request parameters sum up the request
details.
Note that to the class request_ip_block applies to non-terminal networks of both subnet and block
type.
Reminder
To create a terminal network deletion request, the group of the user must have at least been
granted the following rights:
• In the panel Workflow, all the rights that suit your needs
• In the panel IPAM, the right Display: spaces list.
To edit an IP address related request, the group of the user must include among its resources:
• At least one space to grant access to all the objects it contains.
956
Managing Outgoing Requests
10. In the field Motivation, type in a text or a maximum of 3000 characters explaining the reason
for the network deletion request.
11. Click on NEXT . The last page opens.
12. If you want, you can select a group to manage your request as described in the table below.
Otherwise, users of the group admin can manage it.
13. Click on OK to complete the operation. The report opens and closes. The request is listed.
It is marked New in the column Status and Delete in the column Action.
On the request properties page, the Main properties and Request parameters sum up the request
details.
It automatically creates a request in the Workflow using the default class request_ip_subnet for
terminal networks or request_ip_block for non-terminal networks (block-type or subnet-type).
Reminder
To add a network deletion request, the group of the user must have at least been granted
the following rights:
• In the panel Workflow, all the rights that suit your needs.
• In the panel IPAM, the right Display: spaces list.
To edit an IP address related request, the group of the user must include among its resources:
• At least one space to grant access to all the objects it contains.
957
Managing Outgoing Requests
5. In the drop-down list Source, select a group if you belong to several groups. If you only belong
to one group, it is automatically selected. The managing group of the selected group handles
the request.
6. Click on OK to complete the operation. The report opens and closes.
7. In the sidebar, go to Workflow > Outgoing requests. The request is listed. It is marked
New in the column Status and Delete in the column Action.
Editing Requests
Once you created a request, you can edit its details or provide additional information via a note
and/or file upload.
Uploading a File
Requestors can add up to 10 files to their request. They cannot upload more than 5 Mb of files.
958
Managing Outgoing Requests
6. Once selected, it is displayed in the fields File name and Final value.
7. Click on to add the file to the list Attached files. Repeat these actions for as many files
as you want.
8. Click on OK to complete the operation. The report opens and closes. The panel Upload file
contains the file(s).
Adding a note
Requestors can add notes to their request in addition to the Motivation expressed when creating
the request.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Canceling Requests
At any time, you can cancel a request you created. By default, this action is only possible is the
request status is New. Once it is handled or accepted, you can no longer cancel it.
Once canceled, you no longer see it on the page, only request managers can still see it.
To cancel a request
1. In the sidebar, go to Workflow > Outgoing requests.The page Outgoing requests opens.
2. Tick the request you want to cancel.
3. In the menu, select Edit > Cancel. The wizard Status edition opens.
4. In the field Enter a note, you can type in a text of 3000 characters at most, explaining why
you want the request canceled.
5. Click on OK to complete the operation. The report opens and displays the cancellation report
status.
959
Managing Outgoing Requests
6. You can click on CSV (DATA) , TEXT , HTML or EXCEL to download the cancellation report in the
corresponding format.
7. Click on CLOSE to go back to the page Outgoing requests. The request is no longer listed.
960
Chapter 70. Managing Incoming
Requests
From the page Incoming requests, administrators or request managers can:
1. Deal with pending requests using the default options of the menu Edit: handle, edit, execute,
reject, finish and finally delete the requests.
2. Deal with pending requests using custom options. The available options would then depend
on the administrator configuration and intern use of the module.
Keep in mind that by request managers, we mean users belonging to a group with sufficient rights
and resources. Make sure they belong to a group configured with:
• All the Workflow rights, to be able to manage the requests completely.
• All the DNS and IPAM objects that regular users can create requests for among the group re-
sources.
• All the relevant IPAM and DNS rights that allow them to comply with the request.
On the request properties page are displayed all the request details as well as the requestor
notes and uploaded files. In the Request history are listed all the administrators and request
managers notes added when editing the request status.
961
Managing Incoming Requests
To display notes
1. In the sidebar, go to Workflow > Outgoing requests.The page Outgoing requests opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The request properties page opens.
4. In the panel Note, all the notes are displayed under the Date and User. You can scroll down
if there are several notes.
The administrators and request managers can also add notes and upload files. For more details,
refer to the section Adding Information to a Request.
Every time a request status is edited, it sends an email to the user who requested it to inform
them of the request evolution. Therefore, make sure your requesting users profile is set up
properly. For more details, refer to the chapter Managing Users.
Only the Archive option does not correspond to any status as it basically deletes the request from
the page and stores it on the page Local files listing.
By default, the requests managers can set these statuses as long as they respect the following:
• New requests can be handled, accepted, rejected and canceled.
962
Managing Incoming Requests
Using the default options and statuses is useful as it allows to use the Execute option. This option
allows to execute a request from the Incoming requests directly. For more details, refer to the
section Executing Requests Using the Execute Option.
Handling Requests
The request managers and administrators can at any point handle New requests.
To handle a request
1. In the sidebar, go to Workflow > Incoming requests.The page Incoming requests opens.
2. Tick the request(s) you want to handle.
3. In the menu, select Edit > Handle. The wizard Status edition opens.
4. In the field Enter a note, you can type in a reason for accepting or the user performing the
task. This text is available on the request properties page, in the Request history panel.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.
Accepting Requests
The request managers and administrators can, at any point, accept New and Handled requests.
To accept a request
1. In the sidebar, go to Workflow > Incoming requests.The page Incoming requests opens.
2. Tick the request(s) you want to accept.
3. In the menu, select Edit > Accept. The wizard Status edition opens.
4. In the field Enter a note, you can type in a reason for accepting or the user performing the
task. This text is available on the request properties page, in the Request history panel.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.
Rejecting Requests
The request managers and administrators can at any point reject New and Handled requests.
To reject a request
1. In the sidebar, go to Workflow > Incoming requests.The page Incoming requests opens.
2. Tick the request(s) you want to reject.
963
Managing Incoming Requests
3. In the menu, select Edit > Reject. The wizard Status edition opens.
4. In the field Enter a note, you can type in a reason for accepting or the user performing the
task. This text is available on the request properties page Request history module.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.
Finishing Requests
Once the request has been dealt with, when the object has been added, edited or deleted, the
request managers and administrators can set the requests to Finished.
To finish a request
1. In the sidebar, go to Workflow > Incoming requests.The page Incoming requests opens.
2. Tick the request(s) you want to finish.
3. In the menu, select Edit > Finish. The wizard Status edition opens.
4. In the field Enter a note, you can type in a reason for accepting or the user performing the
task. This text is available on the request properties page Request history module.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.
Archiving Requests
Archiving a request actually means moving it to the Local Files Listing. This means that it is no
longer listed on the Incoming requests and Outgoing request pages.
Archiving a request is useful for requests that have been dealt with, have been canceled or that
were rejected. In any of these cases, once the requesting user has been informed, it is probably
useless to keep the request in the list.
The request managers and administrators can archive Canceled, Rejected and Finished requests.
To archive a request
1. In the sidebar, go to Workflow > Incoming requests.The page Incoming requests opens.
2. Tick the request(s) you want to remove from the list.
3. In the menu, select Edit > Archive. The wizard Status edition opens.
4. In the field Local file name, type in the name of the .txt file that contains the request details
following the format <file-name>.txt .
By default, the file is saved in the directory /data1/exports but you can save it in an existing
sub-directory of /data1 if you want: specify the subdirectory name following the syntax <sub-
directory-name>/<file-name>.txt .
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.
964
Managing Incoming Requests
Once you customized these entries, the restrictions detailed in the section Administrating Requests
Using the Default Statuses and Options might not apply anymore. However, requests managers
and administrators may still rely on the procedures detailed in said section to administer the re-
quests from the page Incoming requests.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
965
Chapter 71. Executing Requests
There are different ways of executing requests:
1. Use the Execute option from the page Incoming requests if you are using the Workflow default
classes. For more details regarding this option, refer to the section Executing Requests Using
the Execute Option.
2. Use classes to integrate the requests to the addition, edition or deletion wizard. This method
can be used if you use the default Workflow classes or if you use customized ones. For more
details, refer to the section Executing Requests Using Classes.
3. Go to the IPAM or DNS module and add, edit or delete the requested objects and change the
status to Finished once the request was executed.
If the request demands a network addition, the wizard skips the network type selection page
and directly creates the relevant network.
6. If need be, you can fill in the optional object details fields and configure advanced properties.
Click on NEXT . The Workflow dedicated page opens.
7. In the drop-down list Request, the request you are executing is selected by default. The list
can contain other request numbers if other requests for addition of a similar resource were
created.
8. Under this field, the fields Requested <object> name and Requestor motivation contain the
request original details as a reminder.
9. The requests for IP address addition have an extra page: the page Aliases configuration.
You can add aliases if need be. Then click on NEXT to display the last page of the wizard.
10. Click on OK to complete the operation. The report opens and closes. The request status is
now Finished, the object is now created.
966
Executing Requests
4. Depending on the classes configured you might have class dedicated pages. Select a class
or none and click on NEXT .
5. On the object edition page, the object name and details are in a gray field as a reminder.
6. If need be, you can fill in the optional object details fields and configure default parameters.
Click on NEXT . The Workflow dedicated page opens.
7. In the drop-down list Request, the request you are executing is selected by default. The list
can contain other request numbers if other requests for edition of a similar resource were
created.
8. Under this field, the fields Requested <object> name and Requestor motivation contain the
request original details as a reminder.
9. The requests for IP address edition have an extra page: the page Aliases configuration. You
can add aliases if need be. Then click on NEXT to display the last page of the wizard.
10. Click on OK to complete the operation. The report opens and closes. The request status is
now Finished, the object is now edited.
Once the request is executed, the requestor receives a notification email. The administrator or
request manager can archive the request. For more details, refer to the section Archiving Requests.
On the request properties pages, in the panel Attached objects, are listed all the object configur-
ation details if the request concerned an addition or an edition. For instance, if a specific class
or default parameters were set by the administrator or request manager.
967
Executing Requests
If you do not already use a class for which you would like to add the Pre-defined variable, create
a class. Otherwise, directly follow the procedure To add a Workflow request association pre-
defined variable.
Once the class is configured, you can apply it from the DNS and/or IPAM module to automate
the addition or edition of objects.
968
Executing Requests
Once the request is executed, the requestor receives a notification email. The administrator or
request manager can archive the request. For more details, refer to the section Archiving Requests.
969
Chapter 72. Customizing the Requests
Administration
Depending on your needs, you can entirely customize the menu Edit of the page Incoming requests
as well as the restrictions associated with the status edition. As detailed in the section Adminis-
trating Requests Using the Default Statuses and Options, you cannot set all the statuses to the
requests as you please. As you can see in the image below.
1 New
2 Handle
Request
3 Accept execution 4 Reject 5 Cancel
6 Finish
Archive
These default edition restrictions are all set in the registry database. The default configuration of
the Workflow in the registry database is the following:
970
Customizing the Requests
Administration
You can edit default statuses, remove default statuses from the GUI and add new statuses.
Whatever the customization you have in mind, we recommend that you take into consideration
the section Customized Statuses Best Practices.
Whether you decide to edit an existing status or hide it from the GUI, to make sure the request
cycle is complete, we recommend that you follow, the sections Status Edition Best Practices and
Status Deletion Best Practices.
The Workflow configuration entries are all named module.workflow.state<detail>. There are
seven entries dedicated to the default statuses.
1. module.workflow.state.accept .
2. module.workflow.state.archive .
3. module.workflow.state.cancel .
4. module.workflow.state.finish .
5. module.workflow.state.handle .
6. module.workflow.state.new .
7. module.workflow.state.reject .
971
Customizing the Requests
Administration
Each entry is important as it sets the permissions and restrictions related to the status. The status
key value is a string in which the order matters. They must be separated by a coma as follows:
<page>, <icon>, <visibility>, <callback>, <attribute_1, attribute_2, ..., attribute_n> .
In this example, the Accept status is displayed (t) on the page Incoming requests (incoming) and
is preceded by the green icon. Any user with sufficient rights can accept New requests (new-
target) and only the request manager who Handled or Rejected the request can accept it (accept-
operator, reject-operator).
Each element of the string has a set of acceptable values that define the request status logic and
organization that suits your needs:
Page
incoming specifies that the status is available on the page Incoming requests.
outgoing specifies that the status is available on the page Outgoing requests.
Icon
wf-archive does not display any icon as archiving means removing the request from the list.
972
Customizing the Requests
Administration
Visibility
t stands for true and indicates that the status is available in the menu Edit of the specified
<page>.
f stands for false and indicates that the status is not displayed in the menu Edit of the specified
<page>.
Callback parameters
This parameter is obsolete. You can find in the keys the values: callback, nocallback,
archive_callback and cancel_callback. Do not edit them, they are part of the string.
Attributes
This last part of the string sets which user can set the status described in the string. This
permission depends on who set the previous status: the user who set the status listed can
now set the status described in the string.
The permissions structure follows the format: <action>-<user> in which action can be: accept,
archive, cancel, finish, handle, new and reject, each one corresponds to the default
statuses.
Therefore, only the users specified in the field Value of the status entry can set the status
described and only if the previously set one of the statuses associated with their <user>
name.
The default configuration sends an email to the requestors whenever the status request they
created is edited. This is why, by default, it contains new,handle,accept,reject,finish .
The requestors only receive an email if their User profile was set properly. For more details, refer
to the chapter Managing Users in the section Adding Users or Editing Users.
973
Customizing the Requests
Administration
974
Customizing the Requests
Administration
c. Click on OK to complete the operation. The report opens and works for a while. A noti-
fication pop-up appears in the lower right corner of the GUI when the operation is over.
Once the entry is created and registered, the new status is visible in the menu Edit of the selected
page as followed: rq_<your-status-name>. Once you attributed the status to a request, the request
Status is rq_in_<your-status-name>. You can translate both using the page Language editor.
1
This example is only valid if you still use the default statuses cycle.
975
Customizing the Requests
Administration
• Once you edited the registry database entries the Execute option still only applies to New,
Handled and Accepted requests. For more details, refer to the section Executing Requests
Using the Execute Option.
• The restrictions detailed in the Administrating Requests Using the Default Statuses and Options
no longer apply to your request status cycle.
• The request execution automation using the pre-defined variables class objects can still be
configured. For more details, refer to the section Executing Requests Using Classes.
976
Part XIII. Device Manager
Device Manager provides an overview of all the equipment on your network. Relying on both manual and
automatic management options, it helps to piece together the data registered in the modules NetChange,
IPAM, DHCP and DNS to map out the device interactions and their connections through interfaces and
ports. It allows to organize devices and their content.
Hostname: local.computer
MAC address: a0:12:34:56:78:90
NetChange DHCP
Note that all the data saved in Device Manager is never deleted, unless you decide to delete it. Therefore
you can save a lot of information regarding users or pieces of equipment through their MAC address or IP
address without impacting the other modules.
Note that from the module Dashboards, you can gather gadgets and charts on Device Manager dashboard
to monitor the module data or set up custom shortcuts and search engines. For more details, refer to the
part Dashboards.
Table of Contents
73. Managing Devices ................................................................................................... 979
Browsing Devices .................................................................................................. 979
Adding Devices ..................................................................................................... 980
Editing Devices ..................................................................................................... 985
Duplicating Devices ............................................................................................... 986
Merging Devices ................................................................................................... 986
Adding Devices from the IPAM ............................................................................... 986
Exporting Devices ................................................................................................. 987
Deleting Devices ................................................................................................... 987
74. Managing Ports and Interfaces ................................................................................. 988
Browsing Ports and Interfaces ................................................................................ 988
Adding Ports and Interfaces ................................................................................... 989
Editing Ports and Interfaces Properties ................................................................... 996
Tracking Changes on the Page All ports & interfaces ............................................. 1000
Updating Ports and Interfaces from the IPAM ........................................................ 1001
Exporting Ports and Interfaces ............................................................................. 1001
Deleting Ports and Interfaces ............................................................................... 1001
75. Managing the Interaction with the IPAM ................................................................... 1003
Assigning IP Addresses to an Interface Using their MAC Address ........................... 1003
Managing the IP Addresses / Interfaces Link from the IPAM ................................... 1005
76. Rules Impacting Device Manager ............................................................................ 1008
DHCP Rules Impacting Device Manager ............................................................... 1008
Adding Device Manager Rules ............................................................................. 1008
Enabling or Disabling Device Manager Rules ........................................................ 1009
978
Chapter 73. Managing Devices
The devices are managed from the page All devices, where any device on the network can be
managed (network devices, computers, virtual machines...) and uniquely identified based on the
ports or interfaces it manages.
You can add them manually or automatically retrieve them. Devices can contain interfaces and/or
ports, depending on the discovered MAC and IP addresses.
You can merge devices, duplicate them, edit their content or delete them. You cannot rename
them.
Browsing Devices
Within the module Device Manager, the devices are the highest level of the hierarchy. It is required
to create devices to manage ports and interfaces.
INTERFACE
DEVICE
PORT
Keep in mind that a set of columns provides an overview of the devices interfaces and ports
content:
• Interfaces usage and Ports usage: the total portion, in percent of used interfaces/ports on a
device, along with a progression bar,
• Number of Interfaces and Number of Ports: the total number of interfaces/ports on the device,
• Free Interfaces and Free Ports: the number of available interfaces/ports on the device.
Note that the data listed in the column IP Address can be sorted but not filtered. It only retrieves
and displays the IP address of all the interfaces of the device.
979
Managing Devices
The option Manage allows to manage or unmanage the device of your choice, whether you added
it yourself or it was Imported from another module.
Keep in mind that you cannot unmanage a device associated with an IP address of the IPAM.
To manage/unmanage devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Tick the device(s) of your choice.
3. In the menu, select Edit > Manage > Yes or No. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The device is marked
Unmanaged or Managed in the column Status.
Adding Devices
You can add devices manually or automatically from several modules.
Before adding any device, we recommend Configuring Device Manager to make sure the data
listed is consistent with the equipment configuration of your network.
Once added, you can decide which devices you want to display and deal with on the page All
devices. For more details, refer to the section Managing the Devices Visibility.
Keep in mind that Device Manager does not delete on its own the entries that you might delete
in other modules. In that way, it provides an overview of former devices. To delete devices and
their content refer to the section Deleting Devices.
Note that you can also import devices on the page All devices. From then on, you can add or
import the ports and interfaces it contains and organize your network as you please. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.
We recommend configuring Device Manager before managing any device, port and interface
because it compares the information of the other modules with what is listed in Device Manager.
On the page All ports & interfaces of each device, the columns Manually linked to and Automat-
ically linked to identify how the devices are linked together. If the column Manually linked to is
empty, configuring Device Manager overwrites its content with the information collected during
the automatic addition. This ensures that the data listed reflects the interaction between the
devices on your network.
This option has to be ticked once. Afterward, a data check is performed each time a port or inter-
face is added or edited.
980
Managing Devices
Once you retrieved data automatically, you should monitor the column Reconciliation on the
page All ports & interfaces to prevent any drift. For more details, refer to the section Tracking
Changes on the Page All ports & interfaces.
Note that you can also import devices on the page All devices. From then on, you can add or
import the ports and interfaces it contains and organize your network as you please. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.
After Configuring Device Manager, you can execute the option automatic discovery from the
page All devices.
The option Automatic discovery performs a sweep of the other modules data and retrieves all
the devices along with the ports and interfaces they contain. The option analyzes data in the
modules NetChange, DHCP, IPAM and DNS. The more information there is in these modules,
the more efficient is the option as it behaves as follows:
1. It retrieves NetChange data: network devices, ports and discovered items. The MAC ad-
dresses linked to the ports that have the interconnection set to No become interfaces in Device
Manager. The discovered items DNS name is retrieved as well, the IP address is only retrieved
if it is part of the IPAM. NetChange network devices can be managed as several devices in
Device Manager depending on their content.
Note that if several ports in NetChange are linked to one MAC address, the option retrieves
all the ports and the MAC address but randomly links it to one of the ports.
2. It retrieves the names of the devices, ports and interfaces if the information is available in
the modules NetChange, IPAM, DHCP or DNS:
a. In NetChange, on the page All discovered items, the option retrieves all the MAC addresses,
DNS names and IP addresses, only if they are part of the IPAM database.
If the MAC addresses retrieved have a DNS name, the option stops here.
If the MAC addresses do not have a DNS name, the option looks for it in the IPAM.
b. In the IPAM, on the page All addresses, the option tries to match the collected MAC ad-
dresses with a name, using the available IPv4 and IPv6 addresses.
If a name is found for the MAC addresses, the option stops here.
981
Managing Devices
c. In the DHCP, on the page All statics, the option tries to match the collected MAC addresses
with a name, using the available IPv4 statics and statics without IP.
If a name is found for the MAC addresses, the option stops here.
If no name is found, Device Manager assigns the relevant MAC and IP addresses a name
based on the information collected in all four modules.
3. It assigns a name to:
a. Devices
In Device Manager, the name of devices, including network devices, depends on their
content.
• Network devices that contain one or several ports keep their NetChange name and only
manage ports. The interfaces are managed in a different device.
• Devices which IP address is declared in an A record of the DNS are listed under that
name in Device Manager.
• Network devices hosting the MAC address of one virtual machine, are named using the
hostname of the virtual machine.
• Network devices hosting the MAC address of several virtual machines are named
1
vm_server_# .
• Devices hosting an interface from which few information was retrieved are named gener-
ic_#.
b. Ports
All interfaces are named according to the port they are linked to. When a MAC address has
a name, this name is used to name the device it belongs to.
• Interfaces linked to an ethernet port are named eth#, where # differentiates the interfaces
belonging to one device.
• Interfaces linked to a wifi port are named wifi#.
• Interfaces linked to a virtual port are named vm_interface_#.
• Interfaces from which few information - except the MAC address - was retrieved are
named generic_#.
1
# is a number used to differentiate all these devices.
982
Managing Devices
2. In the menu, select Tools > Automatic Discovery. The wizard Automatic discovery
opens.
3. Click on OK to complete the operation. The report opens and closes. In the column Status,
the devices are marked Imported and you can manually manage and edit the devices,
ports and interfaces.
Keep in mind that the automatic discovery retrieves data but does not automatically update
it, if you delete data or make changes in NetChange, you must make the same changes in Device
Manager.
If the automatic discovery created more devices that your need, you can merge devices to reor-
ganize the data as you need. For more details, refer to the section Merging Devices.
From the NetChange pages All network devices and All discovered items you can select objects
to create devices, with the ports and interfaces they contain, in Device Manager.
After Configuring Device Manager, you can use the option Create in Device Manager on the
page All network devices to select network devices and create them in Device Manager. It takes
into account the information available on the pages All network devices, All ports and All discovered
items and behaves as follows:
1. The device is created in Device Manager, it keeps the same name and contains all the network
device ports, no matter their interconnection configuration.
2. The interfaces (discovered items) of the device are retrieved and based on the MAC address:
a. If the MAC address has a DNS name, a device is created using that name. The interface
2
is named eth# .
b. If the MAC address has no DNS name, a device is created, it is named generic_#. It contains
the MAC address, it is named eth#.
If the option creates more devices that your need, you can merge devices to reorganize the data
as you need. For more details, refer to the section Merging Devices.
After Configuring Device Manager, you can use the option Populate Device Manager on the
page All discovered items to create interfaces from the discovered item of your choice. The MAC
addresses selected create interfaces and devices as follows:
2
# differentiates interfaces within one device.
983
Managing Devices
3
• If the selected MAC address has a DNS name, it creates an interface named generic_# that
belongs to a device named using the DNS name.
• If the selected MAC address has no DNS name, it creates an interface named generic_# that
belongs to a device named generic_#.
If the option creates more devices that your need, you can merge devices to reorganize the data
as you need. For more details, refer to the section Merging Devices.
From the IPAM page All addresses you can automatically add devices managing interfaces created
from the IPv4 and IPv6 addresses In use of your choice. The option names the objects as follows:
• The devices are named using the selected IP address name. If the IP addresses, v4 and/or
v6, share the same name, like the addresses Gateway, they belong to one device. If the selected
IP address does not have a name, the device is named generic_#.
• The interfaces are all named generic_#, where # differentiates interfaces within one device.
Their IP address and the space they originated from are displayed in the column Status.
If the option creates more devices that your need, you can merge devices to reorganize the data
as you need. For more details, refer to the section Merging Devices.
In the module Device Manager, the device and interface are marked Imported in the
column Status. In the column IP address, the IP address and the space they originated from
are displayed as follows: <ip-address> (<space>).
3
# differentiates interfaces within one device.
984
Managing Devices
Note that you can also import devices on the page All devices. From then on, you can add or
import the ports and interfaces it contains and organize your network as you please. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Device, name your device.
5. In the field Description, you can add a description.
6. Click on OK to complete the operation. The report opens and closes. The device is listed.
Note that, from the device addition wizard, you can also add the ports and/or interfaces it manages.
For more details, refer to the section Manually Adding Ports and Interfaces.
Editing Devices
You can edit devices from their properties page or from the contextual menu on the page All
devices.
To edit a device
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Right-click over the Name of the device you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a device opens.
4. If you or your administrator created classes at device level, in the list Device class select a
class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the Device name and/or Description according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the page.
985
Managing Devices
Duplicating Devices
At any time, you can duplicate the content and class parameters of a device. Duplicating devices
can be used to anticipate provisioning.
If you know that you will add a new network device to NetChange and an existing device in Device
Manager has configuration similar, you should duplicate the device to import more easily the
network device to the page All devices. In this case you should:
1. Duplicate your device and name it like the NetChange network device to come, as detailed in
the procedure below.
2. Edit the device content to make sure it matches the network device to come, starting with its
MAC address but also the number of ports and/or interfaces it manages, the links between
the devices, etc. For more details, refer to the sections Adding Ports and Interfaces, Editing
Ports and Interfaces Properties and Deleting Ports and Interfaces.
To duplicate a device
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Tick the device you want to duplicate. You can only duplicate one device at a time.
3. In the menu, select Edit > Duplicate. The wizard Duplicate device opens.
4. In the field Device name, type in the name of the new device.
5. Click on OK to complete the operation. The report opens and closes. The device is listed. It
contains the same ports and/or interfaces. However, the link from ports to device has to be
set manually and interfaces MAC addresses are automatically generated.
Merging Devices
You can merge devices to manage the ports and interfaces they contain from a unique device.
Merging devices can be useful if you want to correct what was automatically found on the network.
For instance, if after automatically retrieving information from NetChange, a port and an interface
end up in two different devices even if they both belong to one laptop, you can merge these
devices to manage them from a single device.
To merge devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Tick the devices you want to merge.
3. In the menu, select Edit > Merge. The wizard Merge device opens.
4. In the drop-down list Name, select the device that should include all the ports and interfaces.
The other device(s) are emptied and deleted.
5. Click on OK to complete the operation. The report opens and closes. The device is listed,
the other devices are no longer listed.
986
Managing Devices
For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.
Exporting Devices
From the page All devices, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting Devices
At any time you can delete a device, this also deletes the ports and interfaces it contains. This
action is non-reversible.
To delete a device
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Tick the device(s) you want to delete.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The device and the
ports and interfaces it contains are no longer listed.
987
Chapter 74. Managing Ports and
Interfaces
From the page All ports & interfaces, you can manage the ports and the interfaces that belong
to your devices.
You can add them to a specific device or when you create a device. You can also automatically
retrieve them, along with the device they belong to, from other modules.
The ports link devices together, the interfaces are connected to the ports.
The interfaces have a MAC address and can have one or several IPv4 and/or IPv6 addresses.
Both IPv4 and IPv6 addresses are listed on the page.
Note that, to minimize any error or distortion between what is really connected to the network
and what is listed, you can track changes and reconcile data on this page. For more details, refer
to the section Tracking Changes on the Page All ports & interfaces.
INTERFACE
DEVICE
PORT
INTERFACE
DEVICE
PORT
988
Managing Ports and Interfaces
2. Filter the column Type, type in port or interface to list the objects that suit your needs.
3. At the end of the line of the port or interface of your choice, click on . The properties page
opens.
Keep in mind that the column Addition date provides extra information regarding the devices'
content. You can use it to sort or filter the list.
The option Manage allows to manage or unmanage the port or interface of your choice, whether
you added it yourself or it was Imported from another module.
To manage/unmanage a device
1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & interfaces
opens.
2. Tick the port and/or interface of your choice. You can tick more than one.
3. In the menu, select Edit > Manage > Yes or No. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The device is marked
Unmanaged or Managed in the column Status.
Before adding any port or interface, we recommend Configuring Device Manager to make sure
the data listed is consistent with the equipment configuration of your network.
Once added, you can decide which items you display and deal with on the page, as detailed in
the section Managing the Ports and Interfaces Visibility.
Keep in mind that Device Manager does not delete the entries that you might delete in other
modules on its own. In that way, it provides an overview of former port and interface interactions,
to delete ports and interfaces refer to the section Deleting Ports and Interfaces.
Note that you can also import ports and/or interfaces on the page All ports & interfaces. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.
989
Managing Ports and Interfaces
This option has to be ticked once, if you already configured Device Manager there is no need
to do it again.
On the page All ports & interfaces of each device, the columns Manually linked to and Automat-
ically linked to identify how the devices are linked together. If the column Manually linked to is
empty, configuring Device Manager overwrites its content with the information collected during
the automatic addition. This ensures that the data listed reflects the interaction between the
devices on your network.
Once you retrieved data automatically, you should monitor the column Reconciliation on the
page All ports & interfaces to prevent any drift. For more details, refer to the section Tracking
Changes on the Page All ports & interfaces.
Note that you can also import ports and/or interfaces on the page All ports & interfaces. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.
Automatically Adding Ports and Interfaces from the page All Devices
After Configuring Device Manager you can use the option Automatic discovery from the page
All devices to retrieves devices, and the ports and interfaces they contain. The name of all the
objects reflect the amount of information available in the modules NetChange, IPAM, DHCP and
DNS.
This option creates devices from network devices. Some of these devices manage only ports
and others manage one or several interfaces based on the MAC addresses retrieved.
On the page All network devices, the ports can have the following names:
• Ethernet ports can be named Ethernet <slot>/<port>, FastEthernet <slot>/<port>, GigaEthernet
<slot>/<port> or TenGigaEthernet <slot>/<port>.
• Wifi ports are named wifi#, where # differentiates the ports belonging to one device.
• Virtual ports are named Virtual port <slot>/<port>.
On the page All network devices, the interfaces can have the following names:
• Interfaces linked to an ethernet port are named eth#, where # differentiates the interfaces be-
longing to one device
• Interfaces linked to a wifi port are named wifi#.
• Interfaces linked to a virtual port are named vm_interface_#.
990
Managing Ports and Interfaces
• Interfaces from which few information - except the MAC address - was retrieved are named
generic_#.
For more details regarding what data is retrieved and how it is named, refer to the section Auto-
matically Adding Devices from the Page All Devices.
To automatically add ports and interfaces from the page All devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Tools > Automatic Discovery. The wizard Automatic discovery
opens.
3. Click on OK to complete the operation. The report opens and closes.
4. In the bread crumb, click on All ports & interfaces. The page opens.
5. In the column Status, the ports and interfaces are marked Imported.
Once the automatic discovery retrieved ports and interfaces, you can rename or edit them if need
be. For more details, refer to the section Editing Ports and Interfaces Properties. You should also
monitor the column Reconciliation as detailed in the section Tracking Changes on the Page All
ports & interfaces.
Keep in mind that the option retrieves data but does not automatically update it, if you delete data
or make changes in NetChange, you must make the same changes in Device Manager.
From the IPAM page All addresses you can automatically add interfaces and the devices they
belong to from the IPv4 and IPv6 addresses In use of your choice. The option names the objects
as follows:
• The devices are named using the selected IP address name. If the IP addresses, v4 and/or
v6, share the same name, like the addresses Gateway, they belong to one device. If the selected
IP address does not have a name, the device is named generic_#.
• The interfaces are all named generic_#, where # differentiates interfaces within one device.
Their IP address and the space they originated from are displayed in the column Status.
No ports are added as the interfaces are created using the MAC address of the selected IP ad-
dresses.
In the module Device Manager, the device and interface are marked Imported in the
column Status. In the column IP address, the IP address and the space they originated from
are displayed as follows: <ip-address> (<space>).
991
Managing Ports and Interfaces
Once you added data, you should monitor the column Reconciliation on the page All ports & in-
terfaces to prevent any drift. For more details, refer to the section Tracking Changes on the Page
All ports & interfaces.
Note that you can also import ports and/or interfaces on the page All ports & interfaces. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.
After Configuring Device Manager you can add ports manually from the pages All devices and
All ports & interfaces.
From the page All devices you can add as many ports as you want when you add a device. All
these ports have the same name and can be numbered.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Device, name your device.
5. Tick the box Add port(s)/interface(s). The ports and interfaces configuration fields appear
6. In the drop-down list Type, select Port. The port related fields appear.
7. Set the number of ports and their name:
8. You can link the port you are creating with another device port or interface. This is not re-
quired, if you do not want to link your port go to step 8.
992
Managing Ports and Interfaces
Field Description
Link with port/interface Type in the name of the port or interface you want to link the port with. The auto-
completion retrieves a list of available ports and interfaces matching this name
that you can choose from.
9. Click onADD . The port is listed as such: port: <number of ports> <port name> in the Inter-
faces/Ports list. If you want to add more ports to the device. Repeat these actions for as
many ports as needed.
10. In the list Interfaces/Ports, you can reorder the entries by selecting them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
11. Click on OK to complete the operation. The report opens and closes. The device is listed.
On the pages All devices and All ports & interfaces, in the column Status, the device and
the port(s) are marked Managed.
From the page All ports & interfaces, you can add one port at a time in a specific device.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field Name, name the port.
7. In the drop-down list Type, select Port.
8. You can link the port you are creating with another device port or interface. This is not re-
quired, if you do not want to link your port go to step 8.
9. Click on OK to complete the operation. The report opens and closes. The port is listed and
marked Managed.
993
Managing Ports and Interfaces
After Configuring Device Manager you can add interfaces from the pages All devices and All
ports & interfaces.
Keep in mind that you can also add devices and the interfaces they contain from the IPAM. For
more details, refer to the section Adding Devices from the IPAM.
From the page All devices you can add as many interfaces as you want when you add a device.
Each interface has a unique name, they can have be assigned an existing IP address, they must
have a MAC address that you either set or let Device Manager generate automatically, in this
case the MAC address is not displayed on the page.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Device, name your device.
5. Tick the box Add port(s)/interface(s). The ports and interfaces configuration fields appear.
6. In the drop-down list Type, select Interface.
7. In the field Name, type in the interface name.
8. You can link the interface with an IP address. This step is optional.
Table 74.4. Options to link an interface you are creating with an IP address
Field Description
MAC address Type in the MAC address if you know it.You then have to type in the correspond-
ing IP address.
IP Address Type in a known IP address of the IPAM module, the corresponding MAC address
a
is deduced and entered in the field MAC Address .
a
If the MAC address is already listed on the page All ports & interfaces, this interface addition is impossible.
9. In the drop-down list Space, you can select one of the existing IPAM spaces.
10. You can link the interface you are creating with another device port or interface. If you do
not want to link the interface to a port, go to step 10.
Table 74.5. Options to link an interface you are creating to another device
Field Description
Link with device Type in the name of the device you want to link the interface with. The auto-
completion retrieves a list of existing devices matching this name that you can
choose from.
Link with port/interface Type in the name of the port you want to link the interface with. The auto-com-
pletion retrieves a list of available ports and interfaces matching this name that
you can choose from.
994
Managing Ports and Interfaces
11. Click on ADD . In the list Interfaces/Ports, the interface is listed as such: interface: <interface
name> <MAC address> <IP Address>. Repeat these actions for as many interfaces as you
need.
12. In the list Interfaces/Ports, you can reorder the entries by selecting them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again, you can edit it
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
13. Click on OK to complete the operation. The report opens and closes. The device is listed.
On the pages All devices and All ports & interfaces, in the column Status, the device and
the interface(s) are marked Managed.
From the page All ports & interfaces, you can add one interface at a time in a specific device.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field Name, name the interface.
7. In the drop-down list Type, select Interface. The interface related fields appear.
8. You can link the interface with an IP address. This step is optional.
Table 74.6. Options to link an interface you are creating with an IP address
Field Description
MAC address Type in the MAC address if you know it.You then have to type in the correspond-
ing IP address.
IP Address Type in a known IP address of the IPAM module, the corresponding MAC address
a
is deduced and entered in the field MAC Address .
a
If the MAC address is already listed on the page All ports & interfaces, this interface addition is impossible.
9. In the drop-down list Space, you can select one of the existing IPAM spaces.
10. You can link the interface you are creating with another device port or interface. If you do
not want to link the interface to a port, go to step 10.
995
Managing Ports and Interfaces
Table 74.7. Options to link an interface you are creating to another device
Field Description
Link with device Type in the name of the device you want to link the interface with. The auto-
completion retrieves a list of existing devices matching this name that you can
choose from.
Link with port/interface Type in the name of the port you want to link the interface with. The auto-com-
pletion retrieves a list of available ports and interfaces matching this name that
you can choose from.
11. Click on OK to complete the operation. The report opens and closes. The interface is listed
and marked Managed.
Editing port and interfaces is required if you duplicated existing devices. Once you duplicated
the relevant device, you must edit its content as follows:
1. Add/delete the ports and interfaces it contains as needed. For more details, refer to the sections
Adding Ports and Interfaces and Deleting Ports and Interfaces.
2. Manually link the ports/interfaces to the needed device as detailed in the sections Editing a
Port and Editing an Interface.
Keep in mind that ports retrieved from NetChange had a name before you chose to manage them
in Device Manager. Once you renamed a port, both NetChange and Device Manager names are
displayed on its properties page: the field Name displays your name, the field NetChange port
name displays the port original name.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
996
Managing Ports and Interfaces
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the field Name, rename the interface.
8. Click on OK to complete the operation. The report opens and closes. In the Main properties
panel, the name is edited.
Editing a Port
At any time, the ports links toward devices can be edited.
If you duplicated a device, you must edit these links. Once a device is duplicated, the newly
created device ports are not linked to any other device. In this case, you have to create the link
between the ports and the needed device port or interface. To successfully edit the port links
between devices, you must:
1. Add a new link toward the newly created device interfaces.
2. Perform an automatic discovery if both the ports and interfaces links are edited.
3. Check the data.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
997
Managing Ports and Interfaces
Table 74.8. Options to link a port/interface you are editing to another device
Field Description
Link with device Type in the name of the device you want to link the port with. The auto-completion
retrieves a list of existing devices matching this name that you can choose from.
Link with port/interface Type in the name of the port or interface you want to link the port with. The auto-
completion retrieves a list of available ports and interfaces matching this name
that you can choose from.
7. Click on OK to complete the operation.The report opens and closes.The device you selected
is visible in the panel Main properties in the Manually linked to line, the selected interface
is between brackets. If you go back to the page All ports & interfaces, you have the same
information in the column Manually linked to.
Now that the links are saved, if you already added the new device in NetChange, you can run
the automatic discovery. For more details, refer to the section Adding Network Devices.
If you also have interfaces in that device, edit their links and MAC addresses before running
the automatic discovery. For more details, refer to the section Editing an Interface.
Once your changes are done and the list of ports is up-to-date, you can compare the data added
manually and automatically.
Editing an Interface
At any time, the interfaces' links toward devices can be edited.
If you duplicated a device, you must edit the links. Once a device is duplicated, the newly created
device interfaces are not linked to any other device and their MAC address is probably incorrect.
In this case, you have to create the link between the interfaces and the needed device port or
interface. To successfully edit the interfaces' links between devices, you must:
1. Add a new link toward the newly created device interfaces.
2. Update the MAC address of the interface.
3. Perform an automatic discovery if both the ports and interfaces links are edited.
4. Check the data.
998
Managing Ports and Interfaces
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Specify the other device port or interface.
7. Click on OK to complete the operation.The report opens and closes.The device you selected
is visible in the panel Main properties in the Manually linked to line, the selected interface
is between brackets. If you go back to the page All ports & interfaces, you have the same
information in the Manually linked to column.
Once you linked the interfaces to another device interface, update its MAC address.
Once you updated a MAC address, the former MAC address is deleted and the IP address(es)
it is linked to are saved whether it is an IPv4 or an IPv6 address.
Now that the links are saved and the MAC addresses updated, if you already added the new
device in NetChange, you can run the automatic discovery. For more details, refer to the section
Adding Network Devices.
If you also have ports in that device, edit their links as well before running the automatic
discovery. For more details, refer to the section Editing a Port.
999
Managing Ports and Interfaces
Once your changes are done and the list of interfaces is up-to-date, you can compare the data
added manually and automatically.
The reconciliation allows to compare the manual and/or automatic links between devices through
ports and interfaces.
! Drift The information displayed in the columns Automatically linked to and Manually linked to is not a match.
The Top List Alert on ports/interfaces reconciliation drift tracks any drift in the column. For more
details, refer to the section Gadgets Displayed by Default.
1000
Managing Ports and Interfaces
However, if you decided to enter some data manually, you can reconcile both link related columns
with the reconciliation option.That is to say, the content of the column Manually linked to overwrites
the content of the column Automatically linked to.
For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
1001
Managing Ports and Interfaces
1002
Chapter 75. Managing the Interaction
with the IPAM
From Device Manager, you can manage the interaction of interfaces with IPAM IPv4 and IPv6
addresses via their MAC addresses or the option Link IP addresses to Device Manager interfaces.
From the IPAM module, a set of options allows to edit Device Manager database. You can:
• Add devices from the page All addresses when assigning an IP address.
• Associate IP addresses to existing interface or remove that link.
• Edit the link between devices from the page All addresses.
For more details, refer to the part Global Policies, in the section IP Address Advanced Properties.
This assignation links an IPAM IP address with an interface through a MAC address retrieved
by Netchange discovered items. There is no automatic detection of matching MAC addresses
within these modules, therefore you must manually assign each IP address to each interface.
Keep in mind that adding, editing or deleting a MAC address saved in Device Manager may
change or remove the IP address/interface link you configured.
Note that if no class is set and enabled, the class dedicated page is automatically
skipped. Applying a class on an object can impact the configuration fields available
and/or required, for more information contact your administrator.
1003
Managing the Interaction with the
IPAM
If the report page displays the warning message MAC address already used. (Space:
..., Address: ....), on as many lines as IP address(es) used on the interface, click on OK
to commit the addition of the extra IP address on the interface. To cancel the assignment,
click on CLOSE . To edit the MAC address, click on PREVIOUS . The Aliases configuration
page opens first, click on PREVIOUS again to open the page Add an IPv4 address where
you can make the needed changes.
With IPv6 addresses, the interface assignment also involves going through the IPAM
module and editing the interface within Device Manager. However, we recommend that
you make sure the MAC address of the interface using this IPv6 address is present
among the NetChange discovered items. That way it is directly detected by Device
Manager.
1004
Managing the Interaction with the
IPAM
e. If you or your administrator created classes, the list IP address class is visible. Select
a class or None and click on NEXT . The next page opens.
f. The field IP address name is gray and empty.
g. The field IP address displays the IP address.
h. In the field MAC address, paste your MAC address.
i. In the field Shortname, name your IP address: it is automatically displayed in the IP
address name field.
j. Click on NEXT . The page Aliases configuration opens. There is nothing to set up in this
page when you are simply assigning an IPv6 address to an interface. For more details,
refer to the section Configuring and Managing IP Address Aliases.
k. Click on OK to complete the operation. The report opens and closes. The IPv6 addresses
list opens again and the IP address is listed as used, named and has a MAC address.
If the report page displays the warning message MAC address already used. (Space:
..., Address: ....), on as many lines as IP address(es) used on the interface, click on OK
to commit the addition of the extra IP address on the interface. To cancel the assignment,
click on CLOSE . To modify the MAC address, click on PREVIOUS . The Aliases configuration
page opens first, click on PREVIOUS again to open the page Add an IPv6 address where
you can make the needed changes.
4. Within Device Manager
a. In the sidebar, go back to Device Manager > Ports & interfaces. The page All ports
& interfaces opens.
b. Order the list by MAC address. The interfaces are listed first.
c. Right-click over the Name of the interface of your choice. The contextual menu opens.
d. Click on . The interface properties page opens.
e. Click on EDIT . The wizard Edit a port or interface opens.
f. In the field IP address, type in the address of your choice, the auto-completion will retrieve
its MAC address.
g. Click on OK to complete the operation. The report opens and closes. In the panel Inter-
face attachments, the IPAM section regarding v6 addresses is updated and displays
the new IP address information. The address is visible in the list All ports & interfaces.
You can use the procedure above for as many IP addresses as needed for one interface. Beyond
one IPv6 address, the addition wizard displays a report step listing the IP addresses already used
on this interface to make sure that you actually want to use an extra IP address.
The columns Device manager name and Device manager interface allow to display the interactions
on that page. For more details regarding columns display, refer to the section Customizing the
List Layout.
Any ports and interfaces changes made from the IPAM change the content of the column
Manually linked to. For more details, refer to the section Tracking Changes on the Page All ports
& interfaces.
1005
Managing the Interaction with the
IPAM
The auto-completion provided in the device name and interface name only lists the device and
interfaces marked as Managed and Imported. The Unmanaged items are not listed.
First, as detailed in the section Linking IP Addresses with Existing Interfaces, you can simply
specify a device and interface and tick the box Overwrite.
Second, if the IP address was assigned a MAC address, you can simply edit the MAC address
to link the IP address with another interface. For more details regarding IP address edition, refer
to the section Editing an IP Address.
1006
Managing the Interaction with the
IPAM
1007
Chapter 76. Rules Impacting Device
Manager
From the module Administration, you can add, enable or disable rules related to Device Manager.
Note that the rules are first organized by modules ans then event, so even if they both ultimately
impact Device Manager, you will find them under the module DHCP and the event Add: <DHCP-
object>.
Rule 221
Enabling this rule creates an interface every time you add a static, with or without an IPv4
address. The interface has the same name as the static and belongs to a device also named
after the static. To add this rule, refer to the procedure To add a Device Manager rule and
select the Module DHCP and the Event Add: DHCP statics.
Rule 225
Enabling this rule creates an interface every time an IPv4 lease is generated. The interface
is named generic_# and belongs to a device named using the lease hostname. To add this
rule, follow the procedure To add a Device Manager rule and select the Module DHCP and
the Event Add: DHCP leases.
1008
Rules Impacting Device Manager
1009
Part XIV. VLAN Manager
VLAN Manager allows to create and handle Virtual Local Area Networks (VLANs) and Virtual Extensible
LAN (VXLAN) to set up layer 2 data exchange between networks and devices.
Keep in mind that the VLAN Manager VLANs are different from the VLAN interfaces you can set up on the
page Network configuration. For more details, refer to the section Setting up a VLAN Interface.
From the module VLAN Manager you can include up to 3 levels of organization:
• Domains: the highest level of the hierarchy. They contain ranges and VLANs. For more details, refer to
the chapter Managing VLAN Domains.
• Ranges: an optional second level in the hierarchy. They contain VLANs. For more details, refer to the
chapter Managing VLAN Ranges.
• VLANs: the lowest level of the hierarchy. They are unique with a VLAN Identifier (ID) and belong to a
domain or range. For more details, refer to the chapter Managing VLANs.
Once you organized your VLANs, you can connect them with IPAM subnet-type networks belonging to dif-
ferent spaces or networks and make them communicate no matter their IP address. For more details, refer
to the Global Policies chapter Managing Advanced Properties.
Note that from the module Dashboards, you can gather gadgets and charts on VLAN Manager dashboard
to monitor the module data or set up custom shortcuts and search engines. For more details, refer to the
part Dashboards.
Table of Contents
77. Managing VLAN Domains ....................................................................................... 1012
Browsing VLAN Domains ..................................................................................... 1012
Adding VLAN Domains ........................................................................................ 1012
Editing VLAN Domains ........................................................................................ 1013
Automatically Adding New VLAN Domains as Group Resource .............................. 1014
Exporting VLAN Domains .................................................................................... 1015
Deleting VLAN Domains ...................................................................................... 1015
Defining a VLAN Domain as a Group Resource ..................................................... 1015
78. Managing VLAN Ranges ........................................................................................ 1016
Browsing VLAN Ranges ....................................................................................... 1016
Adding VLAN Ranges .......................................................................................... 1016
Editing VLAN Ranges .......................................................................................... 1017
Exporting VLAN Ranges ...................................................................................... 1018
Deleting VLAN Ranges ........................................................................................ 1019
Defining a VLAN Range as a Group Resource ...................................................... 1019
79. Managing VLANs ................................................................................................... 1020
Browsing VLANs ................................................................................................. 1020
Adding VLANs ..................................................................................................... 1021
Editing VLANs ..................................................................................................... 1022
Adding VLANs from the IPAM ............................................................................... 1022
Creating VLANs from NetChange ......................................................................... 1023
Exporting VLANs ................................................................................................. 1023
Deleting VLANs ................................................................................................... 1023
1011
Chapter 77. Managing VLAN Domains
VLAN domains are managed from the page All domains.They can be composed of VLAN ranges
and VLANs or exclusively of VLANs depending on your organizational needs.
A domain is defined by its name and start and end ID. These IDs corresponds to the first and
last VLAN ID that it manages, it sets the number of VLANs it can contain:
• A VLAN domain can contain between 1 and 4094 VLANs.
• A VXLAN domain can contain between 1 and 16777215 VLANs.
Every time you add a domain, you can set the same set of IDs. They are duplicated on the page
All VLANs, and even if you have several VLANs with the ID 1, they are different. Indeed, they do
not belong to the same domain or range and might be assigned different names.
RANGE
DOMAIN
VLAN
1012
Managing VLAN Domains
• You can import domains from a CSV file. For more details, refer to the section Importing VLAN
Domains in the chapter Importing Data from a CSV File.
• Once you created a domain, you cannot edit its start and end ID, or decide to make it a VXLAN
domain instead of VLAN or vice versa.
• Users that do not belong to the group admin cannot see the domains they add, unless an ad-
ministrative user either:
• Adds the new domains to the resources of the group(s) they belong to
• Configures the rule 408 to automatically add every new domain as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New VLAN Domains
as Group Resource.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Domain, type in the VLAN domain name.
5. In the field Description, you can add a description. This field is optional. By default, 1 is
displayed in the field.
6. To create a VXLAN domain, tick the box Use VXLAN.
7. In the field Starting VLAN ID, specify the ID of the first VLAN of the domain.
a. For a VLAN domain, type in a number between 1 and 4094.
b. For a VXLAN domain, type in a number between 1 and 16777215.
8. In the field Ending VLAN ID, specify the ID of the last VLAN of the domain.
a. For a VLAN domain, type in a number between 1 and 4094. By default, 4094 is displayed
in the field.
b. For a VXLAN domain, type in a number between 1 and 16777215. By default, 16777215
is displayed in the field.
9. Click on OK to complete the operation. The report opens and closes. The domain is listed.
Note that depending on the group they belong to, users may not see the domain they added
on the page until an administrative user either:
• Adds the new domains to the resources of the group(s) they belong to
• Configures the rule 408 to automatically add every new domain as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New VLAN
Domains as Group Resource.
1013
Managing VLAN Domains
You can edit a VLAN domain from the page All domains, via the contextual menu, or from its
properties page.
If a domain no longer matches you needs and you want to edit its start ID, end ID, make it a
VXLAN domain or make it a VLAN domain, you must:
1. Create a new domain configured with the settings that suit your needs.
You can either recreate the VLANs it contains and name them the same or export the VLANs
of the domain you want to edit and reimport them into the domain you created. For more details,
refer to the part Imports and Exports.
2. Delete the obsolete domain.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the fields Domain and/or Description according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The domain is listed
with the changes you just made.
To avoid having to manually define new VLAN domain as group resource, administrators can
configure the rule 408 and automatically add every new VLAN domain as resource of the groups
of users of the relevant group(s) of users.
To add the rule 408 that sets which groups have new VLAN domains as resource
1014
Managing VLAN Domains
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can type in a comment.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.
11. In the list Available groups, select a group of users and click on . The group is moved to
the list Selected groups. You can add as many groups as you want.
12. In the list Selected groups, you can select and reorder the groups using and .
To remove a group, select it and click on . The group is moved back to the list Available
groups.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Note that administrative users can add a rule to ensure that every new VLAN domain is added
to the resources of the groups of users of their choice. For more details, refer to the section
Automatically Adding New VLAN Domains as Group Resource.
Granting access to a domain as a resource also grants access to every item it contains. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
1015
Chapter 78. Managing VLAN Ranges
VLAN ranges provide an extra level of management for your VLANs. They are optional.
A VLAN range can contain as many VLANs as the domain it belongs to, or just or portion of the
VLANs.
Like the domain, a range is defined by its name, its start ID and its end ID. Considering that it
belongs to a domain, it cannot manage VLANs that are not managed by the domain, in other
words you cannot create a range with the start and end IDs 5-10 in a domain managing the IDs
6-10.
Within a domain, you can create as many ranges as you want to manage the VLANs of the domain.
Your ranges can manage the same VLAN IDs if you allow overlapping, the VLANs are different
as they belong to different ranges.
RANGE
DOMAIN
VLAN
If you want to create ranges with unique sets of VLAN ID, you can tick the box No ID overlapping.
Keep in mind that the overlap restriction applies whether it was set on existing ranges or on
ranges you are trying to create.Therefore, if a range managing the VLAN IDs 1-512 already exists
1016
Managing VLAN Ranges
and you try to create the range 512-550, an error message is returned whether the box was ticked
on the existing range or on the range you are creating.
With the overlapping allowed, if you set several ranges with common VLANs, the common VLAN
ID is replicated on the page All VLANs. You can differentiate them through their range, and po-
tentially their name.
Note that you can also import ranges from a CSV file. For more details, refer to the section Im-
porting VLAN Ranges in the chapter Importing Data from a CSV File.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the list Domain, select the domain of your choice.
5. Click on NEXT . The last page opens.
6. In the field Range, name your VLAN range.
7. In the field Description, you can add a description. This field is optional.
8. In the field Starting VLAN ID, type in the ID of the first VLAN of the range. By default, the
Starting VLAN ID of the domain is displayed in the field.
9. In the field Ending VLAN ID, type in the ID of the last VLAN of the range. By default, the
Ending VLAN ID of the domain is displayed in the field.
10. The box No ID overlapping is ticked by default, you can untick it if you want to allow VLAN
ID overlapping in several ranges.
11. Click on OK to complete the operation. The report opens and closes. The range is listed.
You can edit a VLAN range from the page All ranges, via the contextual menu, or from its prop-
erties page.
1017
Managing VLAN Ranges
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the fields Domain, Description according to your needs.
6. Tick or untick the box No ID overlapping according to your needs.
7. Click on OK to complete the operation. The report opens and closes. The range properties
are updated.
Resizing a Range
At range level, you can change the number of VLANs managed.You can decide to manage more
or less VLANs, i.e. VLAN IDs. This option basically shifts the VLAN identifier number to add IDs
to the VLAN range or remove some IDs.
In a domain managing the IDs 1-15, you cannot resize a range and make it manage the IDs
10-20, instead of 10-15.You would be asking to manage IDs that do not exist in the domain.
• The new range size does not exclude any Used VLAN of the range or include any Used
VLAN belonging to another range.
In case of overlap, you can either delete the used VLAN and recreate it in the new range or export
it and reimport it in the new range.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
1018
Managing VLAN Ranges
Granting access to a range as a resource also grants access to every item it contains. For more
details, refer to the section Assigning Resources to a Group in the chapter Managing Groups.
1019
Chapter 79. Managing VLANs
Once you have created at least one domain, the VLANs it contains are listed on the page All
VLANs. They can belong to ranges.
All the VLANs are differentiated through their ID. You can assign them a name to set up an inter-
action with the module IPAM at network level between several subnet-type networks or devices
within a network. For this reason, once a VLAN has a name, the range and/or domain it belongs
to cannot be deleted.
Browsing VLANs
Within VLAN Manager, the VLANs are the lowest level of the hierarchy.
RANGE
DOMAIN
VLAN
Only the Used VLANs are listed. If the VLAN ID overlapping is enabled, the columns Domain
and Range help differentiate VLAN IDs.
2. To display the Used and Free VLANs of a specific domain, in the column Domain, click on
the name of your choice. The page refreshes.
3. To display the Used and Free VLANs of a specific range, in the column Range, click on the
name of your choice. The page refreshes.
4. To display more Free VLANs, in the column VLAN ID click on left of the ID of your choice.
The first or last 13 VLANs appear.
For more details regarding statuses, refer to the section Understanding the VLAN Statuses.
1020
Managing VLANs
Used The VLAN was assigned a name, it can interact with the IPAM. The domain and range it belongs
to cannot be deleted.
Adding VLANs
Adding a VLAN means using it as all the VLANs were added at the same time as the domain
they belong to. When you add a VLAN, you can assign it a name.
Note that you can import VLANs from a CSV file. For more details, refer to the section Importing
VLANs or VXLANs in the chapter Importing Data from a CSV File.
You can also use existing NetChange VLANs to create VLANs in VLAN Manager. For more details,
refer to the section Creating a VLAN in VLAN Manager.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
8. In the field VLAN name, you can name the VLAN.
9. In the field VLAN ID, type in the VLAN ID of your choice.
10. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the VLAN is now marked as Used. If you gave it a name, it is displayed in the column
Name.
1021
Managing VLANs
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
9. In the field VLAN name, you can name the VLAN.
10. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the VLAN is now marked as Used. If you gave it a name, is displayed in the column
Name.
Editing VLANs
You can edit a VLAN name.
Keep in mind that renaming a VLAN breaks the IPAM / VLAN interaction.
To edit a VLAN
1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. Filter the list if need be.
3. Right-click over the VLAN ID of your choice. The contextual menu opens.
4. Click on Edit. The wizard opens.
5. If you or your administrator created classes at VLAN level, in the list VLAN class, select a
class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field VLAN name, you can rename the VLAN.
7. Click on OK to complete the operation. The report opens and closes. The new VLAN name
is displayed.
For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.
1022
Managing VLANs
Exporting VLANs
From the page All VLANs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting VLANs
You can only delete Used VLANs. Before proceeding keep in mind that:
• Once deleted, the VLANs are still listed, if you are displaying the VLANs of a specific domain
or range, but are Free and no longer have a name.
• If the VLANs were associated with a subnet-type network, deleting VLANs breaks the association
and removes the VLAN information from the network properties. For more details, refer to the
chapter Network Advanced Properties.
The Free VLANs are unused so you cannot delete them. They are listed on the page All VLANs
of the domain or range they belong to. To delete unused VLANs from the list, you must delete
the range and/or domain they belong to.
To delete a VLAN
1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. Tick the Used VLAN(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The VLAN is no longer
listed.
5. To see this VLAN, display the list of the VLANs for the domain or range it belongs to. This
VLAN no longer has a name in the column Name and its status is Free.
1023
Part XV. VRF
VRF, Virtual Routing and Forwarding, allows to simultaneously define and maintain multiple instances of a
routing table on a single router.
This technology is commonly used for implementing L3 VPN(s) provided by MPLS service providers. In
such networks MPLS encapsulation is used to isolate individual customer traffic, and an independent routing
table (VRF) is maintained for each one of them.
Following RFC 4364, each VRF has a unique Route Distinguisher (RD) identifier. In that context, MP-BGP
is commonly employed to facilitate complex redistribution schemes to import and export routes to and from
VRFs (using route targets) to provide Internet connectivity or inter-VRF communication. Technically, you
should keep in mind that:
• Each VRF behaves like an independent router with its own interfaces, IP subnet-type networks and routing
protocol.
• Each VRF has separate routing and forwarding tables used only for the packets that traffic through the
VRF based on its interface mapping.
From the module VRF, you can display and have an overview of the VRF and Route Targets that associate
them on your network on two dedicated pages. All available options are detailed in the chapters:
• Managing Virtual Routing and Forwarding.
• Managing VRF Route Targets.
Table of Contents
80. Managing Virtual Routing and Forwarding ............................................................... 1026
Browsing VRFs ................................................................................................... 1026
Adding VRFs ....................................................................................................... 1026
Editing VRFs ....................................................................................................... 1027
Exporting VRFs ................................................................................................... 1027
Deleting VRFs ..................................................................................................... 1027
81. Managing VRF Route Targets ................................................................................. 1029
Browsing VRF Route Targets ................................................................................ 1029
Adding VRF Route Targets ................................................................................... 1029
Exporting VRF Route Targets ............................................................................... 1030
Deleting VRF Route Targets ................................................................................. 1030
1025
Chapter 80. Managing Virtual Routing
and Forwarding
From the page All VRFs, you can add, import, edit and delete Virtual Routing and Forwarding
(VRF) for basic management purposes. The page inventories all VRFs using their name and
unique Route Distinguisher or RD.
You can oversee the communication configurations between your VRFs via the Route Targets.
For more details, refer to the chapter Managing VRF Route Targets.
Browsing VRFs
Within the module VRF, the VRFs are the highest level, the entry point of your inventory.
Adding VRFs
You can add as many VRFs as you need.
Note that you can also import VRFs, for more details refer to the section Importing Data to VRF
in the chapter Importing Data from a CSV File.
To add a VRF
1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. In the menu, click on Add. The wizard Add a VRF opens.
3. If you or your administrator created classes at VRF level, in the list VRF class select a class
or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
1026
Managing Virtual Routing and
Forwarding
6. In the field Comment, you can type in a comment. This field is optional.
7. Click on OK to complete the operation. The report opens and closes. The VRF is listed.
Editing VRFs
Once created, you can edit all the information regarding a VRF, from the listing page or from its
properties page in the panel Main properties.
Keep in mind that editing a VRF name or RD also edits its VRF Route Target(s) in the GUI.
To edit a VRF
1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. Right-click over the Name of the VRF you want to edit. The contextual menu opens.
3. Click on . The wizard opens.
4. If you or your administrator created classes at VRF level, in the list VRF class select a class
or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Edit the Name, RD and Comment fields according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the VRF is listed with the new information.
Exporting VRFs
From the page All VRFs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting VRFs
At any point you can delete one or several VRFs.
Keep in mind that deleting a VRF also deletes its VRF Route Targets in the GUI.
1027
Managing Virtual Routing and
Forwarding
To delete a VRF
1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. Tick the VRF(s) you want to delete.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The VRF is no longer
listed, its VRF Route Targets are deleted as well.
1028
Chapter 81. Managing VRF Route Targets
From the page All VRF Route Targets, you can oversee the communication you set or want to
set on your network between the VRFs. This page simply illustrates the VRF communication
configuration, it assists in inventorying it all.
A Route Target sets up an exchange of routes between two VRFs, via their RD. They allow to
import and/or export the routes of the VRFs, one is the source VRF, the other is the target VRF.
Every VRF can be associated with one or more Route Targets.
VRF Route Targets do not have a properties page as all the information is displayed on the page.
1029
Managing VRF Route Targets
2. Create another Route Target that establishes that the Source VRF site B can export the
routes the Target VRF site A.
Note that:
• You can also import Route Targets, for more details refer to the section Importing VRF Route
Targets in the chapter Importing Data from a CSV File.
• A Route Target may be edited if its Source or Target VRF is edited.
• You cannot edit Route Targets from the page All VRF Route Targets. You must delete the
Route Target that no longer suits your needs and create it again.
To add the Route Targets that establish the communication between two VRFs
1. In the sidebar, go to VRF > VRF Route Targets. The page All VRF Route Targets opens.
2. Create the first Route Target
a. In the menu, click on Add. The wizard Add a VRF Route Target opens.
b. In the field Source VRF name, specify the VRF of your choice.
Type in the first letters of the source VRF, the auto-completion provides the list of
matching names, select the one you want.
c. In the field Target VRF name, specify the VRF of your choice using auto-completion.
d. You can tick the box Import to let the Target VRF retrieve the routes of the Source VRF.
e. You can tick the box Export to let the Source VRF send out its routes to the Target VRF.
f. Click on OK to complete the operation. The report opens and closes. The VRF is listed.
3. Create the second Route Target
a. In the menu, click on Add. The wizard Add a VRF Route Target opens.
b. In the field Source VRF name, specify the Target VRF of the first Route Target.
c. In the field Target VRF name,specify the Source VRF of the first Route Target.
d. If you ticked the box Export in the first Route Target, tick the box Import to confirm the
communication configuration.
e. If you ticked the box Import in the first Route Target, tick the box Export to confirm the
communication configuration.
f. Click on OK to complete the operation. The report opens and closes. The VRF is listed.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Note that Route Targets can be deleted from the page when one of the VRFs they link is deleted.
1030
Managing VRF Route Targets
1031
Part XVI. SPX
The Service Provider eXtension (SPX) assists Local Internet Registry (LIR) declarations as it allows to
manage the complete life cycle of the IP address networks allocated to you by a Regional Internet Registry
(RIR) member. From SOLIDserver GUI, SPX helps you manage networks that were allocated to you by the
RIPE (Réseaux IP Européens) or the APNIC (Asia-Pacific Network Information Center).
The module SPX comes in addition to the IPAM and is available through a dedicated license option. To
make sure you do have this license option, the administrator can go to the page Admin Home and, in the
section System, click on License. When the page opens, in the panel Current license, all the license options
are listed: SPX must be listed.
1033
Chapter 82. Configuring SPX
No matter what RIR you depend on, there is only one wizard to configure SOLIDserver. Once
SPX is properly set and matches your allocated network(s), only assigned networks can be added
and edited: their containers are managed by the RIR itself. Whenever you add or edit assigned
networks from the GUI, an email is sent to your RIR.
1034
Configuring SPX
• Your SPX classes and rules are enabled. They apply to IPv4 and IPv6 allocated networks,
IPv4 and IPv6 assigned networks, autnums and finally users. For more details, refer to the
sections Enabling the SPX Classes and Enabling the SPX Rules.
Keep in mind that this configuration wizard allows to configure your RIPE or APNIC "real" database
as well as your "TEST" database, if you have one.
Field Description
RIR Select either RIPE or APNIC.
Comment Type in a comment regarding the organization.
Maintainer Type in your RIPE or APNIC maintainer full name. This information is contained
in the field mntner and reused in the field mnt-by of your assigned networks.
Password Type in your RIPE or APNIC password. It is used to authenticate the database
updates.
Source Select either the RIR you selected above to configure your official database or
TEST to configure your test database.
NCC REGID Type in your registry identifier. It was provided to you by your RIR, if not, you
should contact them to obtain it.
From (email) Type in the email address used as source address in the emails sent to your
RIR.
Notify (email) Type in the email address of the person notified of any change made in the RIPE
or APNIC database.
Changed (email) Type in the email address displayed in the field changed of the description of
your assigned network in the RIPE or APNIC database. It can be a generic ad-
dress or the address of a person.
AW validation (email) Type in the email of the person notified if you exceed the number of IP addresses
of your Assigned Window.This person must be granted sufficient rights to perform
the appropriate operations if your new assigned networks exceed the allocated
range of addresses.
AW size Type in the number of IP addresses you are allocated in the RIPE or APNIC
Assigned Window.
Update method Select POST or EMAIL.
POST This service based method is selected by default to notify your RIR of any
changes.
EMAIL (deprecated) This method allows to notify your RIR of any changes via email. Once selected,
the following fields appear.
Update pop3 mailbox Type in the pop3 address of your mail server.
Update mailbox login Type in the login of the specified mail server.
Update mailbox password Type in the password of the specified mail server.
Expert mode Tick this box if you want to set up a proxy server to communicate changes to
your RIR. Once ticked, the following fields appear.
Whois RIR host Type in the full name of the proxy server.
Whois port Type in the number of the Whois RIR host port used
to transmit information. Port 80 is generally used.
RIR Update host Type in the name of the server of your RIR receiving
the updates
1035
Configuring SPX
Field Description
RIR update URL Type in the URL of the RIPE or APNIC server receiv-
ing your updates.
Email used for the update Type in the email address used as source address in
the emails notifying your RIR of any update.
The details are moved to the Maintainer list and displayed as follows: Source: <selected-
source> - Maintainer : <maintainer-name>.
4. Repeat the configuration step for as many maintainers as needed.
5. Click on NEXT . The next page opens.
6. On the page SPX allocated networks classes configuration, configure the classes of your
RIR allocated networks:
a. In the drop-down list Allocated network class, select one of your classes or the default
1
class SPX/RIPE_block .
b. In the drop-down list Allocated network PI class, select one of your classes or the default
class SPX/RIPE_PI_block.
c. Click on NEXT . The next page opens.
7. On the page SPX assigned networks classes configuration, configure the classes of your
RIR assigned networks:
a. In the drop-down list Assigned network class, select one of your classes or on of the
default classes, SPX/RIPE_PI_subnet or SPX/RIPE_subnet.
The selected class is moved to the field New Assigned network class.
b. Click on ADD to confirm the selection. The class is moved to the List of SPX assigned
networks.
c. Repeat these steps for as many classes as needed.
d. Click on NEXT . The next page opens.
8. On the page SPX allocated networks (v6) classes configuration, configure the classes of
your IPv6 RIR allocated networks:
a. In the drop-down list Allocated network class (v6), select one of your classes or the
default class SPX/RIPE_Block.
b. Click on NEXT . The next page opens.
9. On the page SPX assigned networks (v6) classes configuration, you can configure the
classes of your IPv6 RIR assigned networks:
a. In the drop-down list Assigned network class (v6), select one of your classes or the
default class SPX/RIPE_subnet.
The selected class is moved to the field New assigned network class (v6).
b. Click on ADD to confirm its selection. The class is moved to the List of SPX assigned
networks (v6).
c. Repeat the steps above for as many classes as needed.
d. Click on NEXT . The next page opens.
1
All the classes name can be preceded by a / if they belong to a specific directory, following the format: <directory-name>/<class-
name>. In this case, the default class RIPE_Block belongs to the directory SPX.
1036
Configuring SPX
10. On the page SPX aut-nums classes configuration, you can configure the classes for your
autnums:
a. In the drop-down list Aut-num class, select one of your classes or the default class
SPX/RIPE. The selected class is moved to the field New aut-num class.
b. Click on ADD to confirm its selection. The class is moved to the List of SPX aut-num
classes.
c. Repeat these steps for as many classes as needed.
d. Click on NEXT . The next page opens.
11. On the page SPX users classes configuration, you can configure the classes of your RIPE
or APNIC users:
a. In the drop-down list User class, select one of your classes or the default class
SPX/RIPE_person.
At any time, you can edit these settings or add new maintainers. For more details, refer to the
section Editing the Connection to the RIPE or APNIC.
Keep in mind that you should not edit the maintainer name, registry identifier or AW size if
you already imported your allocated networks.
1037
Configuring SPX
8. Click on NEXT . The page SPX allocated networks (v6) classes configuration opens.
9. You can select a different class in the drop-down list Allocated network class (v6).
10. Click on NEXT . The page SPX assigned networks (v6) classes configuration opens.
11. You can edit the list of classes in the List of SPX assigned networks classes (v6): select a
class in the drop-down list Assigned network class (v6) and ADD it, or select a class in the
list and DELETE it.
12. Click on NEXT . The page SPX aut-num classes configuration opens.
13. You can edit the list of classes in the List of SPX aut-num classes: select a class in the drop-
down list Aut-num class and ADD it, or select a class in the list and DELETE it.
14. Click on NEXT . The page SPX users classes configuration opens.
15. You can edit the list of classes in the List of SPX users classes: select a class in the drop-
down list User class and ADD it, or select a class in the list and DELETE it.
16. Click on OK to complete the operation. The report opens and closes, the page refreshes.
1038
Chapter 83. Managing SPX Persons
Before managing SPX networks, you need to add or import RIPE and APNIC persons.
Within the GUI, SPX persons are managed from the page Users. As for any other user, you need
to add SPX persons to groups and grant them rights and resources. For more details, refer to
the part Rights Management.
Note that most of these parameters are only available if you correctly enabled the classes
located in the directory SPX. For more details, refer to the chapter Enabling the SPX Classes.
5. Click on SAVE . The page refreshes.
6. You can filter the list to display only SPX users by typing RIPE in the search engine of the
column Class.
To make sure the person addition was confirmed, you can display the column Waiting. For more
details, refer to the section Browsing the SPX Persons.
1039
Managing SPX Persons
2. In the section Authentication & Security, click on Users. The page Users opens.
3. In the menu, click on Add. The wizard Add a user opens.
4. In the list User class, select the class RIPE_person .
5. Click on NEXT . The page Add a user opens.
6. Configuring the SPX person details:
a. In the field Usr login, an identifier is automatically incremented. You can edit it if need
be.
b. In the field Address, type in the person mailing address to fill in the RIPE or APNIC field
address.
c. In the field Phone, type in the person phone number following the format: +<country
code> <area code> <phone number>.
d. In the field Fax, you can type in a fax number following the same format as the field
Phone.
e. In the field Email, type in the user email address.
f. In the field Remark, you can type in a comment regarding the person.
g. In the field Notify, you can type in the email address of the person notified of any changes
made on the details of the person you are creating.
h. In the drop-down list Maintainer, select your maintainer.
7. If need be, configure extra details for the person management from the GUI:
a. In the field First name, type in the person first name.
b. In the field Last name, type in the person last name.
c. In the field Pseudonym, the user last and first name are automatically displayed. You
can replace them by a shortname or shorter name if you want.
8. Click on OK to complete the operation. The report opens and closes. The user is listed, its
state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed the addition.
The column Waiting details the states.
If the person status stays in wait_mail_add, refer to the section Registering SPX Person
Changes.
Every time you edit a person, you have to wait for the RIPE or APNIC confirmation. To make
sure the person edition was confirmed, you can display the column Waiting. For more details,
refer to the section Browsing the SPX Persons.
1040
Managing SPX Persons
7. Edit the user information according to your needs. All details can be edited, except their
Pseudonym. For more details, refer to the procedure To add an SPX person.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
9. Go back to the page Users to see the person state and make sure it was confirmed by the
RIPE or APNIC. Its status is not OK, until the RIPE or APNIC has confirmed the edition.
The column Waiting details the states.
If the person status stays in wait_mail_add, refer to the section Registering SPX Person
Changes.
A dedicated option allows to resend the person information to the RIPE or APNIC via POST or
EMAIL, depending on your configuration.
Every time you delete a person, you have to wait for the RIPE or APNIC confirmation. To make
sure the assigned network edition was confirmed, you can display the column Waiting. For more
details, refer to the section Browsing the SPX Persons.
Before deleting a person, make sure that the assigned networks they were managing are
already managed by someone else. You need to edit the relevant assigned networks Contacts
details before deleting the person. For more details, refer to the section Editing SPX Networks.
If the person status stays in wait_mail_del, refer to the section Registering SPX Person
Changes.
1041
Chapter 84. Managing SPX Networks
From SOLIDserver GUI, you can import allocated networks and edit their content by adding,
editing and deleting assigned networks.
SPX assigned networks addition is assisted by dedicated classes that the administrator
should enable in Class Studio, all these classes belong to the Directory SPX. For more details,
refer to the chapter Configuring SPX.
More generally, SPX networks can be managed the same way as regular networks, For more
details, refer to the chapter Managing Networks, Managing Pools and Managing IP Addresses.
1
Note that SOLIDserver supports Provider Aggregatable and Provider Independent addresses .
You can import or add them using the dedicated classes available for allocated networks and
assigned networks.
Any addition sends a request to the RIPE or APNIC that is confirmed or denied. The status of
that request can be displayed in a dedicated column on the page All networks in the module
IPAM.
1
For more details, refer to http://www.ripe.net/lir-services/member-support/info/faqs/isp-related-questions/pa-pi.
1042
Managing SPX Networks
Note that most of these parameters are only available if you correctly enabled the classes
located in the directory SPX. For more details, refer to the chapter Enabling the SPX Classes.
5. Click on SAVE . The page refreshes.
6. You can filter the list to display only SPX networks by typing RIPE in the search engine of
the column Class.
Once you imported an allocated network, you can then add, you can add SPX assigned networks
using dedicated classes, the ones that come with the appliance and/or some that you created.
Note that you can also import assigned networks. For more details, refer to the section Importing
SPX Assigned Networks.
Keep in mind that you must indicate the SPX user that manages your network through SOLID-
server. Therefore, before creating an assigned network, you must have a user in charge of
managing it in the RIPE or APNIC database. If the person managing the assigned network
already exists in the RIPE or APNIC database, there is no need to create it in the GUI, you can
import it. For more details, refer to the chapter Managing SPX Persons.
Once you added an assigned network via the GUI, you have to wait for the RIPE or APNIC con-
firmation. To make sure the assigned network addition was confirmed, you can display the column
Waiting state. For more details, refer to the section Browsing SPX Networks.
6. Select a Size, Prefix or Netmask. The two other fields are edited accordingly.
7. Click on NEXT . The page Search result opens.
8. In the list Network address, select a start address.
9. Click on NEXT . The page Add an IPv4 network opens.
10. Configure the assigned network:
a. The Address and Prefix fields are displayed in read-only as they correspond to the cri-
teria previously set.
b. In the section Terminal network, the box is ticked.
c. In the field Gateway, the gateway is displayed. Its IP address corresponds to the default
gateway offset configured. You can edit it if need be.
1043
Managing SPX Networks
d. In the drop-down list Number of pools, you can select a value between 1 and 5, depend-
ing on the number of pools you want to create in the assigned network. Once you selec-
ted a value, you need to set the Size and Type of each pool.
e. In the drop-down list Advanced properties, Default is selected by default. If you want
to set particular behaviors for the assigned network, select All. New fields appear. For
more details, refer to the section Configuring IPAM Advanced Properties in the chapter
Managing Advanced Properties.
f. At the bottom of the wizard, in the field Inetnum, the assigned network start and end
address are displayed in read-only.
g. In the field Net name, name the assigned network. The field automatically displays
capital letters. The value entered in also displayed in the field Network name.
h. In the field Description, type in a description for the assigned network.
i. In the drop-down list Country, you can select the country where the organization is
located.
11. Click on NEXT . The next page opens and allows you to set up a notify mail:
a. In the field Notify mail, you can type in the email address of the person notified of any
change made on the assigned network you are creating.
b. Click on ADD . The address is moved to the list Notify.
c. In the field Remarks, you can type in a comment regarding the assigned network.
12. Click on NEXT . The page Contacts opens.
a. Specify the assigned network technical contacts (tech-c):
1. In the field Nic handle / Person, type in the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Technical contacts.
b. Specify the assigned network administrative contacts (admin-c):
1. In the field Nic handle / Person, type in the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Administrative contacts.
13. Click on OK to complete the operation. The report opens and closes. The assigned network
is listed, its state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed
the addition. The column Waiting details the states.
If the assigned network status stays in wait_mail_add, refer to the section Registering SPX
Network Changes.
If the assigned network status stays in wait_aw_confirm, refer to the section Validating a
New Assignment Window.
1044
Managing SPX Networks
5. In the list Network class, select the SPX Assigned network class of your choice. Click on
NEXT . The page Network Size opens.
13. Click on OK to complete the operation. The report opens and closes. The assigned network
is listed, its state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed
the addition. The column Waiting details the states.
1045
Managing SPX Networks
If the IPv6 assigned network status stays in wait_mail_add, refer to the section Registering
SPX Network Changes.
Editing the content of your assigned networks follows the same procedures as regular assigned
networks. For more details, refer to the chapters Managing Pools and Managing IP Addresses.
Once you edited an assigned network via the GUI, you have to wait for the RIPE or APNIC con-
firmation. To make sure the assigned network edition was confirmed, you can display the column
Waiting state. For more details, refer to the sections Browsing SPX Networks and .
If the assigned network status stays in wait_mail_add, refer to the section Registering SPX
Network Changes.
If the assigned network status stays in wait_aw_confirm, refer to the section Validating a
New Assignment Window.
1046
Managing SPX Networks
You can also send any change made on SPX persons to the RIPE or APNIC. For more details,
refer to the section Registering SPX Person Changes.
In both cases, the assigned networks are marked wait_aw_confirm. Keep in mind that if you do
exceed the AW, you need to:
1. Follow the appropriate RIPE or APNIC procedures to be able to extend your Assignment
Window.
2. Once your request is approved by the RIPE or APNIC, you can use the option Validate AW
in the GUI.
If your request is denied, you should delete the assigned network. For more details, refer to the
section Deleting SPX Allocated Networks.
1047
Managing SPX Networks
5. Click on OK to complete the operation. The report opens and closes. The page All networks
is visible again. In the columns Waiting and Status you can monitor the evolution.
If you had used addresses within a deleted assigned network, they are placed in an Orphan
address and listed among your assigned networks. They are simply displayed in the GUI
but no longer used within your RIPE or APNIC database as the whole assigned network was
deleted.
If the assigned network status stays in wait_mail_del, refer to the section Registering SPX
Network Changes.
1048
Chapter 85. Managing SPX AS Numbers
On the page AS Numbers of the module SPX, you can add or import the RIPE or APNIC regis-
tration details (aut-nums) for the Autonomous System (AS) Numbers that suit your needs. When
it is done, all the routing routing policies, described by enumerating all neighboring AS Number
with which routing information is exchanged, are listed in the page All policies. For each neighbor,
the routing policy is described in terms of exactly what is being sent (announced) and allowed
(accepted).That way, each aut-num contains policies that describes what can be implemented
and enforced locally by said AS Number.
Note that most of these parameters are only available if you correctly enabled the classes
located in the directory SPX. For more details, refer to the chapter Enabling the SPX Classes.
4. Click on SAVE . The page refreshes.
5. You can filter the list to display the AS Numbers that suit your needs using the search engine
of the column AutNum name and AS name.
1049
Managing SPX AS Numbers
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Configure the AS Number:
a. In the field AutNum name, the AS Number full name is displayed once you filled in the
field AS Number as follows: AS<AS-number>.
b. In the field AS Number, type in the number of your choice.This number must be available,
composed of 10 digits at the most and lower that 4294967295. The value entered
automatically completes the field AutNum name.
c. In the field AS name, you can name the AS Number.
d. In the field Description, you can type in a description.
e. In the drop-down list Maintainer, select your maintainer.
6. Click on NEXT . The page Contacts opens.
a. Specify the AS Number technical contacts (tech-c):
i. In the field Nic handle / Person, type in the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
ii. Click on SEARCH to retrieve their details.
iii. Click on ADD . The contact is moved to the field Technical contacts.
b. Specify the AS Number administrative contacts (admin-c):
i. In the field Nic handle / Person, type in the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
ii. Click on SEARCH to retrieve their details.
iii. Click on ADD . The contact is moved to the field Administrative contacts.
7. Click on OK to complete the operation. The report opens and closes. The user is listed, its
state is Creating. Until its status is not OK, the RIPE or APNIC has not confirmed the
addition. Have a look in the column Waiting state for more details regarding the addition
confirmation.
1050
Managing SPX AS Numbers
1. Editing its details, i.e. AS name, Description, Maintainer and Contact information but you
cannot edit the Autnum full name.
2. Editing its content, i.e. deleting some of its policies.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. Click on NEXT . The page Edit an AS Number opens.
6. Edit the AS Number configuration via the fields AS name, Description and Maintainer,
7. Click on NEXT . The page Contacts opens.
8. Edit the contact details according to your needs.
9. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
If you want to delete the policies of an AS Number refer to the section Editing SPX AS Numbers.
1051
Managing SPX AS Numbers
1052
Part XVII. Identity Manager
The module Identity Manager allows to retrieve Windows Active Directory (AD) authentication events.
Within the module, you can add your AD domains as directories. All the users of the domain are retrieved
using the related LDAP repository. In addition, SOLIDserver retrieves all Windows Event Logs, via Windows
Event Forwarding, to allow you to monitor the authentication events of each user within each domain.
Once events are retrieved, you can monitor the activity of all users as identities. In addition, each identity
can have one or more sessions, they identify individually the connection events of a user and an IP address.
Before using Identity Manager you must configure the module, this configuration includes your appliance
and your AD domain controller(s). For more details, refer to the chapter Configuring Identity Manager.
Table of Contents
86. Configuring Identity Manager .................................................................................. 1055
Prerequisites ....................................................................................................... 1055
Limitations .......................................................................................................... 1055
Preparing the Module .......................................................................................... 1055
Configuring the Directory Synchronization Frequency ............................................ 1059
87. Managing Directories ............................................................................................. 1060
Browsing Directories ............................................................................................ 1060
Adding Directories ............................................................................................... 1061
Synchronizing Directories .................................................................................... 1062
Editing Directories ............................................................................................... 1062
Deleting Directories ............................................................................................. 1063
88. Managing Identities ................................................................................................ 1064
Browsing Identities .............................................................................................. 1064
89. Managing Sessions ................................................................................................ 1066
Browsing Sessions .............................................................................................. 1066
Purging Sessions ................................................................................................ 1067
1054
Chapter 86. Configuring Identity Manager
To configure the module Identity Manager and use it to the fullest you must:
1. Meet the prerequisites.
2. Take into account the limitations.
3. Follow the section Preparing the Module to properly configure SOLIDserver and your AD domain
controller(s).
To go further, you can even configure the data synchronization frequency, before adding direct-
ories. For more details, refer to the section Configuring the Directory Synchronization Frequency.
Prerequisites
• A SOLIDserver appliance in version 7.3 or higher.
• An AD domain with a Group Policy (GPO).
• A user with administrative rights over the domain.
• An SSL certificate and its related CA ready, in PEM format, both are required on your appliance
and AD domain controller. Keep in mind that you must use a unique CA:
• If you are configuring the module on several appliances, you need one SSL certificate per
appliance. All certificates must rely on the same CA.
• If you are configuring the module for an AD domain managed from several AD domain con-
trollers, all controllers must rely on the same CA.
Limitations
• The module Dashboards does not include a page dedicated to the module Identity Manager.
• Imports and exports are not available in the module.
When both configurations are set, SOLIDserver can communicate with your AD domain control-
ler(s) and retrieve the data you monitor from the module Identity Manager.
1. Configuring SOLIDserver
To properly prepare Identity Manager on your appliance you must:
1. Allow traffic on the port 5986, it is dedicated to communicating with AD domain controllers.
2. Configure the service Windows Events Collector. You must configure it with the SSL cer-
tificate and its related CA. This CA must also be used on the AD domain controller(s) managing
the AD domain you intend to monitor from the appliance.
If you are configuring Identity Manager on appliances configured in High Availability, you must
follow the procedure on both the Master appliance and Hot Standby appliance.
1055
Configuring Identity Manager
To configure SOLIDserver
If not, you must edit the rule, as detailed in the section Editing a Firewall Rule of the
chapter Configuring the Network.
3. Import both certificates.
a. Locate the SSL certificate and CA certificate you want to use. Both must be in PEM
format.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
d. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
e. In the field Name, name the certificate.
f. In the drop-down list Type, select Certificate.
g. In the field Certificate, paste in the certificate, in PEM format.
h. In the field Private key, paste in its private key.
i. Click on OK to complete the operation. The report opens and closes. The certificate is
listed, its private key is available on the certificate properties page.
j. Once you imported one certificate, repeat the steps b to j for the other one.
4. When both certificates are imported, configure the service Windows Events Collector.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section System, click on Services configuration.The page Services configuration
opens.
c. Under the menu, in the drop-down list SOLIDserver, make sure the local appliance is
selected.
d. Click on the link Windows Events Collector. The wizard Change the current SSL certi-
ficate opens.
e. In the drop-down list SSL Certificate, select the SSL certificate you imported. You must
use the same SSL certificate within SOLIDserver and your AD domain controller(s). By
default, None is selected.
f. In the drop-down list Certificate Authority, select the CA certificate you imported. You
must use the same CA certificate within SOLIDserver and your AD domain controller(s).
By default, None is selected.
g. Click on OK to complete the operation. The wizard works for a while and closes. The
name of the SSL certificate and CA certificate you selected are listed.
1056
Configuring Identity Manager
5. If you are configuring Identity Manager on appliances configured in High Availability, repeat
the steps 1 to 4 on the Hot Standby appliance.
If you intend to retrieve data from several AD domain controllers, you must perform these config-
urations on each domain controller.
2. From your Microsoft Management Console (MMC), import the client authentication certi-
ficate.
4. From the Group Policy MMC snap-in (gpedit.msc), configure the source host security policy
to enable event forwarding.
a. Go to Computer Configuration > Administrative Templates > Windows Components >
Event Forwarding.
b. Right-click over the SubscriptionManager setting and select Properties.
c. Enable the SubscriptionManager setting, and click on Show to add a server address.
1057
Configuring Identity Manager
d. Specify the SOLIDserver appliance that collects your events following the format:
Server=HTTPS://<FQDN of the SDS>:5986/wsman/,Refresh=<Refresh interval in
seconds>,IssuerCA=<certificate authority certificate thumbprint>.
Note that you can copy the IssuerCA fingerprint from your MMC. In the Certificates
snap-in of the Local Computer, you can find the Issuing CA certificate, in the Thumbprint
of the tab Details.
e. Make sure the SubscriptionManager configuration is applied using the following com-
mand:
gpupdate /force
Once the event forwarding is configured on all relevant AD domain controllers, you must configure
the log generation. This configuration applies to all related AD domain controllers.
Policy Value
Audit Credential Validation Success
Audit Kerberos Authentication Service Success
Audit Kerberos Service Ticket Operations Success
Audit Other Account Logon Events Success
4. Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit
Policy Configuration > System Audit Policies > Logon/Logoff and configure the following:
Policy Value
Account Logon Success
Account Logoff Success
Once your AD domain controller(s) configuration is complete, SOLIDserver can retrieve AD domain
data.
If you want to configure the synchronization frequency of the AD domains you add, refer to the
next section.
1058
Configuring Identity Manager
By default, each directory is synchronized every minute to retrieve all its identities, based on its
credentials and endpoint.
As you can manually synchronize directories, you may want to edit the rule 410 and change the
synchronization frequency.
To edit the rule 410 that sets the directory synchronization frequency
10. Click on OK to complete the operation. The report opens and closes. The rule properties
page is visible again.
1059
Chapter 87. Managing Directories
Directories are the AD domains that you monitor from SOLIDserver. Each directory contains
identities, AD users, and sessions automatically synchronized.
From the page All directories, you can add, edit, synchronize, monitor and delete directories.
Note that any user granted the relevant rights over the directories can display all directories as
well as the identities and sessions they contain. Within Identity Manager, no object can be set
as a group resource.
Browsing Directories
The directory is the highest level of Identity Manager hierarchy.
SESSION
DIRECTORY IDENTITY
SESSION
All the columns on the page can be sorted and filtered. By default, the page displays the directory
Name and Type.
You can also display the columns Synchronization status, Windows Event Collector Status and
Metas to import. Both status columns are detailed in the next section.
1060
Managing Directories
Timeout The endpoint configured for the directory is unreachable, or the AD domain controller is
taking too long.
Invalid credentials The login and password configured for the directory are invalid.
N/A No information is available.
The column Event Collector Status returns information regarding the domain controller that sends
information to each directory.
Table 87.2. The event collector statuses on the page All directories
Status Description
OK The domain controller event collection and forwarding is operational.
! Warning No information was received from the domain controller in the last 5 minutes.
Error No information was received from the domain controller in the last hour.
N/A No information was received, either the domain is misconfigured or no certificate was
a
found .
a
To ensure your certificates are properly configured, refer to the chapter Configuring Identity Manager.
Adding Directories
You can add AD domains as directories to monitor user activity. Note that:
• Before adding a directory, you must configure Identity Manager. During this configuration you
must configure one or more AD domain controllers, if several AD domain controllers manage
your AD domain. For more details, refer to the chapter Configuring Identity Manager.
• All directories are automatically synchronized to retrieve user identities and sessions. By default,
all information is retrieved every minute, you can edit this frequency. For more details, refer to
the section Configuring the Directory Synchronization Frequency.
• All directories can be configured with metadata that allow to import the specific user settings
of your domain or repository, like their contact details, company details, country... and
propagate them to the identities.
To add a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. In the menu, click on Add. The wizard Add a directory opens.
3. If you or your administrator created classes at directory level, in the field Directory class
select a class or None.
1061
Managing Directories
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
4. In the field Name, specify the name of the AD domain of your choice.
5. In the field Session TTL, specify in seconds the maximum lifetime of your AD users ticket.
It sets the maximum length of the sessions.
6. In the field Endpoint, specify the URL of the AD domain controller used to synchronize the
identities of the directory. It must follow the format ldap://<IP-or-name-of-the-server> or
ldaps://<IP-or-name-of-the-server>.
7. In the field Login, specify the login of a user with sufficient rights.
8. In the field Password, specify the corresponding password.
9. In the list Available metadata, select one by one the AD user account details you want to
import for the directory. They are considered metadata entries and can be displayed as a
column on the page All identities.
The available user details are the following: City, Company, Country, Country (abbr.), Creation
date, Description, Email, Fax, First name, Home phone, IP Phone, Job department, Job title,
Last name, Mobile phone, Office, Postal box, State/Province, Street, Telephone and Zip
code.
10. Click on . The entry is moved to the list Metadata to import. To remove an entry from the
list, select it and click on , it is moved back to the list Available metadata.
11. Click on OK . The report opens and closes. The new directory is listed.
Make sure that its Synchronization status and Event collector Status are OK. If any
other status is returned, it may be that either the directory or the module is misconfigured.
For more details, refer to the section Understanding the Statuses on the Page All Directories.
Once a directory is added, its identities and sessions are automatically retrieved.
Synchronizing Directories
All directories are automatically and regularly synchronized.
If you edited the metadata of a directory you can manually synchronize it, rather than wait for the
automated synchronization to ensure that its information is up-to-date.
To synchronize a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. Tick the directory of your choice, you can tick several.
3. In the menu, click on Edit > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation. The report opens and closes. The directory is listed,
its information is up-to-date.
Note that administrators can edit the default synchronization settings. For more details, refer to
the section Configuring the Directory Synchronization Frequency in the chapter Configuring
Identity Manager.
Editing Directories
You can edit directories from the page All directories or from their properties page. Note that:
1062
Managing Directories
To edit a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. Right-click over the Name of the directory of your choice. The contextual opens.
3. Click on Edit. The wizard Edit a directory opens.
4. If you or your administrator created classes at directory level, in the field Directory class
select a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. The Name is displayed in a read-only gray field. You cannot edit it.
6. Edit the Session TTL, Endpoint, Login, Password and/or Metadata to import of the directory
according to your needs. For more details on the fields, refer to the procedure in the section
Adding Directories.
7. Click on OK to complete the operation. The report opens and closes. The directory is listed,
its properties are updated.
Deleting Directories
You can delete your directories to stop monitoring an AD domain.
To delete a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. Filter the list if need be.
3. Tick the directory of your choice, you can tick several.
4. In the menu, click on . The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The directory is no
longer listed.
1063
Chapter 88. Managing Identities
Identities are the users of each directory. They are automatically retrieved from the AD domain
thanks to the LDAP repository.
All identities are displayed in read-only on the page All identities, where you can monitor them:
• All identities are named after the login used for the connection to the AD domain.
• Each identity inherit the metadata of its directory, you can display them in dedicated columns.
Until the directory is synchronized, some metadata may be missing.
By default, all identities are retrieved every minute, you can edit this frequency. For more details,
refer to the section Configuring the Directory Synchronization Frequency.
• Identities can contain one or more sessions, each session indicates a user connection.
• If the page is missing identities or is empty, it may be that there is a problem at directory level
or that the module was not properly configured. For more details, refer to section Configuring
the Directory Synchronization Frequency in the chapter Managing directories or to the chapter
Configuring Identity Manager.
Note that any user granted the relevant rights over the directories can display all identities.
Within Identity Manager, no object can be set as a group resource.
Browsing Identities
The identity is the second level of Identity Manager hierarchy.
SESSION
DIRECTORY IDENTITY
SESSION
1064
Managing Identities
By default, a set of columns are displayed on the page.You can also display the metadata inherited
from the directory in dedicated columns. All the columns can be sorted and filtered.
Disabled The user account is disabled, they cannot connect, no session is available.
N/A The identity was retrieved, but the AD domain controller has not sent status inform-
ation yet.
1065
Chapter 89. Managing Sessions
Sessions are unique user connections to an AD domain. They are automatically retrieved from
your identities and directories.
All user sessions are displayed in read-only on the page All sessions, where you can monitor
and purge them:
• All sessions are displayed on dedicated lines, they can rely on IPv4 or IPv6.
• A session details a user connection activity and indicates when a user was last seen.
• All active sessions combine an identity, an IP address and a start. The user is currently
connected.
• All inactive sessions combine an identity, an IP address, a start and an end.The user session
ended, they may have started a new session.
• Each session duration is set at directory level. The Session TTL set on each directory defines
when the session becomes inactive.
• One identity can have several sessions if there are active and inactive sessions for one IP
address; or if the sessions have a different IP address.
• If the page is missing sessions or is empty, it may be that there is a problem at directory level
or that the module was not properly configured. For more details, refer to section Understanding
the Statuses on the Page All Directories in the chapter Managing directories or to the chapter
Configuring Identity Manager.
Note that any user granted the relevant rights over the directories can display all sessions.
Within Identity Manager, no object can be set as a group resource.
Browsing Sessions
The session is the lowest level of Identity Manager hierarchy.
SESSION
DIRECTORY IDENTITY
SESSION
By default, the page is filtered through the column Last seen to display the sessions of the
last 3 hours.
2. To display the sessions of a specific directory, in the column Directory, click on the name
of your choice. The page refreshes.
1066
Managing Sessions
3. To display the sessions of a specific identity, in the column Identity, click on the name of
your choice. The page refreshes.
All session information is displayed on the page, sessions do not have a properties page.
All the columns on the page are displayed by default, they can be sorted and filtered.
Purging Sessions
By default, all inactive sessions are deleted if they have been inactive for more that 30 days or
if your database contains more than 2 million inactive sessions. You can edit the rule 411 to
change either threshold.
To edit the rule 411 that sets the sessions purge mechanism
1067
Managing Sessions
4. At the end of the line, click on . The rule properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. The name is listed in the column Instance.
7. In the field Comment, you can insert, edit or delete the rule comment.
8. Click on NEXT . The page Rule filters opens.
These filters define when the rule executes the checks to purge the sessions, if the thresholds
you set on the next page are met.
9. Edit the drop-down lists according to your needs.
1068
Part XVIII. Rights Management
Configuring access rights to operations and resources is essential to properly manage an appliance. Rights
management relies on users, group of users and authentication rules.
Users belong to groups, they can access any module if their group has sufficient resources and rights. For
that reason, configuring user access requires to:
1. Add or import users.
2. Add a group of users.
3. Configure that group with users. At group level, the users are considered a group resource.
4. Configure that group with rights. From the page Rights of each group you can grant or deny access to
operations in all modules to the users of the group.
5. Configure that group with resources. From the page Resources of each group you can add existing objects
as resource. This defines on which objects they can perform the rights they are granted. Without resources,
the users of the group can perform operations but cannot perform them on anything.
Rights
display: space
add: network
edit: network
delete: network display: space
...
display: network
IPAM
edit: pool
add: address Resources
Group A ...
IPAM
Group B
display: server
display: scope
edit: range
delete: range
...
DHCP
Group C
Figure 255. The rights and resources of a user depend on the group they belong to
From the module Administration, the hierarchy of Rights Management can include up to 3 levels:
• Groups: the highest level of the hierarchy.The groups contain Rights and Resources, the users and objects.
For more details, refer to the chapter Managing Groups.
• Authentication Rules: an optional second level. The rules define if external Microsoft Active Directory,
RADIUS, LDAP and OpenID users can access SOLIDserver.These rules allow to retrieve user credentials
stored in the corresponding remote directory and to secure remote authentications. The authenticated
users are granted the rights defined by the group they belong to. For more details, refer to the chapter
Managing Authentication Rules.
• Users: the lowest level of the hierarchy. You can manage local and external users on one page. Once
added, you can set them as resource of a group to manage their access rights and restrictions. For more
details, refer to the chapter Managing Users.
Note that the superuser, ipmadmin, is granted all rights by default and has access to all existing objects.
They belong to the most privileged group, admin.
Table of Contents
90. Managing Groups .................................................................................................. 1071
Browsing Groups of Users ................................................................................... 1071
Adding Groups of Users ....................................................................................... 1072
Managing the Rights of a Group of Users .............................................................. 1073
Managing the Resources of a Group of Users ....................................................... 1074
Managing the Users of a Group of Users .............................................................. 1078
Editing Groups of Users ....................................................................................... 1079
Enabling or Disabling Groups of Users .................................................................. 1080
Exporting Groups of Users ................................................................................... 1080
Deleting Groups of Users ..................................................................................... 1080
91. Managing Users .................................................................................................... 1081
Browsing Users ................................................................................................... 1081
Adding Users ...................................................................................................... 1082
Editing Users ...................................................................................................... 1083
Changing the User Password ............................................................................... 1084
Configuring the User Password Complexity ........................................................... 1085
Configuring Users Connection Parameters ............................................................ 1085
Configuring User Sessions ................................................................................... 1087
Enabling or Disabling Users ................................................................................. 1088
Generating User Reports ..................................................................................... 1088
Exporting Users .................................................................................................. 1088
Deleting Users .................................................................................................... 1088
92. Managing Authentication Rules ............................................................................... 1089
Browsing Authentication Rules ............................................................................. 1090
Adding Authentication Rules ................................................................................ 1090
Editing Authentication Rules ................................................................................. 1100
Enabling or Disabling Authentication Rules ........................................................... 1100
Deleting Authentication Rules .............................................................................. 1101
1070
Chapter 90. Managing Groups
The groups of users allow to delegate administrative rights to the users they manage. Groups
define user profiles and levels of management. You can add as many groups as you want.
The rights and resources of a group determine what operations its users can perform and on
which resources. Any operation denied to the group in off limits to their users, any resource not
listed among their resources is not available on the managing page even if the group has to access
the page itself.
The groups can manage remote users authenticated via Microsoft Active Directory (AD), RADIUS,
LDAP and OpenID Connect. For more details regarding users secure authentication, refer to the
chapter Managing Authentication Rules.
AUTHENTICATION
GROUP OF USER
USERS
RESOURCE
SERVICE
By default, the group admin is listed on the page Groups. This group manages ipmadmin, the
superuser, and is granted access to all rights and resources by default.You cannot deny it access
to rights or resources. Any user added to this group has full administrative rights, like ipmadmin.
1071
Managing Groups
2. In the section Authentication & Security, click on Groups. The page opens.
3. At the end of the line of the group of your choice, click on . The properties page opens.
Note that you can also import groups of users from a CSV file. For more details, refer to the
section Importing Groups of Users in the chapter Importing Data from a CSV File.
If you intend to add authentication rules, we strongly suggest configuring group of users
before enabling them. Once the authentication rules are enabled, the corresponding users can
access the web interface and are added to the page Users; as they do not belong any group,
they cannot access any module or perform any operation. For more details on Active Directory,
LDAP, RADIUS and OpenID authentication, refer to the chapter Managing Authentication Rules.
To add a group
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
7. In the field Group name, name the group. If you intent to authenticate users via AD, name
the group after an existing AD group.
8. In the field Description, you can type in a description.
9. In the drop-down list Copy rights from group, you can select any group, except admin, or
None. The rights of the selected group are granted to the group you are adding.
This option can be used as a template when you add new groups. If some rights should be
granted or denied, you can edit the group Rights later on.
10. Click on OK to complete the operation. The report opens and closes. The group is listed.
1072
Managing Groups
AUTHENTICATION
GROUP OF USER
USERS
RESOURCE
SERVICE
You can grant a group access to the operations performed by all SOLIDserver users if you
grant it access to the User tracking right.
The name of each right includes a verb detailing the operation. The most used verbs are the
following:
Table 90.2. The most common operations in the name of the rights
Verb Description
Add The service allows to add and edit an object.
Delete The service allows to delete an object.
1073
Managing Groups
Verb Description
Display The service allows to display the complete list of objects on its management page.
Edit The service allows to perform specific edition operations on an object.
List The service allows to delegate administrative rights from one administrator to the other, usually
group management related rights.
There are more operations available: Configure, Convert, Copy/Move, Display, Migrate, Split...
The other rights, to add, edit, delete... objects must be granted specifically in each module panel
of the properties page. For instance, if you grant a group the right to edit networks but did not
assign them any network, the users of the group have access to the page All networks and to
the menu Edit but cannot see the list of existing networks. Hence the need to grant right AND
assign resources.
At any time, you can edit this configuration using the same procedure.
AUTHENTICATION
GROUP OF USER
USERS
RESOURCE
SERVICE
1074
Managing Groups
Following each module internal hierarchy, once an object is set as a resource the whole path in
the internal hierarchy of the module is available for display. In the same way, the objects set as
resource provide read-only access to lower levels.
Resources Rights Re
DNS SERVER
ns1.mycorp.com
IPAM resources
• Spaces as resource provide read-only access to the IPv4 and IPv6 block-type networks,
IPv4 and IPv6 subnet-type networks, IPv4 and IPv6 pools and IPv4 and IPv6 addresses
they contain.
• IPv4 block-type network as resource provide read-only access to the subnet-type net-
works, pools and IP addresses they contain.
• IPv6 block-type network as resource provide read-only access to the subnet-type net-
works, pools and IP addresses they contain.
• IPv4 subnet-type network as resource provide read-only access to the pools and IP ad-
dresses they contain.
• IPv6 subnet-type network as resource provide read-only access to the pools and IP ad-
dresses they contain.
• IPv4 pool as resource provide read-only access to the IP addresses they contain.
• IPv6 pool as resource provide read-only access to the IP addresses they contain.
1075
Managing Groups
DHCP resources
• Servers as resource provide read-only access to the shared networks, scopes, ranges,
statics, groups, failover channels, option configurations, option definitions and ACLs they
contain.
• Servers (v6) as resource provide read-only access to the shared networks, scopes, ranges,
statics, groups, failover channels, option configurations and option definitions they contain.
• Scopes as resource provide read-only access to the ranges, statics and option configura-
tions they contain as well as to the shared networks of the server they belong to.
• Scopes (v6) as resource provide read-only access to the ranges, statics and option con-
figurations they contain as well as to the shared networks of the server they belong to.
DNS resources
• Servers as resource provide read-only access to the options (all) - including forwarding,
access control, notify... -, views, zones, resource records, keys, access control lists and
RPZ rules they contain.
• Views as resource provide read-only access to the options (all) - including forwarding,
access control, notify... -, zones, resource records, keys, access control lists and RPZ
rules they contain.
• Zones as resource provide read-only access to the zone options, resource records, access
control lists and RPZ rules they contain.
• RPZ zones as resource provide read-only access to the resource records, access control
lists and RPZ rules they contain.
Applications resources
• Applications, pools and nodes cannot be assigned as resources. All users have read-only
access to these objects.
• DNS servers as resource provide read-only access to the traffic policy deployments for
applications associated with the selected servers.
Guardian resources
• Policies and triggers cannot be assigned as resources. All users have read-only access
to these objects.
• DNS servers as resource provide read-only access to deployments of policies they are
associated with.
NetChange resources
• Network devices as resource provide read-only access to the ports, VLANs and discovered
items they contain.
VLAN Manager resources
• VLAN domains as resource provide read-only access to the VLAN ranges and VLANs
they contain.
• VLAN ranges as resource provide read-only access to the VLANs they contain.
Identity Manager resources
• Directories, identities and sessions cannot be set as resource. However, once a group is
granted the right to list directories, its users can see all the added directories as well as
the identities and sessions they contain.
Administration resources
• Classes as resource provide read-only access to the class objects (Class Editor) they
contain.
1076
Managing Groups
You can add objects as resource of a group from the page Resources, the listing page All <object>
or the properties page of an object.
On the object(s) properties page, the panel Groups access lists the group.
1
Any group EXCEPT the group admin as, by default, it has authority over all the resources of SOLIDserver database.
1077
Managing Groups
On the object properties page, the panel Groups access lists the group(s).
For instance, if a group has among its resources the space Local and a network local-terminal-
network, when you decide to remove access to the space, you can remove it from their resources.
Keep in mind that removing the space prevents users from performing operations on the space
but they can still access its content because the network local-terminal-network is still part of
their resources: users have read-only access to the resource path within the module.
Keep in mind that to remove resources from a group, users that do not belong to the group admin
need to be granted the appropriate rights.
1078
Managing Groups
For more details regarding user creation, refer to the chapter Managing Users.
If you want to edit the users, rights or resources of a group, refer to the sections Managing the
Users of a Group of Users, Managing the Rights of a Group of Users and Managing the Resources
of a Group of Users.
1079
Managing Groups
5. If you or your administrator added classes, in the list Group class select a class or None.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Edit the Parent group, Group name, Description and/or Copy rights from group according
to your needs. For more details, refer to the procedure To add a group.
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and includes the changes in the panel.
Keep in that if you disable a group, the users its contain are still able to connect to
SOLIDserver but do not have access to any module or resource.
To enable/disable a group
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Tick the group(s) of your choice.
4. In the menu, select Edit > Status > Enable or Disable. The corresponding wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The group(s) is marked
OK or Disabled in the column Status.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Keep in mind that if you delete a group, the users its contain are still able to connect to
SOLIDserver but do not have access to any module or resource.
To delete a group
1080
Chapter 91. Managing Users
Depending on the group they belong to, users can have administrative or standard access to the
appliance. You can add as many users as you want.
By default, user authentication is performed using the local database. However you can have:
Local users
To use local authentication, you must configure a group and manually add this local user into
the group. Once added to a group, a user is considered as a resource of the group. For more
details, refer to the section Managing the Users of a Group of Users of the chapter Groups.
Remote users
To use remote user authentication via Microsoft Active Directory (AD), RADIUS, LDAP or
OpenID Connect, you must configure the relevant rule. For more details, refer to the chapter
Managing Authentication Rules.
Once the rule is configured, remote users are automatically added the first time they are
authenticated and granted access to the interface. Until they belong to a group, they cannot
access any module or resource or perform any operation. Therefore, you must either add
them as resource of a group after their first connection to the appliance, or add the remote
users to the page Users and set them as resource of the relevant group before their first
connection.
To ensure access to the appliance if your remote directory is unreachable, you must have
at least one local user in the group admin.
Keep in mind that if you manage local and remote users, every remote and local user must have
a unique login. If a remote user and a local user share the same login, it is no longer possible to
authenticate the remote user.
If you want to manage RIPE or APNIC persons, refer to the part SPX.
Note that any connected user can set their display settings and change their password, as detailed
in the section Account Configuration.
Browsing Users
In the rights management hierarchy, users constitute the lowest level, along with resources and
rights, the services. Users are must belong to one or several groups to set profiles.
AUTHENTICATION
GROUP OF USER
USERS
RESOURCE
SERVICE
1081
Managing Users
By default, the superuser ipmadmin is the only user listed on the page. It belongs to the admin
group and has all the rights and every manageable object among its resources.
Adding Users
You can add as many users as you want on the page Users. Once listed on the page, users are
part of local database.
If you locally add users of Microsoft Active Directory (AD), RADIUS, LDAP or OpenID Connect,
make sure that their login is unique. Once you manage local and remote users, if a remote user
and a local user share the same login, it is no longer possible to authenticate the remote user.
Note that you can also import users from a CSV file. For more details, refer to the section Importing
Users in the chapter Importing Data from a CSV File.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
5. In the field Login, type in the user login. This login cannot be an email address.
1082
Managing Users
1
6. In the field Password, type in the user password .
7. In the field Confirm password, type in the user password again.
8. If need be, configure additional parameters:
a. Tick the box Expert mode.
b. In the field First name, type in the user first name.
c. In the field Last name, type in the user last name.
d. In the field Pseudonym, the user last and first name are automatically displayed. You
can replace them by a shortname or shorter name if you want.
e. In the field Email, type in the user email address.
f. In the field Login URL, type in the URL toward which the user should be directed after
being authenticated.
g. In the drop-down list Maintainer group, select the group of users that should be able to
edit the user information (names, credentials, email...) and classes.
9. Click on OK to complete the operation. The report opens and closes. The user is listed among
the users with its Login, Official name and Origin in the corresponding columns.
Connected users can edit their session time and date or listing page display, interface language
or password. For more details, refer to the section Account Configuration.
Editing Users
At any time an administrator can edit a user details or group.
Keep in mind that users must belong to a group: a user not belonging to any group, they can
connect to SOLIDserver but their session does not contain any module or they cannot perform
any action as no right is granted to individual users.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. Edit the user information according to your needs. You can edit any detail except their
Pseudonym, all parameters are detailed in the procedure To add a local user.
1
If the user is of Unix type and the password is not printable, the system password is used.
1083
Managing Users
If you type in a different password from the initial one, you overwrite the user current pass-
word. Overwriting a user password can log them out after your changes, they may no longer
be able to log in.
7. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and includes the changes in the panel.
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the list Available group(s), you can select a group and click on . The group is moved to
the Selected group(s).
7. In the list Selected group(s) are displayed the group(s) the user belongs to. In other words,
the user profiles. You can remove a group from the list clicking on , the group is moved to
the list Available group(s).
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again and includes the changes in the panel.
If you want to set a specific password complexity, refer to the section Configuring the User
Password Complexity.
1084
Managing Users
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field Password, type in the new password.
7. In the field Confirm password, type in the password again.
8. Click on OK to complete the operation. The report opens and closes. The properties page
is visible again.
From the registry database, you can add a dedicated key and set its value using the regular ex-
pression, regex, that suits your needs. For instance:
# The following regex requires in the password at least: one uppercase character, one lowercase
# character, one digit and one punctuation mark.
.*(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^0-9a-zA-Z]).*
Once you added the registry key, you must change the passwords that do not match the regular
expression you set.
To edit the registry key to set the maximum number of failed connection attempts
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
1085
Managing Users
1086
Managing Users
Feb 23 16:09:37 solid httpd: SOLIDserver: too many connection attempts with invalid credentials.
Retry later.
1087
Managing Users
To enable/disable a user
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. Tick the user(s) of your choice.
4. In the menu, select Edit > Status > Enable or Disable. The corresponding wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The user(s) is marked
OK or Disabled in the column Status.
For more details regarding the reports and their generation, refer to the section Managing Reports.
Exporting Users
From the page Users, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting Users
Deleting local users prevents them from connecting to SOLIDserver and removes them from the
page Users.
Keep in mind that deleting users connecting remotely, like AD users, does not prevent them from
connecting. Once the rule is enabled, users are added locally upon connection and placed in an
existing group of users if their name matches the name of the group they belong to in the Active
Directory.
1088
Chapter 92. Managing Authentication
Rules
Authentication rules allow to securely log in external users to the GUI. These rules set up access
for users whose credentials are stored on remote Microsoft Active Directory, LDAP, RADIUS
servers and/or OpenID compatible identity providers.
To provide secure user connections, all remote authentications are challenged when a user
connects with their login and password. If several authentications rules are configured, the con-
nection process is the following:
1. The first authentication rule is used to authenticate the user. If it fails, SOLIDserver tries the
next authentication rule. Each configured authentication rule is tried and used, whether it relies
on Active Directory, LDAP, RADIUS or OpenID Connect, until it is successful or all authentic-
ations fail.
2. Either the user is granted access, or all rules failed and the user access to the GUI is denied.
3. When the authentication succeeds, the user rights are based on the group they belong to in
SOLIDserver.
Group Admin
admin@mycompany.corp
support@mycompany.corp
...
Group B
LDAP server user01@mycompany.corp
john.doe@mycompany.corp
...
LDAP authentication
rule enabled
Group A
Group B
john.doe@mycompany.corp
Group C
Figure 92.1. The user connection process when an authentication rule is enabled
To remedy any remote authentication issue, you must have at least one local admin user
configured. With a user in the group admin, you ensure that you have access to SOLIDserver
and can intervene in case of authentication failures, whether a remote directory or server is un-
reachable or a local group of users matching a remote group has insufficient rights or resources.
To set up LDAP or RADIUS remote authentication for SSH connections, refer to the appendix
Using Remote Authentication for SSH Connections to SOLIDserver.
1089
Managing Authentication Rules
AUTHENTICATION
GROUP OF USER
USERS
RESOURCE
SERVICE
By default, the list is empty. Only the rules you add are displayed on the page.
Each rule allows to enable user authentication relying on Active Directory, LDAP, RADIUS and
OpenID Connect. Note that:
• User credentials can be saved in several remote servers.
• SOLIDserver systematically checks all rules. To provide secure authentication, the credentials
of the user requesting access are compared to all the configured remote servers.
• If the user is found in Active Directory, LDAP, RADIUS and/or OpenID, they are granted
access. The rights and resources they have access to depend on the configuration set for
the local group(s) of users they belong to.
• If the user is not found in any server, or rule, they are denied access.
1090
Managing Authentication Rules
• The authentication rules check does not follow any specific order. Therefore, you must
keep your authentication servers up-to-date, with the same data. If a user is in the group A on
a server and in the group B on another server, there is no mean to set a preference for one
authentication rule over the other.
Active Directory (AD) is a technology created by Microsoft that provides a variety of network
services, including LDAP like directory services and other network information. SOLIDserver
supports remote authentication with any AD running on Microsoft Window Server 2008, 2008
R2, 2012 R2, 2016 or 2019.
To successfully authenticate users and take into account existing AD groups, you must
have:
1. At least one group added both on the AD server and among SOLIDserver groups of users
with the exact same name, down to the case. The group name in SOLIDserver must match
the AD group name, the group name is case sensitive.
2. Configured said group with the resources and rights that define the users profile.
3. Add and configure the AD authentication rule with the option Synchronize set to Yes. You can
even configure it to deny access to users that do not belong to an AD group.
With this configuration, AD users are automatically added as resource of the matching local
group when they connect, they are granted the relevant rights and resources.
Note that you can import all your users via CSV, you must choose rule as Authentication method.
For more details, refer to the section Importing Users in the chapter Importing Data from a CSV
File.
Once the rule is added, AD users can connect to SOLIDserver. Note that:
• The changes performed on the AD server are not immediately taken into account by SOLID-
server. To avoid waiting, you can delete the AD users you modified from the page Users, when
they connect again, SOLIDserver contacts the AD server and authenticates them with their
new parameters.
• If several email addresses are available for one user, only the first non-empty value is taken
into account.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. In the drop-down list Rule, select (000) AD authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
1091
Managing Authentication Rules
Select Yes if you want to synchronize SOLIDserver database with the AD database and
automatically add the users of the AD group name in the matching local group of users. Said
users are granted the same rights and resources as the local group. The box Expert mode
appears.
13. You can tick the box Expert mode to configure further the synchronization. The configuration
fields appear.
1092
Managing Authentication Rules
Field Description
Use sAMAccountName You can decide to use or not the sAMAccountName field as user login. This
field as login parameter is used for pre-AD installation (basically NTDS) and accepts 8-char-
acters long login names instead of regular longer names. This field is optional.
14. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.
If some users connections fail, some guidelines may help you troubleshoot the authentication.
Lightweight Directory Access Protocol (LDAP) is an application protocol over TCP/IP for querying
and modifying directory services that might hold passwords, addresses, groups, public encryption
keys and other exchange-facilitating data.
To set up authentication for SSH connections, refer to the appendix Using Remote Authentication
for SSH Connections to SOLIDserver.
To successfully authenticate users and take into account an existing LDAP group, before
the first user connection you must:
1. Add a group of users within SOLIDserver matching the relevant LDAP group. This local group
must have the same name as the LDAP group. Therefore, to include the whole LDAP repository
tree structure, it may look as follows: cn=group1,ou=Groups,dc=example,dc=com.
2. Add and configure the LDAP authentication rule with the option Group attribute set to match
this LDAP group.
With this configuration, LDAP users are automatically added as resource of the matching local
group when they connect, they are granted the relevant rights and resources.
If you have clients distributed among several LDAP groups, you can decide to add local groups
that only use the section Common Name (CN) of your LDAP groups. To do so you need to tick
the relevant box during the rule configuration. Keep in mind that if you tick this box, the name of
all LDAP groups you add within SOLIDserver must only use the CN. You cannot mix long and
short group names in the database to authenticate LDAP users.
Note that you can import all your users via CSV, you must choose rule as Authentication method.
For more details, refer to the section Importing Users in the chapter Importing Data from a CSV
File.
Once the rule is added, LDAP users can connect to SOLIDserver. Note that:
1093
Managing Authentication Rules
• The changes performed on the LDAP server are not immediately taken into account by
SOLIDserver. To avoid waiting, you can delete the LDAP users you modified from the page
Users, when they connect again, SOLIDserver contacts the LDAP server and authenticates
them with their new parameters.
• If several email addresses are available for one user, only the first non-empty value is taken
into account.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. From the list Rule, select (018) LDAP authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.
8. Click on NEXT . The page Rule parameters opens.
9. Configure the rule parameters as follows.
1094
Managing Authentication Rules
Field Description
strict manner and do not not specify an account with sufficient rights,
standard users might not be able to browse their own attributes.
Password f you specified a Login, type in its account password.
10. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that uses access
servers to provide centralized access management to large networks.
To set up authentication for SSH connections, refer to the appendix Using Remote Authentication
for SSH Connections to SOLIDserver.
You can use FreeRADIUS or RADIUS for Cisco ACS with SOLIDserver. For more details, refer
to the appendix Configuring RADIUS.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. In the list Rule, select (017) RADIUS authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.
8. Click on NEXT . The page Rule parameters opens.
9. Configure the rule parameters following the table below:
1095
Managing Authentication Rules
10. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.
OpenID Connect is an authentication protocol, based on the OAuth 2.0 family of specifications.
It uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the
OAuth 2.0 specifications. It is commonly used by external identity providers like Google or Microsoft
Azure.
Note that once users are authenticated and logged in SOLIDserver, when they log out of their
GUI session they are not logged out of their identity provider session.
Prerequisites
1. SOLIDserver system configuration
• Make sure that the appliance is time synchronized using NTP.
• Make sure that the appliance can reach a DNS resolver and resolve domain names.
• Make sure that the appliance can be accessed through a URL.This URL is used to configure
the application on the provider side.
1096
Managing Authentication Rules
2. On the provider side, register and configure an application with the proper tokens
• You must name your application and set it with the URL of your SOLIDserver appliance.
• The identity provider must support the following claims: name, email, given name and family
name. For Azure users, the email address must be specified in the field upn. You can also
include the user image.
All the users that can access the application can also access your SOLIDserver appliance,
but they cannot perform any operation if they do not belong to any group.
3. On SOLIDserver side, configure user access
As OpenID authentication does not rely on any group, you must prepare groups locally:
• Add one or more groups of users, grant them all the relevant rights and resources to set
user profiles.
• Add the application users and configure them with the email address declared.
• Add all users as resource of the relevant group(s).
When users connect for the first time, they are identified using their email address and granted
the rights of the group they belong to. If they are not part of any group of users, they cannot
access any module or perform any operation.
Limitations
• You can only configure one OpenID provider per SOLIDserver appliance.
• You can only add the OpenID authentication rule once.
• You can only configure the authentication details via CLI, through an SSH connection to
SOLIDserver.
• If you configure OpenID authentication on appliances configured in High Availability:
• To be able to access the Hot Standby appliance, users must have logged to the Master ap-
pliance first. Once they do, their user information is saved on the Master and replicated on
the Hot Standby.
• If no VIP is set for the appliances, both appliances must have their own authentication con-
figuration. Therefore, each must have as application on the provider side and a unique au-
thentication configuration file that includes its URL. If a VIP is set, one application can au-
thenticate both appliances, the local configuration file of the Master is replicated on the Hot
Standby.
• There is no user synchronization, you need to manually edit the group(s) of users if you want
to grant or deny access to specific users.
Once you met all the prerequisites and took into account all the limitations, you must:
1. Configure the authentication on the identity provider side.
2. Create the relevant authentication file in SOLIDserver, via CLI.
Keep in mind that if you configure the authentication on appliances in High Availability, you must
perform both operations on each appliance.
1097
Managing Authentication Rules
<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client-id>
OIDCClientSecret <secret>
OIDCRedirectURI https://<solidserver>.int.efficientip.com/auth/redirect_uri
OIDCCryptoPassphrase <passphrase>
OIDCScope "openid email"
</IfDefine>
For more details, refer to the section Configuring OpenID Authentication for Google in the ap-
pendix Configuring OpenID Authentication.
<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so
OIDCProviderMetadataURL
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
OIDCClientID <client-id>
OIDCClientSecret <secret>
OIDCRedirectURI https://<solidserver>.int.efficientip.com/auth/redirect_uri
OIDCCryptoPassphrase <passphrase>
OIDCScope "openid profile email"
</IfDefine>
For more details, refer to the section Configuring OpenID Authentication for Azure in the ap-
pendix Configuring OpenID Authentication.
Once you configured the authentication, you can add the authentication rule from the GUI.
Note that if you configure the authentication on appliances in High Availability, you only need to
add the rule on the Master appliance, the Hot Standby retrieves it.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. In the list Rule, select (184) OpenID Connect authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
1098
Managing Authentication Rules
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.
8. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.
Now the login page includes a link External authentication under the default login fields. You
should customize the page to specify the identity provider in the link message or include their
logo.
When the rule is added, you should edit the authentication message on SOLIDserver login page
to let users know which identity provider is now available.You can also include the identity provider
logo. Both the link and the logo allow to access the external authentication.
Note that if you configure the authentication on appliances in High Availability, you only need to
customize the login page of the Master appliance, the Hot Standby retrieves all details.
If you want to include the identity provider image, you must upload it to the Local files listing and
then set the image name as value of the dedicated registry database entry. The image is shrunk
if it exceeds 100x100 pixels.
1099
Managing Authentication Rules
g. Click on OK to complete the operation. The report wizard opens and closes. The image
is listed.
3. Include the image on the login page:
a. In the sidebar, click on Admin Home. The page Admin Home opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with login.auth.ext.image.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on <empty>. The wizard Registry database Edit a value
opens.
f. In the field Value, type in the full name of the image, including its extension.
g. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new value is displayed.
You can disable them and stop authenticating the corresponding remote users. When you enable
it again, the rule is checked again at every user connection.
1100
Managing Authentication Rules
2. In the sidebar, go to Users, Groups & Rights > Authentication rules.The page Authentication
rules opens.
3. Tick the rule(s) of your choice.
4. In the menu, select Edit > Enable or Disable. The corresponding wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The rule is listed and
marked OK or Disabled in the column Status.
1101
Part XIX. Administration
The module Administration should be handled by an administrator as it allows to manage remote appliances
and monitor, maintain or upgrade SOLIDserver. Its homepage, Admin Home, is divided into six sections
that contain links toward all the pages of the module.
Note that from the module Dashboards, you can gather gadgets and charts on System dashboard to
monitor the module data or set up custom shortcuts and search engines. For more details, refer to the part
Dashboards.
Some pages and options of the module Administration are detailed in other parts:
• The link Certificates and keys opens the pages All certificates, detailed in the section Changing the HTTPS
Certificate, All GSS-TSIG keys, detailed in the chapter Implementing Dynamic Update and All database
keys detailed in the chapter Securing.
• The part Configuring SOLIDserver details Network configuration, Services configuration and Licenses.
• The part Rights Management details Users, Groups and Authentication rules.
• The part Customization details the GUI customization options, including Language editor, and the pages
Class Studio, Custom DB and Packager. This part also details Smart Folders and IPv6 labels.
Table of Contents
93. Centralized Management ........................................................................................ 1105
Browsing Centralized Management ...................................................................... 1105
Configuring SOLIDserver to Remotely Manage Other Appliances ........................... 1108
Adding Remote Appliances .................................................................................. 1109
Managing the Services and Network Configuration of Another Appliance ................ 1111
Monitoring the Appliances Managed from the Page Centralized Management ......... 1112
Configuring Two Appliances in High Availability ..................................................... 1115
Editing Remote Appliances .................................................................................. 1118
Managing a High Availability Configuration ............................................................ 1119
Replacing Appliances Managed Remotely ............................................................ 1130
Exporting Remote Appliances .............................................................................. 1132
Deleting Remote Appliances ................................................................................ 1132
94. Managing Licenses ................................................................................................ 1135
Browsing the License and License Metrics ............................................................ 1135
Refreshing the Metrics of a License ...................................................................... 1137
Renewing the Licenses ........................................................................................ 1137
Exporting Licenses .............................................................................................. 1141
95. Monitoring ............................................................................................................. 1142
Managing Reports ............................................................................................... 1142
Managing Alerts .................................................................................................. 1151
Managing the Logs .............................................................................................. 1157
Monitoring the Appliance Statistics ....................................................................... 1160
Monitoring from Session Tracking ......................................................................... 1162
Monitoring from User Tracking .............................................................................. 1162
Forwarding Events ............................................................................................... 1164
Managing SNMP Profiles ..................................................................................... 1168
Monitoring Using SNMP ...................................................................................... 1170
Displaying Netstat Data ....................................................................................... 1170
Sizing the Database Tables .................................................................................. 1171
96. Maintenance .......................................................................................................... 1173
Managing Files from the Local Files Listing ........................................................... 1173
Using the Maintenance mode ............................................................................... 1180
Updating the Macros and Rules ........................................................................... 1180
Clearing the Appliance Cache .............................................................................. 1181
Troubleshooting ................................................................................................... 1181
Managing Backups and Restoring Configurations .................................................. 1184
Shutting Down and Rebooting .............................................................................. 1189
97. Securing ................................................................................................................ 1193
Managing SSL Certificates .................................................................................. 1193
Encrypting the Database ..................................................................................... 1202
98. Upgrading ............................................................................................................. 1209
Prerequisites ....................................................................................................... 1209
Upgrading an Appliance ....................................................................................... 1209
Upgrading Appliances Managed Remotely ............................................................ 1211
Upgrading Appliances in High Availability .............................................................. 1212
Troubleshooting the Upgrade ............................................................................... 1215
1104
Chapter 93. Centralized Management
In the module Administration, the page Centralized Management allows administrators to:
• Monitor appliances, locally and remotely. The page returns system, hardware, licence and
maintenance information. For more details, refer to the section Monitoring the Appliances
Managed from the Page Centralized Management.
• Manage remotely other appliances. From the Management appliance you can manage the
service and network configuration, monitor and upgrade remote appliances.
• Set up high availability between the local appliance and a remote one. In such a configuration
the Master appliance contains all the data you manage and the Hot Standby replicates the
Master database but can have a specific configuration of its services and network.
Whether you want to manage remote appliances or set up a high availability configuration, you
must:
1. Configure the local appliance.
2. Add a remote appliance to the page Centralized Management.
Note that with remote appliances or a high availability configuration, the upgrade can be performed
remotely. For more details, refer to the chapter Upgrading.
Appliances do not have a properties page, all details and properties can be displayed in the
columns. Note that the columns Local and Role provide specific information on the local or remote
appliances. For more details, refer to the next section.
The columns on the page provide details regarding the local appliance and any remote appliance,
whether it is configured in High Availability or not. A set of columns are displayed by default, extra
columns dedicated to more specific data are also available.
1105
Centralized Management
1106
Centralized Management
Column Description
Last write period The last time the Hot Standby replicated the Master database.
Time drift The difference, in seconds, between the Master NTP and the Hot Standby NTP. That drift
should not exceed a minute (60 in the column) as this could have consequences on the
DHCP failover replication.
Replication offset The difference, in kilobytes, between the Master database and the Hot Standby database.
As the replication is almost in real time, the difference should be minimal. A great value
in this column could indicate a network disruption. If the Replication offset is Unknown,
the remote SOLIDserver is in Timeout.
Status The appliance status, for more details refer to the section Understanding the Statuses on
the Page Centralized Management.
In addition to the default columns, you can display columns dedicated to system and hardware
information, among other things.
Table 93.2. The other columns available on the page Centralized Management
Column Description
CPU load (5 min) The load of all the appliances' CPU cores, on an average of 5 minutes. You can monitor
and use the values in this column to return the specific statuses in the column System
State, as detailed in the section Configuring Specific Thresholds to Monitor the Column
System State.
Device OS version The appliance architecture, either amd64 or i386. i386 is only displayed for remotely
managed appliances in version prior to 6.0.x.
Disk I/O load (%) The load of the appliance disk I/O, in percent. You can monitor and use the values in this
column to return the specific statuses in the column System State, as detailed in the section
Configuring Specific Thresholds to Monitor the Column System State.
Fans status OK: the appliance fan(s) is/are up and running.
N/A: no information on the appliance fan(s) is available.
Disabled: the appliance fan(s) is/are set to disabled.
Critical: at least one appliance fan returns an error (not running, on failure...).
Firmware date The software image release date.
HDD space The space used on the partition /data1 of the appliance, in percent. You can monitor and
use the values in this column to return the specific statuses in the column System State,
as detailed in the section Configuring Specific Thresholds to Monitor the Column System
State.
LAGG status OK: the appliance LAGG interface(s) is/are up and running.
N/A: no information can be retrieved from the appliance LAGG interface(s).
Disabled: no LAGG interface is configured as active on the appliance.
Critical: at least one appliance LAGG interface is down.
Last write time The exact time of the last database replication.
Memory usage (%) The memory usage of the appliance, in percent. You can monitor and use the values in
this column to return the specific statuses in the column System State, as detailed in the
section Configuring Specific Thresholds to Monitor the Column System State.
Multi-status The multi-status of the appliance.
Power Supply Units OK: the appliance power supply unit(s) is/are up and running.
status N/A: no information can be retrieved from the power supply unit(s). For instance, on a
virtual appliance or if the appliance has only one PSU.
Disabled: no PSU redundancy is available on the appliance.
Critical: one of the appliances' power supply units is unplugged or defective.
RAID status The status of the RAID disk(s) of SOLIDserver 4th generation hardware appliances (from
SOLIDserver-550) and of all SOLIDserver 5th generation hardware appliances.
1107
Centralized Management
Column Description
OK: the appliance RAID disk(s) is/are up and running.
N/A: no information can be retrieved from the appliance RAID disk(s).
Disabled: no RAID disk is enabled on the appliance.
Critical: the appliance RAID disk(s) is/are enabled but is degraded or offline.
Remote time The time of the remote appliance(s) managed through the local appliance.
Time The appliance date and time.
Not configured The local appliance has not been configured yet.
Upgrading... The Hot Standby appliance is being upgraded from the Master appliance.
Split-brain Two appliances are in Restricted mode due to a split-brain. For more details, refer
to the section Troubleshooting a Split-brain.
Repl. stopped The replication stopped, the connection is lost between the appliances. For more
details, refer to the section Configuring Specific Behaviors if the Replication Takes
a Long Time or Stopped.
Configuring an appliance locally means assigning it an IP address. It sets the grounds for remote
management and differentiates appliances:
• For remote management, it differentiates the Management appliance from the remote appliance.
• For high availability configurations, it differentiates the Master appliance from the Hot Standby
appliance.
1108
Centralized Management
In the column Local, your appliance is marked Yes. It does not have an IP address, which
is why its Status is Not configured.
4. In the menu, select Tools > Configure local SOLIDserver. The wizard Configure local
SOLIDserver opens.
5. In the drop-down list SOLIDserver IP address, select the IP address of the appliance you
are currently configuring.
6. Click on OK to complete the operation. The report opens and closes. On the page Centralized
Management, the local appliance details are now complete. Its Role is Standalone and its
Status OK.
Once the appliance is configured, you need to add other appliances to remotely manage them
from the pages Centralized Management, Network configuration and Services configuration.
The local appliance becomes a management platform where you remotely manage and/or
monitor other SOLIDserver appliances via the drop-down list SOLIDserver available on the pages
Network configuration, Services configuration, Syslog and System statistics of the module Admin-
istration.
Prerequisites
• You must have at least two SOLIDserver appliances.
• You must configure the management platform locally, for more details refer to the section
Configuring SOLIDserver to Remotely Manage Other Appliances.
• The appliances remotely managed must be in software version 5.0.0.P0 or higher.
• The remote management can only be configured from and with appliances using an IPv4 ad-
dress.
• On all appliances, the NTP should be configured to make sure they are all set at the same
time and date. For more details, refer to the section Configuring NTP Servers.
1109
Centralized Management
Note that if no class is set and enabled, the class dedicated page is automatically skipped.
Applying a class on an object can impact the configuration fields available and/or required,
for more information contact your administrator.
6. In the field SOLIDserver IP address, fill in the IP address of the appliance you want to add
to the list.
7. In the field "Admin" account password, you can type in the password of your SSH account.
By default, the default password of the account, admin, is automatically specified in the field.
8. If you want to monitor the remote appliance, tick the box SNMP parameters. The configuration
fields open.
9. Click on OK to complete the operation. The new appliance is listed. Its Role is Standalone
and its Status is Remote (managed).
1110
Centralized Management
All appliances are listed as follows: <hostname> (<IP address>). If an appliance is not
reachable, it is listed as follows: <hostname> (<IP address>) - Timeout.
4. Edit the network configuration according to your needs. For more details, refer to the chapter
Configuring the Network.
Keep in mind that you can edit any service except the source email address of the alert.
The address noreply@efficientip.com that sends you the alert notifications has to be edited locally.
All appliances are listed as follows: <hostname> (<IP address>). If an appliance is not
reachable, it is listed as follows: <hostname> (<IP address>) - Timeout.
4. Edit the service configuration according to your needs. For more details, refer to the chapter
Configuring the Services.
1111
Centralized Management
All appliances are listed as follows: <hostname> (<IP address>). If an appliance is not
reachable, it is listed as follows: <hostname> (<IP address>) - Timeout.
5. In the drop-down list Service, select the service of your choice
6. Filter the column Log according to your needs.
Note that, if your remote appliances are in version 6.0.1 or higher, you can even generate the
statistics reports of a remote appliances. For more details, refer to the section Generating a Report.
You can only display the statistics of a remote appliance in version 6.0.1 or higher, appliances
in lower versions are listed as follows: <hostname> (<IP address>) - Not supported.
For more details regarding each chart, refer to the section Monitoring the Appliance Statistics.
1112
Centralized Management
With high availability configurations, monitoring any time drift between the Master and Hot Standby
is paramount. Both appliances should be set at the same time. To ensure there is no shortage
of data on the Hot Standby appliance in case it needs to become a Master:
1. We strongly recommend that you configure the time and date of both the Master and
Hot Standby appliances via NTP servers. For more details, refer to the section Configuring
NTP Servers.
2. You can configure the alert Member clock drift that monitors the time drift between the Master
and the Hot Standby.
If you do not want to enroll any remote appliance as Hot Standby, the synchronization is optional.
If your local and remote appliances are set at the exact same time, it is useless to configure the
alert Member clock drift; you might even disable it. For more details, refer to the section Enabling
or Disabling Alerts.
The alert Member clock drift monitors the time difference between the Management or Master
appliance and the remote appliance(s) it manages. The alert is triggered if the time of any remote
appliance, whether a Hot Standby or not, has drifted too much from the management appliance
time.
You can edit the alert definition settings to suit your needs. By default:
• The alert is based on a filter of the column Time drift. The filter is set with a 20 seconds threshold
as follows: > 20 || < -20. The alert is raised:
• If the absolute time difference between the remote appliance and the Management or Master
appliance is higher than 20 seconds.
• If the absolute time difference between the remote appliance and the Management or Master
appliance is lower than 20 seconds.
To edit the threshold, refer to the procedure To edit the threshold of the alert Member clock
drift.
• The time difference check is performed every 5 minutes. To edit the frequency, refer to the
procedure To edit the alert Member clock drift default frequency and recipients.
• The alert sends an email alert to the users of the group admin. If you did not configure the
users' email address properly, they are not notified. To edit the recipients, refer to the procedure
To edit the alert Member clock drift default frequency and recipients below.
1113
Centralized Management
8. On the right-end side of the menu, click on . The wizard Quit editing the alert filters opens.
9. Tick the box Save changes before quitting to save your new filter.
10. Click on OK to complete the operation. The report opens and closes. You are redirected
back to the page Alerts Definition.
To edit the alert Member clock drift default frequency and recipients
You can edit some registry database entries to set up thresholds and ensure that the system
state is Warning or Critical based on the value of the columns CPU load (5 min), Disk I/O load
(%), HDD space and Memory usage (%).
Table 93.5. The configurable registry database entries to return Critical and Warning System states
Registry database entry Description
module.system.member_snmp_cpu_crit Returns Critical if the value of the column CPU load (5 min) matches
or exceeds the value you set for the entry. By default, it is set to
150.
module.system.member_snmp_cpu_warn Returns Warning if the value of the column CPU load (5 min)
matches or exceeds the value you set for the entry. By default, it is
set to 100.
module.system.member_snmp_hdd_crit Returns Critical if the value of the column HDD space matches or
exceeds the value you set for the entry. By default, it is set to 90
%.
1114
Centralized Management
The thresholds that you set only apply to the column System State on the appliance where you
configure the registry database. For that reason, if you manage remote appliances or a high
availability configuration, you should edit the entries on the Management or Master appliance.
1115
Centralized Management
With SOLIDserver, High Availability implies that you connect together two appliances where one
local appliance is a Master and the other, a remote one, is a Hot Standby, i.e. a read-only backup
server replicating the content of the Master appliance database.
Hot Standby
Master
The Master and Hot Standby appliances work together to make sure that when the automatic
switch is enabled, if the Master crashes or encounters any problem, the Hot Standby can
replace it immediately and vice versa. Therefore, the Hot Standby must replicate the Master
database as often as possible.
Prerequisites
• You must have two SOLIDserver appliances.
• The HA configuration can only be configured from and with appliances using an IPv4 address.
• The Master appliance should be configured locally as detailed in the section Configuring
SOLIDserver to Remotely Manage Other Appliances.
• The future Hot Standby must be added to the page Centralized Management of the Master as
detailed in the section Adding Remote Appliances.
1116
Centralized Management
Limitations
• The database High Availability is configurable only for two appliances.
• We strongly advise against displaying several HA configurations on the page Centralized
Management. If you add an appliance to this list, it means that you want to manage it.Therefore,
if you decide to add to your managing appliance two appliances configured in High Availability,
it means that you intend to manage them from the managing appliance. On the page Centralized
Management of the appliances in HA, the appliance Status changes from OK to Invalid creden-
tials because the local admin management password overwrites the management password
locally set on the Master appliance of this other HA configuration.
• The HA does not support the configuration of a NAT between the two appliances. Both
appliances send their local IP address when they communicate, therefore the converted IP
address cannot be used in the HA communication. Configuring a NAT might even break the
HA configuration.
• If you encrypted the database, you cannot enroll a remote appliance as Hot Standby if the
Active key of the local appliance, the future Master, is missing or corrupted.
This configuration has to be done from the future Master appliance and can be done on layer 2
or 3 of the network. For more details, refer to the section Frequently Asked Questions.
Keep in mind that for the configuration to be viable and effective the two appliances must:
• Match the prerequisites.
• Be set at the same time. For more details, refer to the section Configuring NTP Servers.
• Have the same version of SOLIDserver.
• Have the same performance rate, to ensure a smooth transition. In the event of a switch, the
former Hot Standby has retrieved all the database information and can actually provide the
same performance and efficiency as the original Master.
• Have the same architecture (32 bits or 64 bits).
1117
Centralized Management
1. The information on the page Centralized Management of the Master is now also available on
the Hot Standby appliance.
2. On the page Centralized Management of the Hot Standby appliance, the only operation
available is switching the appliances role. For more details, refer to the section Switching the
High Availability Configuration.
3. The Hot Standby appliance is now in read-only mode. Every modification made on the Master
appliance is copied in the Hot Standby database almost in real-time.
You can no longer edit the remote appliance database locally but you can still edit the services
and network configuration of both appliances separately. For more details, refer to the sections
Managing the Network Configuration of a Remote Appliance and Managing the Services
Configuration of a Remote Appliance.
4. The Hot Standby appliance replicates the content of the Master appliance database to provide
an efficient backup if it has to replace the current Master appliance.
• From the page Centralized Management of the Master appliance, you should monitor the
columns Time drift and Replication offset, to make sure that the Hot Standby appliance
properly replicates the database. If at some point the replication stops, you can enroll again
the Hot Standby appliance following the procedure To configure High Availability between
two appliances.
• You can, for instance, configure and enable the automatic switch so that, if the Hot Standby
has not replicated the Master database in the last 60 seconds, it should check the Master
status three times in a row, every 4 seconds. If there is no response (timeout, etc.), the Hot
Standby switches to Master. For more details, refer to the section Controlling the Automatic
Switch Mechanisms if the Network is Unreliable.
Note that the automatic switch is not enabled by default. You can manually enable it.
For more details, refer to section Configuring High Availability Advanced Options.
Note that for security purposes, the field "Admin" account password is emptied out in the
edition wizard.
7. Click on OK to complete the operation. The new appliance is listed. Its Role is Standalone
and its Status is Remote (managed).
1118
Centralized Management
This option is useful if any new file on the Master appliance has not been replicated yet on the
Hot Standby or if you intend to manually switch the appliances roles in the configuration, as detailed
in the section Switching the High Availability Configuration
Note that if you enabled the automatic switch, the option is automatically launched before the
switch.
1119
Centralized Management
Via the option Manually switch local SOLIDserver to master you can switch a configuration. Note
that:
• The option must be executed from the Hot Standby as you cannot make a Master change
its role to Hot Standby.
• The switch is no longer automatic by default. If you want to automatically detect potential
problems on the Master (timeout, crash...) and switch the appliances roles, you must enable
this behavior. For more details, refer to the section Configuring High Availability Advanced
Options.
• Even with the automatic switch enabled, you can manually switch the configuration at any time.
The Role of the former Hot Standby appliance is Master (recovered). The former Master
appliance is marked Master (Hot Standby init). For more details, refer to the table The
default columns on the page Centralized Management.
The Hot Standby appliance is unavailable until it has replicated the Master database
Once you configured the high availability, you can set up an automatic switch of the appliances
role. First of all, you need to check if the behavior is enabled.
1120
Centralized Management
To enable it or set custom switch behaviors, refer to the section Controlling the Automatic
Switch Mechanisms if the Network is Unreliable.
If your network is unreliable, you can monitor both appliances thanks to:
• The column Offset replication, it allows to monitor the Hot Standby database reliability.
• Some keys in the registry database that allow to control the switch mechanism, avoid flapping
and ensure that the switch occurs if and only if there is a problem on the Master appliance.
The High Availability dedicated keys each serve a specific purpose and can impact or be impacted
by one another. They allow to:
Control the automatic switch
This key is disabled on fresh installations and the switch is no longer automatic by
default, its value is -1. Note that after an upgrade from a previous version, it can still be en-
abled.
You can edit the key to enable the automatic switch again. Its usual value is 3600 seconds,
if the last write period is greater than an hour, the two appliances cannot switch automatically.
The key can be set with values between -1 and 2^31. Setting the key to 0 or -1 prevents the
automatic switch altogether, regardless of the values set for the other High Availability ded-
icated keys described below. Any value greater than 0 enables the switch.
Keep in mind that if you stop the automatic switch, if your appliances stop communicating
and the Hot Standby stopped replicating the Master database, you must configure the HA
again. For more details, refer to the section Disabling the HA Configuration Without Losing
the Database.
Set the maximum period of time a switch should take
By default, it is set to 1000 seconds, if the Hot Standby initialization stage has not evolved
after 16 minutes, the enrollment or switch stops and the appliance keeps its current role as
Standalone or Master.
Setting a high value for this key is useful if the Master database is very large or if your network
is not reliable.
Set a replication lag period before switching
By default, it is set to 60 seconds, if the Hot Standby has not replicated the database in the
last 60 seconds, it tries to contact the Master appliance n times (n is defined by the key
module.system.hot_standby_switch_retry). If the Master is not responding, i.e. it does not
send its role and status, the Hot Standby switches to Master.
1121
Centralized Management
By default, it is set to 3 attempts, if the Hot Standby appliance cannot connect to the Master
and check its role and status, it tries to get an answer 3 times in a row. If after 3 attempts
there is still no answer, it takes over the Master role.
Keep in mind that the retries check frequency is defined by the key module.sys-
tem.hot_standby_switch_sleep detailed below.
Set a connection timeout between the appliances
By default, it is set to 4 seconds. If after 4 seconds, the connection is not established, the
Hot Standby considers the Master appliance to be down. It then waits for n seconds (the
value of the key module.system.hot_standby_switch_sleep) until it tries establishing a con-
nection again.
Keep in mind that the number of connection retries is defined by the key module.sys-
tem.hot_standby_switch_retry, and that the retry frequency depends on the key module.sys-
tem.hot_standby_switch_sleep.
Set the frequency of the retries
By default, it is set to 4 seconds, if the Hot Standby does not get an answer from the Master,
it tries every 4 seconds n times (depending on the number of retries you set for the key
module.system.hot_standby_switch_retry).
Prevent unexpected switches during minor issues on the network
Among other configurations, the registry database entries can be used to prevent unexpected
switches if the network experiences minor issues. To do so you should increase the switch
lag period (the value of the key module.system.hot_standby_max_replication_lag) and/or
the number of retries (the value of the key module.system.hot_standby_switch_retry). Keep
in mind that a large number of retries might overload the network.
To disable the automatic switch altogether, refer to the section detailing how to control the
automatic switch.
To configure the high availability switch behavior from the registry database
1122
Centralized Management
6. In the field Value, type in the value of your choice. For more details, refer to the high availab-
ility keys.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.
At some point you might plan on disrupting the network or shutting it down for potential repairs,
equipment changes... In this case, we strongly recommend that you disable the HA config-
uration.
Indeed, in any event of a network disruption, the appliances configured in High Availability go in
Timeout or switch their roles. If the switch is unsuccessful, when the appliances start again you
may have two Master appliances and a potential case of split-brain. With no appliance set as
Hot Standby, you need to decide which one should switch to this role. For more details, refer to
the section Troubleshooting a Split-brain.
To prevent any loss of data, we suggest that you follow the procedure in the section Disabling
the High Availability Configuration. Once the network is back on, you must configure the HA
again.
A set of keys in the registry database allow to automatically re-enroll the Hot Standby, that is
to say replicate again the entire database of the Master.You can customize the triggers or disable
the functionality. The automatic re-enrollment applies if:
The database replication stopped
If the replication stopped because the Hot Standby is no longer connected, the Master
automatically re-enrolls it. On the page Centralized Management, the Hot Standby status is
Repl. stopped.
With a large Replication offset a switch could make you lose the latest changes. You can
monitor the offset and set a threshold to automatically re-enroll your Hot Standby.
• The key module.system.warning_replication_lag allows to set the maximum replication
offset before generating a warning message in the logs. By default, it is set to 10240 kB.
• The key module.system.max_replication_lag allows to set the maximum replication offset
before re-enrolling the Hot Standby. By default, it is set to 307200 kB. Note that if the
automatic re-enrollment is disabled, the offset is ignored.
To make sure that the Master does not try re-enrolling the Hot Standby indefinitely, it
automatically tries the re-enrollment a maximum of 3 times over 24 hours. If it does not
succeed, a message is displayed in the GUI and you need to troubleshoot the HA yourself.
For more details, refer to the section Troubleshooting the Messages.
• The key module.system.auto_replication_repair.threshold allows to set how long the
maximum replication offset can be exceeded before re-enrolling the Hot Standby. By default,
it is set to 60 times 10 seconds, i.e. if the module.system.max_replication_lag is exceeded
during 10 minutes or more, the re-enrollment is triggered.
1123
Centralized Management
Note that to be notified of any replication delay before the Hot Standby is automatically re-
enrolled, the value of the key module.system.warning_replication_lag should be lower than
the value of the key module.system.max_replication_lag.
Note that once the key is disabled, the key module.system.max_replication_lag is ignored.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.
1124
Centralized Management
To set how long the maximum replication offset can be exceeded before
re-enrollment
If you do not meet all the requirements listed above, warning messages are displayed on the Hot
Standby appliance GUI.
To help you monitor the High Availability configuration a set of red messages can be displayed
on all the pages of the appliances to inform or warn you.
1125
Centralized Management
The two SOLIDserver appliances you configured in High Availability have DIFFERENT
ARCHITECTURES. They must have the same architecture for the database replication to
work.
• Appliance: Master.
• Problem: The Master and Hot Standby appliances do not have the same architecture version,
therefore the database replication is impossible.
• Solution: Upgrade the Hot Standby appliance from the Master appliance: the Hot Standby is
automatically upgraded to the architecture version of the Master. For more details, refer to the
section Upgrading Appliances Managed Remotely in the chapter Upgrading.
The two SOLIDserver appliances you configured in High Availability have DIFFERENT
VERSIONS. To avoid configuration problems you should upgrade the Hot Standby from
the Master.
• Appliance: Master.
• Problem: The Master and Hot Standby appliances do not have the same version of SOLIDserver,
therefore the database replication may encounter some problems.
• Solution: Upgrade the Hot Standby appliance from the Master appliance: the Hot Standby is
automatically upgraded to the version of SOLIDserver of the Master. For more details, refer to
the section Upgrading Appliances Managed Remotely in the chapter Upgrading.
1
This information is displayed in the gadget System information of the Master appliance Home page.
1126
Centralized Management
• Problem: During the appliances switch, the Hot Standby became Master and the former Master
stayed Master as well.The automated detection could not resolve the situation. For more details,
refer to the section Troubleshooting a Split-brain.
• Solution: Disable the High Availability configuration following the split-brain manual resolution.
You are in Restricted mode. From the page Centralized Management you can go back to
Normal mode: either configure the local SOLIDserver or delete all the remote appliances.
• Appliance: Master and Hot Standby.
• Problem: Either your appliances are in split-brain, one of them is in Timeout or the replication
stopped.
• Solution: Follow the troubleshooting solution of the other message displayed in the GUI. Each
problem has a specific solution.
Troubleshooting a Split-brain
If appliances configured in High Availability did not successfully switch roles and both end up as
Master appliances, they may be in split-brain. In which case, the replication stops and you may
need to intervene.
With two Master appliances, whether they are both Master or one is Master and the other is
Master (recovered), there no longer is a backup appliance and both appliances could potentially
overwrite each other's changes.
To help prevent the split-brain, a set of checks are performed, when the appliances communicate
once again:
1. SOLIDserver starts up in Restricted mode and goes back in normal mode if and only if no High
Availability conflicts are detected.
2. SOLIDserver checks if both appliances share the same version. If not, a message is displayed
on every page of the appliance with the latest version.
3. SOLIDserver checks if both appliances share the same role.
If it turns out that both appliances are Master, the automated detection checks are ran to avoid
staying in Restricted mode.
If the automated resolution cannot reconfigure the High Availability, you need to perform the
manual resolution.
Automated Detection
When a Master appliance detects that the other appliance is also a Master, SOLIDserver performs
three checks to try and avoid a case of split-brain:
1. If no appliance has been edited since the last synchronization: the last appliance that
switched to Master remains Master and enrolls the other appliance as Hot Standby.
1127
Centralized Management
2. If one appliance has been edited since the last synchronization: the last appliance that
was modified becomes Master and enrolls the other appliance as Hot Standby.
3. If both appliances have been edited since the last synchronization: SOLIDserver puts
them in Restricted mode with the status Split-brain, as specified in the red banner message
displayed on every page of both appliances. To configure the appliances in High Availability
again, refer to the manual resolution.
Manual Resolution
The manual resolution is only needed when the appliances in HA are in a case of split-brain that
puts them in Restricted mode, as specified in the red message displayed on every page of both
appliances. This mode implies two behaviors:
1. The synchronization between the appliances stopped, as if you had two Standalone appliances
with the same HA UID.
2. You can still edit the database of both appliances but no changes are actually pushed on the
physical server(s).
In some cases, like in the event of a split-brain, you might want to disable the HA configuration
but keep both appliances database. In this case, you need to switch one appliance to Standalone.
In any other case, disabling the configuration should be done using the standard procedure
detailed in the section Disabling the High Availability Configuration.
2. It is impossible to switch a Master appliance to Standalone if it has a Hot Standby.
3. The Hot Standby appliance must always be the first one to be switched to Standalone.
4. Switching an appliance to Standalone erases the database entirely whether the appliance is
a Hot Standby or a Master. So if you switch both appliances to Standalone, you erase your
entire database.
5. Switching an appliance to Standalone automatically saves a backup file for the appliance.
6. Switching an appliance to Standalone has to be done locally.You must connect to the appliance
via its IP address.
1128
Centralized Management
The appliance Role is now Standalone. During the switch, the appliance might be unavailable.
Once the former Hot Standby appliance has rebooted and is reachable:
• Connect to its GUI via its IP address and log in using the credentials of a user belonging to the
group admin.
• Configure the Internal module setup once again. For more details, refer to the section Defining
the Internal Module Setup.
• Make sure the appliance is a Standalone, either in the General information gadget of the appli-
ance home page or on the page Centralized Management directly.
• You can display or download its backup file from the page Backup & Restore. For more details,
refer to the section Managing Backups and Restoring Configurations.
Yes, you can set an alert on the page Centralized Management to be informed of any change
via email or SNMP trap. For more details regarding the alerts configuration, refer to the
chapter Managing Alerts.
1129
Centralized Management
For instance, filter the appliances through the Status column to detect a Split-brain or any
status different from OK. If your configuration ends up in split-brain, refer to the section
Troubleshooting a Split-brain.
2. Can I set up the HA on any network layer?
Layer 2 configuration: If the appliances are configured on layer 2, they belong to the same
LAN. Therefore you can set up a VIP interface that would allow you to access the current
Master appliance of the configuration through the IP address you set (the original master if
it is acting as a master, or the Hot Standby if the configuration was switched). For more details,
refer to the section Configuring a VIP in the chapter Configuring the Network.
Layer 3 configuration: If the appliances are configured on layer 3, they do not belong to the
same LAN.The HA is still configurable and running perfectly through the routers that connect
them but it is impossible to set a VIP to access the Master appliance.
3. Can I customize the HA mechanism to suit my network?
Yes, if your network is unreliable or experiences frequent disruptions, your administrator can
follow the procedure of the section Configuring High Availability Advanced Options. It details
the registry database key that you can edit to modify the HA number of retries or configure
automatic switch parameters.
4. What can I do from the Hot Standby appliance?
You cannot edit the database as it is replicating the content of the Master database. However,
from the Hot Standby appliance you can:
• Switch the appliances roles and convert the Hot Standby in Master. For more details, refer
to the section Switching the High Availability Configuration.
• Switch the Hot Standby to Standalone. This operation must be performed carefully as it
erases the database entirely and disables the High Availability configuration. This operation
is only recommended in the event of a split-brain. For more details, refer to the section
Disabling the HA Configuration Without Losing the Database.
• Set up the Network configuration page according to your needs. This page is independent
from the database and can therefore be configured differently on the Master and Hot
Standby appliances. For more details, refer to the chapters Centralized Management and
Configuring the Network.
• Set up the System configuration page according to your needs. This page is independent
from the database and can therefore be configured differently on the Master and Hot
Standby appliances. For more details, refer to the chapters Centralized Management and
Configuring the Network.
• Save a backup of the appliance. For more details, refer to the section Managing Backups
and Restoring Configurations.
However, you cannot restore the backup of an appliance in High Availability. You need to
disable the High Availability, restore the backup and then configure the High Availability
again.
1130
Centralized Management
To replace appliances you must take into account if they are simply remotely managed or con-
figured in high availability.
For more details, refer to the section Deleting Appliances Managed Remotely.
2. Add the new appliance to the page Centralized Management of the managing appliance
• First, you need to configure locally the new appliance. For more details, refer to the section
Configuring SOLIDserver to Remotely Manage Other Appliances.
• Second, you need to add the new appliance to the page Centralized Management of the
managing appliance. For more details, refer to the section Adding Remote Appliances.
If you generated a backup of the appliance you need to replace, you must follow the steps below.
1. If the appliance that needs to be replaced is the Master, switch its role to Hot Standby.
For more details, refer to the section Switching the High Availability Configuration.
2. Disable the High Availability configuration from the Master appliance: delete the Hot Standby
from the page Centralized Management. The Hot Standby switches to Standalone. For more
details, refer to the section Disabling the High Availability Configuration.
3. Restore the backup on the Standalone appliance. For more details, refer to the procedure
To restore a backup file.
4. Switch the current Master to Standalone only once when the restoration of the backup on
the other appliance is complete, this ensures your database availability. You now have two
Standalone appliances: one with backup that becomes the Master, and one totally empty that
becomes the Hot Standby.
5. Configure the High Availability again:
• First, connect to the appliance where you restored the backup, the future Master appliance,
and add the future Hot Standby to the page Centralized Management. For more details,
refer to the section Adding a Remote Appliance.
• Second, enroll the Hot Standby. For more details, refer to the procedure To configure High
Availability between two appliances in the section Configuring HA Management.
6. If you restored your backup directly on your Hot Standby, manually switch the appli-
ances' role. If you followed this procedure from step 2, your current Master used to be the
Hot Standby so you may need to switch their role back again. For more details, refer to the
section Switching the High Availability Configuration.
1131
Centralized Management
The replacement of an appliance in HA with no backup must follow the steps below:
1. Put the appliance that needs to be replaced in Hot Standby role, if it is currently the
Master. For more details, refer to the section Switching the High Availability Configuration.
2. Disable the High Availability configuration. For more details, refer to the section Disabling
the High Availability Configuration.
3. Set the network and services configuration of the future Hot Standby appliance according
to your needs. For more details, refer to the sections Configuring the Network and Configuring
the Services.
We strongly recommend that you use an NTP server to set both appliances at the time.
4. Add the new appliance to the page Centralized Management of the Master appliance
and enroll it:
• First, you need to add the new appliance to the page Centralized Management of the Master
appliance. For more details, refer to the section Adding a Remote Appliance
• Second, you need to enroll the new appliance as Hot Standby. For more details, refer to
the procedure To configure High Availability between two appliances.
5. Manually switch the configuration if the new appliance is supposed to be the Master in
the configuration. For more details, refer to the section Switching the High Availability Con-
figuration.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
If the appliance is configured in high availability, refer to the section Disabling the High Availability
Configuration.
1132
Centralized Management
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management.The page Centralized Management
opens.
4. Tick the appliance(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The appliance is not
listed anymore.
If you want to disable the High Availability and keep the Hot Standby database intact, refer to
the section Disabling the HA Configuration Without Losing the Database.
• The HA UID of the Master appliance changes for two reasons:
1. To prevent any other appliance from managing it as it would delete its database.
2. The HA UID can be used again during the next HA configuration with this appliance as a
Master.
1133
Centralized Management
3. The appliance needs to be configured locally again (Tools > Configure local SOLIDserver).
1134
Chapter 94. Managing Licenses
Licenses define the operations that can be performed on an appliance. They are unique to each
appliance.
The details of each license, include the available configurations and operations as metrics. These
metrics can match the license lifetime or be metric subscriptions that expire after a while.
If you manage remote appliances, you can manage the license and metrics of the remote appli-
ances from the Management appliance.
The local license properties are displayed on the page License, in dedicated panels. This page
is only accessible locally, so if you manage remote appliances you must connect to each appliance
to access the page.
1135
Managing Licenses
specific set of license metrics. These metrics are all displayed on a dedicated line to reflect the
license configuration.
You can sort and filter all the columns on the page All licenses. The columns detail the information
of each license metric, the ones of the local license and of the license of the remote appliance(s).
All columns are displayed by default, except the column Start of license.
1136
Managing Licenses
Not configured The local appliance has not been configured yet.
Upgrading... The Hot Standby appliance is being upgraded from the Master appliance.
Split-brain Two appliances are in Restricted mode due to a split-brain. For more details, refer
to the section Troubleshooting a Split-brain.
Repl. stopped The replication stopped, the connection is lost between the appliances. For more
details, refer to the section Configuring Specific Behaviors if the Replication Takes
a Long Time or Stopped.
It is necessary to renew a license if you are notified, in the gadget System Information or in a
banner above the top bar, that a temporary license, the maintenance period or a metric subscription
is expiring on a local or remote appliance. The banner may indicate that:
1137
Managing Licenses
Requesting a License
To request a license, whether it includes metric subcriptions or not, you must retrieve the request
key of your local or remote appliance and send it to EfficientIP.
From the page License of any appliance, you can retrieve the license request key and send it to
EfficientIP.
1138
Managing Licenses
d. If you selected Permanent, in the field Contract Number (if permanent license), specify
your Maintenance contract number, it looks as follows 221231200101CORP. This field
is required.
The Maintenance contract number is composed of 12 digits and your client name, where
the first 6 digits are the maintenance expiry date (yymmdd) and the next 6 digits are the
maintenance start date (yymmdd).
e. In the field Request Key, paste your request key or the content of your request key file.
This field is required.
f. In the field Number of External Managed Servers (MVSM, if any), specify the total
number of servers - DNS, DHCP... - you intend to manage from SOLIDserver.
g. In the section Optional Module, tick all the optional modules you might need: DNS
1
Guardian, DNS GSLB, NetChange, Device Manager or SPX.
h. If relevant, fill in the field If requester is NOT end customer, please provide your contact
information (Name, Company, Email, Phone): with all the appropriate data.
i. In the drop-down list Language, you can choose to display the content of the panel
Privacy Policy in English, French, German or Spanish. The panel provides a link towards
EfficientIP Privacy Statement.
j. Tick the box I accept the Terms and Conditions.
k. Click on SUBMIT to send us your information.
Once EfficientIP has answered your request and sent you a license key, you can renew your li-
cence as detailed in the section Activating a License.
From the page Centralized Management of a management appliance, you can export the license
request key of all remote appliances and send them at once to EfficientIP.
1
If you do not tick this box, you are using NetChange-IPL, NetChange basic options.
1139
Managing Licenses
c. In the section System, click on Centralized Management. The page Centralized Man-
agement opens.
d. Tick the remote appliances for which you requested a license key.
e. In the menu, select Tools > Export license requests. The wizard opens.
f. Read the License Agreement and click on NEXT . The page Export license requests
opens.
g. Click on OK to complete the operation. The page Report opens.
h. Click on DOWNLOAD to save the file locally. When the file download is complete, the page
Centralized Management is visible again.
3. Send the request key to Efficient IP.
a. Go to the page http://www.efficientip.com/license-request/ and fill out the form Request
Your License.
b. In the fields First Name, Last Name, Email, Phone, Company and Country Name, specify
your contact details. All these fields are required.
c. In the field License Period Request, select the length of your choice: 1 month, 2 months,
3 months, 6 months or Permanent. This field is required.
d. If you selected Permanent, in the field Contract Number (if permanent license), specify
your Maintenance contract number, it looks as follows 221231200101CORP. This field
is required.
The Maintenance contract number is composed of 12 digits and your client name, where
the first 6 digits are the maintenance expiry date (yymmdd) and the next 6 digits are the
maintenance start date (yymmdd).
e. In the field Request Key, paste your request key or the content of your request key file.
This field is required.
f. In the field Number of External Managed Servers (MVSM, if any), specify the total
number of servers - DNS, DHCP... - you intend to manage from SOLIDserver.
g. In the section Optional Module, tick all the optional modules you might need: DNS
2
Guardian, DNS GSLB, NetChange, Device Manager or SPX.
h. If relevant, fill in the field If requester is NOT end customer, please provide your contact
information (Name, Company, Email, Phone): with all the appropriate data.
i. In the drop-down list Language, you can choose to display the content of the panel
Privacy Policy in English, French, German or Spanish. The panel provides a link towards
EfficientIP Privacy Statement.
j. Tick the box I accept the Terms and Conditions.
k. Click on SUBMIT to send us your information.
Once EfficientIP has answered your request and sent you license keys, you can renew your li-
cences as detailed in the section Activating a License.
Activating a License
Once you received the license key(s), you must activate it:
• For local appliances, you can add the license key on the page License or import it on the page
Centralized Management.
• For remote appliances, you can import all the license keys at once on the page Centralized
Management.
2
If you do not tick this box, you are using NetChange-IPL, NetChange basic options.
1140
Managing Licenses
Before activating the license, the appliance should be time synchronized. To make sure the ap-
pliance is on time, we strongly recommend configuring the NTP. For more details, refer to the
chapter Configuring the Time and Date.
If you are activating a license that includes metric subscriptions, note that you can refresh the li-
cense metrics any time. For more details, refer to the section Refreshing the Metrics of a License.
Note that the license you import automatically overwrites the current license on the relevant
appliance(s).
7. Click on OK to complete the operation.
Exporting Licenses
From the page All licenses, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
1141
Chapter 95. Monitoring
There are many ways of monitoring SOLIDserver, for administrators and standard users, from
the resources to the logs and SNMP profiles and more. This chapter gathers the following mon-
itoring possibilities:
• Managing Reports.
• Managing Alerts.
• Managing the Logs.
• Monitoring the Appliance Statistics.
• Monitoring from Session Tracking.
• Monitoring from User Tracking.
• Forwarding Events.
• Managing SNMP Profiles.
• Monitoring Using SNMP.
• Displaying Netstat Data.
• Sizing the Database Tables.
Note that from the page Centralized Management, you can monitor the status, hardware or license
and maintenance information of an appliance, local or remote. For more details, refer to the
section Centralized Management.
Managing Reports
From the modules DHCP, DNS, NetChange and Administration you can generate a number of
reports to HTML or PDF format. These reports can be generated at a given time or scheduled.
All existing reports are detailed in the section Browsing the Reports Database.
DHCP Reports
You can generate advanced reports for DHCP servers and scopes.
All the DHCP server dedicated reports are available in v4 and v6 on the page All servers, on the
server properties page and on all the listing pages displaying the content of a specific server. To
generate these reports, refer to the section Generating a Report.
1142
Monitoring
All the DHCP scope dedicated reports are available in v4 on the page All scopes, on the scope
properties page and on all the listing pages displaying the content of a specific scope. To generate
these reports, refer to the section Generating a Report.
Scopes Summary
1143
Monitoring
DNS Reports
You can generate advanced reports for DNS servers, views and zones.
All the DNS server dedicated reports are available on the page All servers, on the server properties
page and on all the listing pages displaying the content of a specific server. To generate these
reports, refer to the section Generating a Report.
Route 53 Incompatibilities
• Prerequisite: Selecting at least one Amazon Route 53 server.
• Description: Contains a list of all the selected server options and configurations incompatible
with Amazon Route 53. No piece of information listed in the tables can ever be replicated on
the Amazon Route 53 server you are managing via SOLIDserver.
1144
Monitoring
Servers Configuration
• Prerequisite: Selecting at least one server.
• Description: Contains all the server configuration details divided into 4 tables: Settings (all the
options), ACLs (all the access control lists), Keys (all the DNS keys configured) and Groups
(all the group of users that have access to the server).
All the DNS view dedicated reports are available on the page All views, on the view properties
page and on all the listing pages displaying the content of a specific view. To generate these re-
ports, refer to the section Generating a Report.
View Statistics
• Prerequisite: Selecting at least one view.
1145
Monitoring
• Description: Contains two tables for every selected view. The first table displays the number
of zones and indicates how many are Forward zones. The second table details all the zones
1
of the view with: their name, their type and the amount of known records they contain.
All the DNS zone dedicated reports are available on the page All zones, on the zone properties
page and on all the listing pages displaying the content of a specific zone. To generate these
reports, refer to the section Generating a Report.
Route 53 Incompatibilities
• Prerequisite: Selecting at least one Amazon Route 53 server.
• Description: Contains a list of all the selected zone options and configurations incompatible
with Amazon Route 53. No piece of information listed in the tables can ever be replicated on
the Amazon Route 53 server you are managing via SOLIDserver.
Zone Statistics
• Prerequisite: Selecting at least one zone.
2
• Description: Contains tables listing all the selected zones: name, type and amount of known
records they contain. The report contains as many tables as there are managing servers among
the selected zones.
NetChange Reports
All NetChange dedicated reports are available on the page All network devices, on the network
device properties page and on all the listing pages displaying the content of a specific network
device. To generate these reports, refer to the section Generating a Report.
1
By known records, we mean all the record types that have ever been created or managed on the appliance.
2
By known records, we mean all the record types that have ever been created or managed on the appliance.
1146
Monitoring
Administration Reports
From the module Administration, you can generate advanced reports for the appliance statistics
and users.
All the appliance statistics dedicated reports are available on the page System statistics. To
generate these reports, refer to the section Generating a Report.
Statistics chart
• Prerequisite: No selection required. However, only users of the group admin can access the
page.
• Description: Contains all the charts available on the page System statistics. Their content de-
pends on the time of the generation.
Network traffic
• Prerequisite: No selection required. However, only users of the group admin can access the
page.
• Description: Contains charts representing all the ingoing and outgoing traffic on your network
over the last 24 hours, last 7 days, last 30 days and last 12 months.
User Reports
A report allows to export all the permissions of a user from the page Users. To generate this report,
refer to the section Generating a Report.
1147
Monitoring
Generating a Report
From a set of listing and properties pages you can generate and download reports in PDF or
HTML format.
Keep in mind that if the report you are generating contains charts, choosing the HTML format
requires you to be connected to the appliance via its domain name when you open the report,
otherwise the charts are empty.
Note that from the page System statistics, in the drop-down list SOLIDserver, you can select
your local appliance or a remote one, only if the remote appliance is in version 6.0.1 or
higher.
3. In the menu, select
3
Report > <report-of-your-choice> . The corresponding wizard opens.
4. In the list Report format, select an export format, either HTML or PDF. By default, HTML is
selected.
5. Click on NEXT . The next page opens.
6. In the drop-down list Action, select Generate new data. If you already have generated a
report for the same object, the drop-down list allows to select and generate it again.
7. Click on OK to generate the report. The page Report opens and works for a while.
8. You can click on DOWNLOAD to save the report immediately.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To list the reports.
9. Click on CLOSE to go back to the page.
3
The reports dedicated to Compare DNS data with IPAM data and Amazon Route 53 are all listed in the submenu of the same name.
1148
Monitoring
7. Click on OK to generate the report. The page Report opens and works for a while.
8. You can click on DOWNLOAD to save the report immediately.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To list the reports.
9. Click on CLOSE to go back to the page.
Scheduling a Report
The generation of reports can easily be scheduled for all types of reports through the same wizard
as for immediate generation.
Keep in mind that if the report you are generating contains charts, choosing the HTML format
requires you to be connected to the appliance via its domain name when you open the report,
otherwise the charts are empty.
5. Click on NEXT . The next page opens.
6. In the drop-down list Action, select Schedule the report. The page refreshes and displays
the scheduling fields.
7. Configure the export frequency or date and time of export using the table below.
1149
Monitoring
The scheduled report configuration is available on the page Scheduled reports, refer to the
procedure To list the scheduled reports.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To list the reports.
For more details regarding scheduled reports refer to the section Managing Scheduled Reports
Configuration Files.
All the generated reports are listed on this page whether they were generated at a specific time
or scheduled.
1150
Monitoring
2. In the section Monitoring, next to Reports, click on Scheduled. The page Scheduled reports
opens.
3. All the scheduled reports are listed by name, report type and format.
4. Tick the scheduled report you want to delete.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The scheduled report
configuration is no longer listed.
Managing Alerts
SOLIDserver offers a number of customization options that include the alert configuration from
any page. You can be notified of the changes of your choice (new value, status, etc.) either via
email or via an SNMP trap. Alerts provide an extra monitoring system.
Prerequisites
• To properly set an SNMP trap on an alert, make sure the SNMP and SMTP servers are properly
configured. For more details, refer to the chapters Managing the SNMP Service and Configuring
the SMTP Relay.
• To properly set mail notifications on an alert, you need to specify a group of users or specific
mail addresses. Make sure the email addresses of the group members and/or those you spe-
cified in the wizard are valid as incorrect email addresses cannot receive alerts. Also, make
sure the groups you specify is configured with sufficient rights to assess the situation. For more
details, refer to the chapter Managing Users.
Browsing Alerts
The Administration module contains two pages dedicated to alerts. You cannot configure the
columns display on these pages.
• The page Alerts displays the details of all the alerts that have been raised: their priority, when
they were raised and released, their current state, etc.
• The page Alerts Definition contains all the alerts configured in SOLIDserver. It displays the
configuration details of each alert, provides a link to edit the alert filters and allows to enable/dis-
able each alert.
1151
Monitoring
3. To display the alerts related to a specific alert definition, in the column Alert name, click on
the name of your choice. The page Alerts opens and displays only the alerts related to that
specific definition.
4. To display all the alerts, whether they are dismissed or not, under the menu, tick the box
Display all alerts .
By default, the page Alerts Definition displays the configuration details of all the existing alerts
through six columns. You can sort and filter all columns, but you cannot change their layout.
The alert properties page displays extra information that can be configured such as the severity,
priority, recipients of the email, etc.
By default, the page Alerts displays all the details of all the currently raised alerts. You can sort
and filter all columns, but you cannot change their layout.
To display the alerts that were dismissed or set back to monitored, refer to the procedure To
display the page Alerts.
1152
Monitoring
Column Description
Sub Module The name of the page within the module where the alert was created.
Alert Name The name given to the alert upon creation.
Priority The level of priority you set upon creation: Low, Normal, High, Urgent or Immediate.
Begin date The time and date when the alert went from released to raised, i.e. the moment the para-
meters set were met.
End date The time and date when the alert went from raised to released.
Starting since The period of time since the alert has been raised.
Monitoring Monitored: when you have not dismissed an alert or if you have reinstated it.
Dismissed: when you have dismissed an alert.
State Released: when the alert has reached its End date.
Raised: when the parameters set for the alert are met, the alert is raised.
Adding Alerts
From any page within SOLIDserver you can create alerts from the menu Alerts, gadgets &
Smart Folders. Before adding alerts you can filter the list to customize the trigger and create the
alerts that suit your needs. So if you decide to filter the page All zones via the column Status with
!=OK and then add an alert, the alert would be triggered when any zone listed changes status
to a status different from OK and send you an email and/or an SNMP trap depending on what
you configure.
To add an alert
This procedure is an example, it sends an alert if any zone status changes to anything but OK.
1. Go to the page of your choice and filter the list according to your needs.
a. In the sidebar, go to DNS > Zones. The page All zones opens.
b. In the column Server, click on the name of the server of your choice to display the zones
it contains.
c. Double-click in the search engine of the column Status. The filter constructor appears.
d. In the drop-down list, select != (different from).
e. Among the statuses listed, tick OK. OK is now displayed in the field. A new line appears.
f. Click on APPLY . The list is now filtered and only the zones that have a status different
from OK are displayed.
2. In the menu, select Alerts, gadgets & Smart Folders > Add an Alert. The wizard Add
an alert definition opens.
3. In the field Name, name the alert. By default, the alert is named after the module and page
from where you configure it, in our example DNS: Zones.
4. In the field Description, you can type in a description if needed.
5. For alerts added from the DNS page Analytics displaying Guardian data, in the drop-down
list Period, select the overall period of data to retrieve, either the last 1h, 3h or 6h.
6. In the section Expert mode, tick the box to display the expert configuration fields.
7. Through the fields Filter results and Value, you can configure the alert execution parameters.
1153
Monitoring
For instance, if you do not want the alert to be triggered for less than 2 zones with a status
different from OK, you can select Greater than in the drop-down list Filter results and 2 in
the field Value.
8. In the section Triggered by change, tick the box if you want your alert to match your filter
only by change. In the case of our example, if you do not tick the box and three zones already
correspond to the filter (they could be in delayed create, timeout...), the alert is triggered if,
at the next check, the zones are still not set to OK.
9. In the drop-down list Alert Priority, define the alert priority. It can be Low, Normal, High, Urgent
or Immediate.
10. In the drop-down list Alert Severity, define the alert severity. You can choose among Minor,
Major, Crash and Block.
11. In the drop-down list Alert Group Owner, select a group of users among the ones you created.
12. Tick the box Edit scheduling to display the related fields.
By default, the check is scheduled every 5 minutes of every hour, day and month.
13. Tick the box Send mail to display the related fields.
14. Tick the box SNMP Trap to display the related fields.
1154
Monitoring
Parameter Description
SNMP Destination Type in the IP address of the network management platform.
SNMP Community Type in the community string that would act as a password to access the SNMP agent.
Raised alert SNMP Type in a custom OID to be sent when the alert is raised. You can use and extend
OID the default OID 1.3.6.1.4.1.2440.1.6.1.2.0.1.
Released alert SN- Type in a custom OID to be sent when the alert is released. If this field is empty, no
MP OID trap is sent when the alert is released.
15. Click on OK to complete the operation. It is now listed in the page Alerts Definition and
marked as Released.
Editing Alerts
The alerts can be edited in two different ways:
1. You can edit the alert definition: rename it, change the check frequency, add or remove email
recipients, set or remove an SNMP trap...
2. You can edit the filters that were set on the page when the alert was created.
In addition to editing an alert definition, you can edit the filter(s) it uses. This allows you to edit
the alert triggers if the initial alert settings no longer suit your needs.
1155
Monitoring
8. On the right-end side of the menu, click on . The wizard Quit editing the alert filters opens.
9. Tick the box Save changes before quitting to save your new filter.
To enable/disable an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. Tick the alert(s) of your choice.
4. In the menu, select Edit > Enable or Disable. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again, the alert definition State is marked as Enabled or Disabled.
From the column State, you can also directly click on Enabled or Disabled to, respectively, disable
or enable a definition.
The option Force alert update immediately checks if the selected alert is Raised or Released.
Dismissing an Alert
Once an alert was raised, you can dismiss it in order to make sure that next time it is raised you
actually only see the instances that matter and not old ones. The alert does no longer appear on
the page Alerts unless you tick the box Display All Alerts.
1156
Monitoring
To dismiss an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Alerts. The page Alerts opens.
3. Tick the raised alert(s) that you want to dismiss.
4. In the menu, select Edit > Dismiss. The wizard Dismiss an alert opens.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again, the alert is no longer listed.
6. Under the menu, tick the box Display All Alerts to display all the previous instances.
To monitor an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Alerts. The page Alerts opens.
3. Tick the raised alert(s) that you want to reinstate.
4. In the menu, select Edit > Monitor. The wizard Monitor an Alert opens.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again, the alert is displayed even though the box Display All Alerts is unticked.
Exporting Alerts
From the page Alerts, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting an Alert
For safety measures, you cannot delete an alert instance on its own. However, from the page
Alerts Definition, you can delete an alert completely i.e. delete its configuration details and the
instances of when it was raised.
To delete an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. Tick the alert(s) that you want to delete.
4. In the menu, select Edit > Delete an Alert. The wizard Delete an alert opens.
5. Click on OK to complete the operation. The report opens and closes. The alert is no longer
listed on the pages Alerts Definition and Alerts.
1157
Monitoring
Syslog
The page Syslog lists the logs of all the services executed. You can filter the list using the menu
or the columns to display a specific operation. Note that:
• You can display the logs of remote appliances from the management SOLIDserver. For more
details regarding remote management, refer to the chapter Centralized Management.
• The service ipmserver includes the cloud synchronization error messages. For more details,
refer to the chapter Managing Cloud Synchronization.
• You can export the logs in a CSV, HTML, XML, XLS or PDF file. For more details refer to the
chapter Exporting Data.
If you are not managing any remote appliance, the list only displays local.
If you are managing remote appliances, the local appliance is listed using only its hostname,
all remote appliances are listed using their hostname and IP address, as follows: hostname
(IP address).
4. In the drop-down list Service, select the service of your choice:
Service Description
named The DNS log messages.
dns-firewall The log messages related to RPZ processing.
dhcpd The DHCP log messages.
ipmserver The internal transactional engine log messages.
messages All the system log messages.
auth The authentication log messages.
ipmserver-rules The operations executed by rules.
gslb-check The Application log messages regarding initial health check failures and node status
changes.
5. You can tick the box Automatic refresh to automate the refresh of all the logs.
By default, the refresh is scheduled to be executed every 10 seconds. To change the refresh
frequency, refer to the procedure To change the automatic refresh frequency.
6. Two columns allow to narrow down the log search:
Column Description
a
Time Allows to sort and filter the logs based on the date and time of the service execution .
Log Allows to filter the logs based on their description.
a
You can edit the time and date formats via the top bar menu My Account > My Settings.
At any time, you can change the Automatic refresh frequency from the registry database.
1158
Monitoring
You can redirect the logs of a particular service and severity level. The available severity levels
are listed below.
Note that selecting a log level automatically includes the logs with a higher severity, the ones
with a smaller code number. Therefore, if you select Warning (4) logs, you also redirect the Error
(3), Critical (2), Alert (1) and Emergency (0) logs.
Note that the service impserver includes the cloud synchronization error messages. For more
details, refer to the chapter Managing Cloud Synchronization.
1159
Monitoring
2. In the section Monitoring, next to Syslog, click on Configuration. The page Configuration
of network logs opens.
3. In the menu, clcik on Add. The wizard Syslog configuration opens.
4. In the drop-down list Services, select the service of your choice.
5. In the drop-down list Level, select the severity level of your choice. Note that any severity
other than Emergency (0) also redirects higher severity levels, the ones with a lower code.
For more details, refer to the table Syslog severity levels.
6. In the field Target server, specify the IP address and port number of the Syslog server re-
ceiving the logs following the format <ip-address>:<port-number>.
7. Click on OK to complete the operation.The report opens and closes.The page Configuration
of Network Logs is visible again and displays the list of logs redirections.
1160
Monitoring
• The page allows to display the statistics of your local appliance and the statistics of remote
appliances, if they are in version 6.0.1 or higher. For more details regarding remote manage-
ment, refer to the chapter Centralized Management.
• Every chart displaying local data is a gadget in essence and can be displayed on any dashboard
using the dedicated pushpin. For more details, refer to the chapter Managing Gadgets.
• You cannot use the statistics charts of a remote appliance as a gadget.
• You can export all the charts on the page, whether they display local or remote data, in specific
reports. For more details, refer to the section Appliance Statistics Reports below.
• Except for the panel Processes states, on each chart you can zoom in and out of the charts
or decide the period and data to display. For more details, refer to the section Charts.
By default, it displays the local appliance data. To display the statistics of a remote appliance,
refer to the section Monitoring the Statistics of Another Appliance.
1161
Monitoring
For more details regarding the reports and their generation, refer to the section Managing Reports.
You can export user sessions in a CSV, HTML, XML, XLS or PDF file. For more details refer to
the chapter Exporting Data.
You can also track previous sessions on the page Session history.
The different columns and filters on the page allow to track operations and who performed them.
Note that:
• You can grant full access to the page to any group of users. For more details, refer to the
section Allowing Users to Display All the Operations Performed.
• A registry database entry allows to save the operations performed by users in the file ipmserv-
er.log, available on the page Syslog. For more details, refer to the section Sending a Copy of
User Operations to Syslog.
1162
Monitoring
• A rule allows to forward user events. For more details, refer to the section Forwarding Events.
You can grant user access to see the changes performed by all the users, including ipmadmin,
if their group of users has the permission User Tracking Display: changes from all the users.
To grant access to all the changes performed on the appliance to a group of users
Once the permission is granted, all the users of the group can see the operations performed by
anyone who logged in SOLIDserver on the page User tracking and in the panel Audit of the
properties page of an object.
1163
Monitoring
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Forwarding Events
It is possible to forward local user events logs to external devices. Through the rule 412, admin-
istrators can specify a forwarding target and define which events to forward.
1164
Monitoring
4
• A forwarding method, either HTTP or redis .
• A specific device, or host. Note that this device can impact the proper execution of the rule,
if it is not responding or returns any error, the event forwarding stops.
• You can add several instances of the rule, as long as they each forward events to different
URIs.
• You must specify a forward policy, in JSON format, that narrows down the events to forward.
We provide a few policy examples after the procedure.
It can also include service related filters, to find the services name refer to SOLIDserver API
5
Reference guides .
As SOLIDserver can generate many event logs, we recommend that you set a granular for-
warding policy. Otherwise, you may overload the target device or reduce your appliance per-
formances.
Once you added the rule, you can tick it to disable it to stop forwarding events. You can enable
it again later. Note that you can monitor any forwarding errors from the page Syslog.
By default, all the lists are empty, the rule is executed every minute.
4
Via redis, all event messages are sent to a target group, and all its members receive the messages.
5
Available at https://dowloads.efficientip.com/support/downloads/docs/7.3/.
1165
Monitoring
http[s]://[[username:]password@]host[:port][/path]
b. To forward events via redis, specify the URI following the format:
redis[s]://[[username:]password@]host[:port][/database]
13. In the drop-down list Log level, select the severity level of the event logs to forward.
14. In the field Retention, specify a retention period threshold, in hours. Every event log older
than the period you specify is not forwarded.
15. In the field Max. number of events, you can specify the maximum number of event logs to
include in the forwarding message. If there are more events matching the Log level and
Forward policy you set, several messages are sent. By default, the field is empty.
16. In the field Forward policy, specify the events that you want to forward, in JSON format. The
policy defines the forwarding configuration and payload.
The expected format depends on the method set in the Target URI. You can find a few ex-
amples after the procedure.
a. If you forward events via HTTP or HTTPS, specify the policy following the format:
[{
"source": "user_tracking",
"filter": {
},
"method": "<HTTP VERB>",
"query": "<URI query>",
"headers": [
<list of HTTP headers>
],
"content": "<your payload>"
}]
Note that:
• Any module specified in the filter must respect the expected module name in the
policy filter.
1166
Monitoring
• If you do not specify a content, all event details are forwarded, including class para-
meters.You can find these details in the column Description of the page User tracking.
b. If you forward events via redis, specify the policy following the format:
[{
"filter": {
<filters of your choice>
},
"command": "<PUBLISH|RPUSH|LPUSH> <channel>",
"content": "<your payload>"
}]
Note that:
• Any module specified in the filter must respect the expected module name in the
policy filter.
• If you do not specify a content, all event details are forwarded, including class para-
meters.You can find these details in the column Description of the page User tracking.
17. Click on OK to complete the operation. The report opens and closes. The rule is listed.
Here below are some Forward policy examples dedicated to addition, edition and deletion events,
via HTTP(S) and redis.
Example of a Forward policy for DNS addition events via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": "ADD",
"Event_Name": "dns.*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},
}]
Example of a Forward policy for DNS server edition events via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": "EDIT",
"Event_Name": "dns_.*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},
{"Custom-Header": "SomeContent"}],
"content":"{\"ACTION\":${event_type},\"DNS SERVER NAME\":${params[dns_name]}"
}
All DNS editions events are analyzed, but with this content the forwarded message only in-
cludes the name of the DNS server.
Example of a Forward policy for DNS zone deletion events via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": "DELETE",
"Event_Name": "^dns_zone.*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},
}]
1167
Monitoring
Example of a Forward policy for IPv6 block-type network and space deletion events via
redis
[{
"source": "user_tracking",
"filter": {
"Event_Type": "DELETE",
"Event_Name": "ip6.*"
},
"command": "PUBLISH 2",
"content":"{\"ACTION\":${event_type},\"BLOCK NAME\":${params[subnet6_name]},\"SPACE
NAME\":${params[site_name]}"
}]
All IPv6 block-type networks deletion events are analyzed, but with this content the forwarded
message only includes the name of deleted block-type networks and spaces.
By default, SOLIDserver already provides 3 SNMP profiles (standard v1, standard v2c and
standard v3). To edit these profiles, refer to the section Editing an SNMP Profile.
1168
Monitoring
10. Click on OK to complete the operation. The page SNMP profiles configuration is visible
again, your profile is listed in the panel.
1169
Monitoring
Combined with an effective alerting system, it allows to gather and store metrics about key system
health indicators to analyze and correlate information. Based on that data, you can intervene in
case of malfunction, define alert triggers and set up automatic actions that prevent an overall
failure of the system.
6
You can monitor these metrics through an external solution such as Nagios as well as some
related plug-ins.
Once your system is properly configured, you can set various SNMP alerts on SOLIDserver objects
to be notified of any unusual behavior. For more details, refer to the chapter Managing Alerts.
For more details regarding the available metrics, refer to the appendix SNMP Metrics.
1170
Monitoring
Users of the group admin can edit the rule to change the database vacuuming frequency. You
should only edit this rule if a member of an EfficientIP technical team specifically asked
for it.
1171
Monitoring
7. In the field Rule name, you can edit the name of the rule. It is displayed in the column Instance
on the page Rules.
8. In the field Comment, you can type in a comment if you want.
9. Click on NEXT . The page Rule filters opens.
1172
Chapter 96. Maintenance
SOLIDserver needs to be properly maintained over time to run smoothly and reach its maximum
performance. This chapter details the pages and options that allow administrators to manage
local files, troubleshoot SOLIDserver or even enable the Maintenance mode.
All the files are separated among 6 subpages: Local, TFTP, Logs, Config files, Custom images
and Custom WSDL. From each of these pages, you can upload, download and delete local files.
For more details, refer to the section Managing Local Files below.
All subpages, except Custom WSDL, share a common set of columns but contains specific files.
1173
Maintenance
This list displays all the files uploaded locally, available for download, and the files uploaded re-
motely via TFTP. For more details, refer to the section Managing the TFTP Upload Authorizations.
It displays all the appliance log files in alphabetical order. To browse their content, go to the page
Syslog. For more details, refer to the section Syslog.
It displays all the servers configuration files generated from the Services configuration page. For
more details, refer to the section Downloading a DNS or DHCP Configuration File.
It displays all the images that you uploaded to customize SOLIDserver login page and home
page Welcome banner. For more details, refer to the section Uploading an Image.
It displays all the WSDL files available for web services management via SOAP on the appliance.
The page contains a specific set of columns:
1174
Maintenance
Clicking on a WSDL file allows to display all the services it contains. For more details, refer to
the section Managing WSDL Files.
The page Custom WSDL contains a set of specific options detailed in the section Managing
WSDL Files.
Uploading Files
From the pages Local, TFTP and Custom images you can upload files. This upload updates the
appliance local database from the GUI.
Downloading Files
Any file listed on the Local Files Listing can be downloaded to your local computer from the GUI.
Deleting Files
From any page of the Local files Listing you can delete files from the appliance local database.
1
Depending on your browser, you might download the file right away or be offered the possibility to open the file or save it.
1175
Maintenance
3. Under the menu, tick the radio button of your choice. The page opens.
4. Filter the list if need be.
5. Tick the file(s) you want to delete.
6. In the menu, select Edit > Delete file(s). The wizard Delete file opens.
7. Click on OK to complete the operation. The report opens and closes. The file is no longer
listed.
By default a full WSDL file including all the services is available (https://<ip_address>/inter-
faces/wsdl_eip_full.wsdl). Keep in mind that using wsdl_eip_full.wsdl drastically reduces the
performances of the application you develop because it parses all SOLIDserver services one
after the other every time you use it. Therefore, we recommend creating your own files to only
contain the information relevant to the required services.
You can add, edit, dump and delete WSDL files from the page Custom WSDL of the Local files
listing.
You can add as many WSDL files as you need. Each file can contain as many services as you
need. The addition wizard provides an auto-completion field that recognizes all services name.
Once added:
• WSDL files are automatically dumped, you can call the services listed in the WSDL file no
matter what programming language you use.
• WSDL files are saved in the format <WSDL-file-name>.wsdl in the local directory custom_wsdl
accessible at https://<SOLIDserver-ip-address>/interfaces/custom_wsdl/ .
• You must include the files location in your source code to call the services they contain, and
preferably make sure to copy and store your custom files locally on the SOAP client to reduce
the latency of instantiating the SOAP object.
1176
Maintenance
The services that you configured in the file are all listed on a dedicated page.
You can edit the content of a WSDL file, that is to say add services, remove services and/or
change its Endpoint. Keep in mind that editing a WSDL file requires dumping it again.
You can add as many services as you want to an existing custom WSDL file. Once edited, you
must dump the WSDL file to take into account the changes.
1177
Maintenance
If you ticked the box Dump WSDL file(s), the file Status is Dumped and can be used imme-
diately, the changes are saved.
If you did not tick the box Dump WSDL file(s), the file Status is Modified since dump and
you must dump it to take into account your changes. For more details, refer to the section
Dumping an Edited Custom WSDL File.
You can remove one or several services from an existing WSDL file. Once edited, you must dump
the WSDL file to take into account the changes.
If you ticked the box Dump WSDL file(s), the file Status is Dumped and can be used imme-
diately, the changes are saved.
If you did not tick the box Dump WSDL file(s), the file Status is Modified since dump and
you must dump it to take into account your changes. For more details, refer to the section
Dumping an Edited Custom WSDL File.
1178
Maintenance
9. To go back, above the list tick the radio button Custom WSDL. The page opens.
If you edited a WSDL file without dumping it during the edition, you can dump its content.
You can download your WSDL files, as long as you already dumped them on the page Local of
the Local files listing.
1179
Maintenance
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. In the column Name, filter the list if need be.
5. Tick the file(s) you want to download.
6. Dump the file on the page Local:
a. In the menu, select Tools > Dump in Local Files Listing. The wizard opens and
closes.
b. The file is now listed in the page Local of the Local Files Listing.
7. Download the file from the page Local:
a. Above the menu, tick the radio button Local. The page opens.
b. In the list, the WSDL is listed as follows: <WSDL-file-name>.tar .
2
c. In the column Name, click on the file to download it .
2
Depending on your browser, you might download the file right away or be offered the possibility to open the file or save it.
1180
Maintenance
2. In the section Expert, click on Register new macros & rules. The wizard Register all the
latest macros and rules opens.
3. Click on OK to complete the operation. The report opens and closes. The page Admin Home
is visible again.
Troubleshooting
Troubleshooting is a logical and systematic search for the source of a problem. It is needed to
develop and maintain complex systems where symptoms can have many possible causes.
Before Troubleshooting
There is set of simple checks that might help you avoid troubleshooting. These checks are often
overlooked in times of functional problems when they should be an administrator reflex.
1. Make sure that the appliance and the objects it manages are set at the same time. If they
are not, set the appliance time.
Typically, if your appliances and the servers it manages are not the same time, you can en-
counter management problems: the DHCP should be the first impacted with the leases and
then the DNS, especially if you set time check keys for the zones. We recommend that you
configure NTP servers on the appliance as detailed in the section Configuring NTP Servers.
Besides, we strongly advise against setting the time through CLI because it might make
SOLIDserver crash, disrupt your services, trigger errors in the logs, etc. If you do it anyway,
restart SOLIDserver to make sure that all the services impacted by the time change are restarted
and all set at the same time.
2. Make sure there is no Multi-Management of your DNS and DHCP physical servers.
Through the smart architectures, you can manage the servers of your choice so make sure
you did not add and manage twice the same server in two different smart architectures. Every
minute the smart architecture checks that its configuration is pushed to the physical server, if
not it pushes it again. So if one physical server is managed through two different architectures
every minute a configuration is pushed and then overwritten by the other smart architecture.
1181
Maintenance
Troubleshooting Guidelines
Determining what might be the causes of a dysfunction is often a process of elimination.
Troubleshooting also requires confirmation that the solution restores the system to its working
state.
The following guidelines give a generic overview of troubleshooting, and since each case is dif-
ferent, you might need to vary your approach to the problem.
If the problem remains, do not hesitate to contact the support team with all the information you
have collected. The set of files needed include: the network capture file, the troubleshooting dump
file and the last system backup.
Troubleshooting Tools
SOLIDserver provides users of the group admin with two ways of analyzing the system in case
of a crash:
• The Network Capture, that indicates the DHCP or DNS traffic on a given duration.
• The Troubleshooting Dump, that allows to retrieve key debug information.
Network Capture
Performing a network capture allows to analyze DHCP and DNS traffic packets for a given period
of time, through the interface, port and via the protocol of your choice.
1182
Maintenance
The retrieved data is saved in a .pcap archive file available on the page Local files listing.
4. In the drop-down list Interface, select the name of the network interface for which you want
to capture packets. This field is required.
5. In the field Port, you can specify a port number.
6. In the field IP address, you can specify the IP address of your choice.
7. In the drop-down list Protocol, select either udp, tcp or any (both).
8. In the drop-down list Duration, select the network capture duration, either 10s, 30s, 1mn,
2mn or 5mn.
9. Click on OK to complete the operation. The report opens and closes. The page Admin Home
is visible again.The generated .pcap file is available on the page Local files listing, accessible
from the section Maintenance.
Troubleshooting Dump
The troubleshooting dump is a file containing debug data regarding DNS, DHCP and/or system,
as well as any extra file you consider relevant to troubleshoot the appliance.
Dumping troubleshooting details generates a .tbz archive file containing all the debug information.
This file is available on the page Local files listing.
1183
Maintenance
e. Click on OK to complete the operation. The report opens and closes. The page Admin
Home is visible again.
3. Download the file
a. In the section Maintenance, click on Local files listing. The page opens.
b. Filter the column Name with the keyword DEBUG to only list troubleshooting dump files.
If a DEBUG file does not have the extension .tbz, it means it is not fully generated yet.
c. Click on the name of the file of your choice to download it.
The backup files are stored on the appliance itself, but you can also decide to store the backup
files on a remote FTP server or SFTP server. For ease of use and to prevent confusion, binaries,
system and log files are not included in the backup stored on the appliance. Still, they can be
restored separately, either when you reinstall SOLIDserver or when you update the system.
DNS, DHCP and System logs can be included in the backup created on the remote archive.
Note that, when you save a backup of DNS zones managed via a smart architecture, you can
later chose to restore them while keeping the latest version of the records they contain. You can
also discard the latest changes and restore the records as saved in the backup file.
SOLIDserver automatically generates a new backup before each upgrade to allow reverting
back its data and configuration.
1184
Maintenance
• Remote directory: the directory on the remote server where the backup files are stored.
• Remote login: the login used to connect to the remote FTP server.
• Mode: the protocol and mode used to connect to the remote server, either Active FTP,
Passive FTP or SFTP.
• Log DNS: indicates if the DNS logs are included in the remote backup (yes) or not (no).
• Log DHCP: indicates if the DHCP logs are included in the remote backup (yes) or not (no).
• System Log: indicates if the System logs are included in the remote backup (yes) or not
(no).
• Retention duration: the number of days beyond which a backup is automatically deleted
from the remote server.
If you activated the database encryption on your appliance, you should download your database
keys, or at least the Active one. That way, if you need to restore the backup, you can import the
key(s) when the restoration is over. For more details, refer to the section Downloading Database
Keys in the chapter Securing.
Keep in mind that creating an instant backup during the enrollment of a Hot Standby appliance
in High Availability may trigger an error.
Once generated, you can download your backup if need be. For more details, refer to the section
Downloading a Backup File.
Editing the backup settings can maximize the disk space of your appliance if you schedule a
backup rotation: the automatic deletion of obsolete backup files.
1185
Maintenance
Keep in mind, that if you activated database encryption on your appliance, you should download
your database keys, or at least the Active one. That way, if you need to restore a backup, you
can import the keys when the restoration is over. For more details, refer to the section Downloading
Database Keys in the chapter Securing.
4. In the drop-down list Retention, select the number of days beyond which a backup should
be automatically deleted.
5. Click on OK to complete the operation.
During the configuration of the remote server, you can decide to include the DNS, DHCP and
System logs or even specify a number of days beyond which they should be automatically deleted
from the server. Note that:
• You can archive backups on an FTP server - via Active FTP or Passive FTP - or an SFTP
server. We strongly recommend using SFTP which is far more secure than FTP as it uses an
SSH key instead of a password.
• You can specify the port configured on the remote server. On SFTP servers, usually the same
port than SSH is used.
• If no remote archive is configured, the panel Remote archive contains the message Remote
archive is disabled.
1186
Maintenance
3. In the panel Remote archive, click on EDIT . The wizard Archive server parameters opens.
4. Tick the box Enable remote archive, the wizard refreshes and displays the remote archive
configuration parameters. By default, the box is unticked.
5. Configure the remote archive parameters according to your needs:
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the panel Remote archive displays the configuration you just set.
7. If you selected SFTP, the panel SSH local key displays the SSH public key used. You must
COPY it and paste in on the SFTP server to secure the communication with SOLIDserver.
1187
Maintenance
If the backup file you need is not listed, upload it as detailed in the section Uploading a Backup
File.
• The backup file contains the appliance data and configuration as they were set at the time
of the backup generation. During the restoration, you can choose to include both or only the
data:
• The appliance data includes objects from all modules including the ones of the Local Files
Listing as well as all the rules, notifications and reports, unless you excluded them when you
saved the backup.
• The appliance configuration includes the network configuration (hostname, DNS resolver,
firewall configuration, default gateways, default/static route configuration) and services
configuration (services status, xfer account settings, SNMP communities).
• The records belonging to a smart architecture have a dedicated restoration option. If
your backup file includes zones belonging to a physical server managed via a smart architecture,
you can decide to:
• Overwrite their content with the one saved in the backup file. In this case, you loose all the
latest changes (records added or deleted) between the time of the backup and the time of
the restoration.
• Keep their current content if they are present in the backup file.
In both cases, all the zones that are not part of the backup file, as well as their records, are
lost during the restoration.
• You cannot restore a backup on an appliance set in High Availability. You need to disable
the High Availability, restore the backup on a Standalone appliance and then configure the
High Availability again. For more details, refer to the section Replacing a Hot Standby Appliance
With Backup.
• Restoring objects of the module Application or Guardian leads to a synchronization
between the GUI and the GSLB or Guardian server: The objects that are on the server and
1188
Maintenance
also in the GUI are kept. The objects that are only present on the server are deleted and the
objects only in the GUI are added on the server.
Therefore, if you created, edited or deleted objects since the backup was saved, all changes
are lost and may even not be visible in the GUI. Before restoring a backup, make sure you
saved it when the Application or Guardian database was up-to-date.
• If you activated the database encryption you must ensure you downloaded the database
keys, as you need to import them after you restore your backup. For more details, refer to the
section Downloading Database Keys in the chapter Securing.
Tick it if you are restoring a backup using an NSD or Unbound Hybrid server.
6. Tick the box Overwrite DNS records managed via a smart architecture to restore the records
database as saved during the backup. If you do not tick the box, the restored zones keep
the current version of the records they contain if they are managed via a smart architecture.
In both cases, a restoration includes all and only the zones present in the backup file.
7. Click on OK to complete the operation.
If you restored a backup on an appliance where the encryption database is activated, a banner
above the Top bar notifies you to import your database keys again. You must import them to
synchronize the DHCP and DNS services and enable NetChange discoveries again. For more
details refer to the section Importing Database Keys in the chapter Securing.
Note that once SOLIDserver operating system is stopped, the power supplies are automatically
turned off.
Rebooting SOLIDserver
There are two ways of rebooting SOLIDserver safely, from the GUI and via CLI.
Note that only users with sufficient rights can reboot SOLIDserver.
Only users with sufficient rights can reboot any appliance from the GUI.
1189
Maintenance
Only users with sufficient rights can reboot any appliance through CLI using its IP address,
hostname or a serial port.
1190
Maintenance
Prerequisites
• Only users with sufficient rights can shut down SOLIDserver software.
• Before shutting down a remote SOLIDserver hardware appliance, keep in mind that you must
have physical access to it power it back with the the button . You must plug in again
SOLIDserver-50 appliances to start them back.
Any SOLIDserver appliance can be shut down from the GUI, granted that the user has sufficient
rights.
Any SOLIDserver appliance can be shut down via CLI using its IP address, hostname or a serial
port.
1191
Maintenance
Any SOLIDserver hardware appliance can be shut down for the hardware itself, to avoid an abrupt
shutdown follow the procedure below.
It must be done as a last resort if it is impossible from the GUI or via CLI, note that shutting down
the hardware appliance also shuts down the software.
Note that a long press stops the appliance abruptly and may trigger errors. The appliance
would stop without properly transferring files or stopping the processes as expected.
For SOLIDserver-50 appliances, you must unplug the appliance and plug it again.
3. The appliance stops automatically after synchronizing its buffer on the disk.
1192
Chapter 97. Securing
To secure SOLIDserver, administrators can use SSL certificates to secure access to appliances
and/or encrypt all sensitive data. This chapter gathers the following:
• Managing SSL Certificates.
• Encrypting the Database.
By default, each appliance uses a self-signed certificate to secure connections. As this certificate
is not trusted by your web browser, warning messages appear to inform you that the certificate
is not from a trusted certifying authority, that its hostname is invalid, etc. This connection can be
prone to a man-in-the-middle (MITM) attack.
When you receive such warnings, you can accept the certificate for the current session and save
it in the certificate store of your browser.
To eliminate the warning messages altogether, you can import or create a valid SSL certificate
and use this one instead of the default one to secure connections.
If you are configuring the module Identity Manager on your appliance, you must import the
relevant SSL certificate and its related CA.
• Create X.509 self-signed certificates, CSRs and private keys, as detailed in the section Creating
SSL Objects.
• Download the certificate and CSR details and public keys, as detailed in the section Down-
loading SSL objects.
• Delete certificates, CSRs and private keys, as detailed in the section Deleting SSL Objects.
For more details on how to change the SSL certificate that authenticates the connections to the
appliance, refer to the section Changing the HTTPS Certificate in the chapter Configuring the
Services.
Note that the public key of each certificate is not listed, it is available on the certificate properties
pages.
1193
Securing
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All certi-
ficates opens.
The properties page contains the panels Certificate, Private key and/or Public key. Any configured
Subject Alternative Name is available in the panel Certificate.
The content of every panel can be downloaded, for more details refer to section Downloading
SSL objects.
If you are configuring the module Identity Manager on your appliance, you must import the
relevant SSL certificate and its related CA.
• CSRs (Certificate Signing Request), as detailed in the section Importing CSRs.
• Private keys, as detailed in the section Importing Private Keys.
Note that you cannot edit SSL objects. If you import the wrong object, you can only delete it and
perform the import again for the right one. For more details, refer to the section Deleting SSL
Objects.
Importing Certificates
You can import as many self-signed certificates and CA signed certificates as you need. The
import wizard allows to paste in the certificate details, including any Subject Alternative Names,
and its private key.
1194
Securing
To import a certificate
Once you imported a valid certificate, if it is not a CA certificate, you can use it as HTTPS certi-
ficate for your local appliance. For more details, refer to the section Changing the HTTPS Certi-
ficate.
If you are configuring the module Identity Manager, once you imported the SSL certificate and
the CA certificate, you must configure the service Windows Event Collector as detailed in the
section Configuring SOLIDserver.
If you imported a CA certificate, you must enable two registry database keys to validate the cer-
tificate used during the SSL communications between SOLIDserver appliances.
Once you imported a valid CA certificate and enabled the registry database entries, you can use
it as HTTPS certificate for your local appliance. For more details, refer to the section Changing
the HTTPS Certificate.
1195
Securing
Importing CSRs
You can import as many Certificate Signing Requests (CSR) as you need. The import wizard
allows to paste in the certificate details, including any Subject Alternative Names, and its private
key.
To import a CSR
You can import as many private keys as you need. Any private key can be used to create certi-
ficates and CSRs.
If you imported a private key, you can use it to create a certificate or a CSR. For more details,
refer to the section Creating Self-signed Certificates or Creating CSRs.
1196
Securing
• CSRs (Certificate Signing Request), in PEM format. During the creation you can generate a
private key or use an existing one. For more details, refer to the section Creating CSRs.
• Private keys, as detailed in the section Creating Private Keys.
Note that you cannot edit SSL objects. If you create a misconfigured object, you can only delete
it and create it again. For more details, refer to the section Deleting SSL Objects.
From the page All certificates, you can create as many X.509 self-signed certificates as you need.
As each certificate is unique to a SOLIDserver appliance, you can configure it with Subject Altern-
ative Names for all the DNS names and IP addresses of the appliance.
The certificate creation wizard allows to either configure and generate the certificate private key
or use an existing private key. For more details on private keys import or creation, refer to the
sections Importing Private Keys and Creating Private Keys.
1197
Securing
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
13. Click on OK to complete the operation. The report opens and closes. The certificate is listed,
its private key is available on the certificate properties page.
Once you created a valid certificate, you can use it as HTTPS certificate for your local appli-
ance. For more details, refer to the section Changing the HTTPS Certificate.
1198
Securing
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
13. Click on OK to complete the operation. The report opens and closes. The certificate is listed.
Once you created a valid certificate, you can use it as HTTPS certificate for your local appli-
ance. For more details, refer to the section Changing the HTTPS Certificate.
Creating CSRs
From the page All certificates, you can create as many Certificate Signing Requests (CSR) files
as you need. The CSR details can be sent to the Certificate Authority that generates your certi-
ficate. Then you must import the certificate you receive, as detailed in the section Importing
Certificates.
As a CSR is used to generated a unique certificate for a SOLIDserver appliance, you can configure
it with Subject Alternative Names for all the DNS names and IP addresses of the appliance.
The CSR creation wizard allows to either configure and generate the certificate private key or
use an existing private key. For more details on private keys import or creation, refer to the sections
Importing Private Keys and Creating Private Keys.
To create a CSR
1199
Securing
• To update an entry in the list, select it. It is displayed in the field(s) again, you can
edit it and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes made, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
11. Click on OK to complete the operation. The report opens and closes. The CSR is listed, its
private key is available on the CSR properties page.
Once you created a CSR, you can go to its properties page to download the content of the
panel Certificate and send it to the Certificate Authority. For more details, refer to the section
Downloading SSL objects.
1200
Securing
11. Click on OK to complete the operation. The report opens and closes. The CSR is listed.
Once you created a CSR, you can go to its properties page to download the content of the
panel Certificate and send it to the Certificate Authority. For more details, refer to the section
Downloading SSL objects.
From the page All certificates, you can create as many private keys as you need.
Private keys can be used to create certificates or CSRs. For more details, refer to the sections
Creating Self-signed Certificates and Creating CSRs.
Note that the panel Certificate is displayed in PEM format and includes all the configured Subject
Alternative Names.
On the properties page of a CSR, only the content of the panel Certificate needs to be sent
to the Certificate Authority to generate the appliance certificate. Then you must import the
certificate you receive, as detailed in the section Importing Certificates.
1201
Securing
By default, only on fresh installations, a database key is available on the page. You can sort and
filter all the columns on the page but your cannot change their layout.
The panel Database key displays all the properties of the key and allows to download it.
1202
Securing
The column Status provides information regarding the database keys you manage.
! Active (missing) The key should be active but is missing from the key file. The database is not encryp-
ted. To activate the database encryption, you must import the key. For more details,
refer to the section Importing Database Keys.
Inactive The key is inactive and saved, it can be used to encrypt the database. For more
details, refer to the section Activating the Database Encryption.
! Inactive (missing) The key is inactive and missing from the key file. It cannot be used to encrypt the
database. If you want to be able to use it to encrypt the database, you must import
the key. For more details, refer to the section Importing Database Keys.
! Inactive (unsaved) The key is inactive and unsaved, it cannot be used to encrypt the database. All the
keys you add have that status by default. If you want to be able to use the key to
encrypt the database, you must download it. For more details, refer to the section
Downloading Database Keys or Activating the Database Encryption.
1203
Securing
If a banner above the top bar notifies you of any activation error, refer to the section
Troubleshooting the Database Encryption.
Once the database encryption is active, you can use a different database key to encrypt sensitive
data. Note that, in the procedure below, we tick the key that replaces the current active one, but
you can also execute the option Activate encryption without ticking any key and select it on the
last page of the wizard.
1204
Securing
Importing keys is useful if you already have database keys that can be used to encrypt sensitive
data, if the key used to encrypt the database has the Status Active (missing) or after restoring a
backup.
Note that if you configured appliances in High Availability, the Hot Standby automatically replicates
the database keys of the Master.
It is recommended to download the relevant keys before you generate a backup or before upgrad-
ing the appliance.
1205
Securing
The database encryption is deactivated. The key status is Active (unsaved), to activate it
again you must download it. For more details, refer to the section Downloading Database
Keys.
If the active key is missing and you downloaded your database keys
The database encryption is deactivated. The key status is Active (missing), to activate it again
you must import the database key file. For more details, refer to the section Importing Database
Keys.
1206
Securing
If the active key is missing but you did not download your database keys
The encryption is deactivated but all sensitive data has been encrypted and you can no longer
decrypt it. You need to decide if you want to encrypt the database again or if you want to
deactivate the encryption. The procedure differs if you are troubleshooting a Standalone
appliance or appliances in High Availability.
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing a DHCP Server,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
2. Add a new database key and activate it. For more details, refer to the sections Adding
Database Keys and Activating the Database Encryption.
• To stop encrypting the database, you must:
1. Specify again the password of all servers, appliances, and relevant profiles of your ap-
pliance to decrypt them:
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing a DHCP Server,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
2. Deactivate the database encryption. For more details, refer to the section Deactivating
the Database Encryption.
3. You can delete the database keys. For more details, refer to the section Deleting
Database Keys.
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing a DHCP Server,
Editing DNS Servers and Editing Remote Appliances.
1207
Securing
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
3. Add a new database key on the Master appliance and activate it. For more details, refer
to the sections Adding Database Keys and Activating the Database Encryption.
4. Add and enroll again the Hot Standby appliance. For more details, refer to the sections
Adding Remote Appliances and Configuring Two Appliances in High Availability.
• To stop encrypting the database both appliances, you must:
1. Disable the High Availability as detailed in the section Disabling the High Availability
Configuration.
2. Specify again the password of all servers, remote appliances, and relevant profiles of
your Master appliance to decrypt them:
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing a DHCP Server,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
3. Deactivate the database encryption. For more details, refer to the section Deactivating
the Database Encryption.
4. You can delete the database keys. For more details, refer to the section Deleting
Database Keys.
5. Add and enroll again the Hot Standby appliance. For more details, refer to the sections
Adding Remote Appliances and Configuring Two Appliances in High Availability.
1208
Chapter 98. Upgrading
This chapter details the procedures to successfully upgrade SOLIDserver 7.3 to a higher patch.
To upgrade SOLIDserver from a previous minor or major version, refer to the guide SOLIDserv-
1
er_Upgrade_to_Version_7.3.pdf available on our website .
Prerequisites
1. Have an Internet connection and your credentials ready to download the version of
SOLIDserver that suits your needs on our website.
2. If you installed hot-fixes, they are deleted during the upgrade. The upgrade wizard retrieves
a list of all installed hot-fixes that you can download.
Note that hot-fixes are only detected locally. When you upgrade a remote SOLIDserver from
the Management appliance, hot-fixes are deleted but the list of files is not available.
3. Keep the upgrade file as is. You cannot rename SOLIDserver upgrade files, otherwise the
upgrade may fail.
4. If you encrypted the database, make sure you have access to the database encryption key
file before upgrading a Standalone or Management appliance, in case you need to import the
keys again. For more details, refer to the section Downloading Database Keys in the chapter
Securing.
5. Follow the proper upgrade procedure.
• If you want to upgrade an appliance, either managing remote appliances or not, refer to the
section Upgrading an Appliance.
• If you want to upgrade appliances managed remotely, refer to the section Upgrading Appli-
ances Managed Remotely.
• If you want to upgrade appliances configured in High Availability, refer to the section Upgrad-
ing Appliances in High Availability.
6. Save the backup file generated during the upgrade. All backup files are automatically deleted
after the number of days defined in the Retention duration you set. If for any reason you need
to troubleshoot the upgrade beyond that period, you will need the latest backup. For more
details regarding troubleshooting, refer to the section Troubleshooting the Upgrade below.
For more details regarding the backup retention time, refer the section Managing Backups and
Restoring Configurations.
Upgrading an Appliance
If you meet the prerequisites, you can upgrade SOLIDserver to a higher patch, it implies to:
1. Download the image of the latest patch of version 7.3.
2. Upgrade the appliance.
1
At https://downloads.efficientip.com/support/downloads/SOLIDserver/7.3/docs/, log in using your credentials. If you do not have cre-
dentials yet, request them at www.efficientip.com/support-access.
1209
Upgrading
Note that:
• Once the appliance is upgraded, the page Services configuration might display different statuses:
any service that was stopped restarts when SOLIDserver reboots. Only disabled services are
not started after an upgrade.
• If an error occurs during the upgrade, refer to the section Troubleshooting the Upgrade of a
Standalone or Remote Appliance.
If you are upgrading an appliance in High Availability, refer to the section Upgrading Appliances
in High Availability.
If you are upgrading a Management appliance and its remote appliance(s), refer to the section
Upgrading Appliances Managed Remotely.
Once the file retrieved, the fields Current version and Upgrade to appear. They both
indicate the version and architecture as follows: <version> (<architecture>).
If you installed hot-fixes, all related files are listed under Modified files on the page. For
more details, refer to the prerequisites.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
3. Save the backup file
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
1210
Upgrading
b. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
c. In the panel Local backup file, select the latest backup file. It is named solid-<hostname>-
<year><month><day>-<hour><minutes>.gz.
d. Click on DOWNLOAD to save the file locally. Once the file is downloaded, the page is visible
again.
You can upgrade all remote appliances at once to the same version and architecture as their
Management appliance. Which is why you must:
1. Check the version of your Management appliance.
2. Upgrade the remote appliance(s) to the same version from the Management appliance.
3. Save the backup file of each remote appliance, it is generated during the upgrade.
Note that:
• To upgrade a remote appliance, the Management appliance should already be upgraded.
• When you upgrade remote appliances from the Management appliance, you cannot retrieve
the list of hot-fixes because it is only available locally.
• Once appliances are upgraded, the page Services configuration might display different statuses:
any service that was stopped is started when SOLIDserver reboots. Only disabled services
are not started after an upgrade.
• If an error occurs during the upgrade, refer to the section Troubleshooting the Upgrade of a
Standalone or Remote Appliance.
If you are upgrading a Standalone appliance or only the Management appliance, refer to the
section Upgrading an Appliance.
If you are upgrading appliances in HA, refer to the section Upgrading Appliances in High Availab-
ility.
1211
Upgrading
e. In the menu, select Edit > Upgrade remote SOLIDserver.The wizard Upgrade remote
SOLIDserver opens.
If you installed hot-fixes, you cannot retrieve the list of these files as they are only
available locally.
f. To start the upgrade, click on OK . The report opens and works until the selected appli-
ance(s) version matches the version of the Management appliance.The wizard eventually
closes. The appliance(s) are not accessible for a few minutes.
3. Save the backup file of each remote appliance
a. Connect to the remote appliance appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
d. In the panel Local backup file, select the latest backup file. It is named solid-<hostname>-
<year><month><day>-<hour><minutes>.gz.
e. Click on DOWNLOAD to save the file locally. Once the file is downloaded, the page is visible
again.
f. Repeat steps a to e for each of the remote appliances you upgraded.
Upgrading appliances in High Availability must be performed from the Master appliance. During
the upgrade process:
1. The Hot Standby appliance is upgraded first. As the upgrade requires to stop and restart
an appliance that would imply switching the appliances role, if the Hot Standby is upgraded
first, the Master appliance database is still available and no switch is required.
2. The Master appliance is upgraded once the Hot Standby upgrade is complete. Once the
Hot Standby is upgraded, the Master appliance can be stopped and restarted and no switch
is performed.
This process ensures that the appliances do not switch roles and that the database is available
even during the upgrade. Note that:
• To prevent errors, especially if the upgrade takes too long, the upgrade of appliances configured
in High Availability includes a step to disable the re-enrollment option, and another one to enable
it again when the upgrade is done.
1212
Upgrading
• Once the appliances are upgraded, the page Services configuration might display different
statuses as any service that was stopped is started when SOLIDserver reboots. Only disabled
services are not started after an upgrade.
• If an error occurs during the upgrade, refer to the section Troubleshooting the Upgrade of Ap-
pliances in High Availability.
• Since version 7.1.3, you can no longer manually upgrade appliances from the Hot Standby.
If you are not upgrading an appliance in High Availability, refer to the section Upgrading an Ap-
pliance or Upgrading Appliances Managed Remotely.
1213
Upgrading
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Upgrade. The wizard Upgrade SOLIDserver opens.
d. Click on BROWSE to select the file containing the upgrade image.The name of the selected
file is displayed in the field File name.
Once the file retrieved, the fields Current version and Upgrade to appear. They both
indicate the version and architecture as follows: <version> (<architecture>).
If you installed hot-fixes on the Master appliance, all related files are listed under Modified
files on the page. For more details, refer to the prerequisites.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
6. Check that both appliances are upgraded
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized Man-
agement opens.
d. In the column Version, the value for the Master should match the one on the Hot
Standby appliance.
e. Connect to the Hot Standby appliance GUI and repeat steps b to d to make sure both
appliances are in the same version of SOLIDserver. If they do not, refer to the section
Troubleshooting the Upgrade of Appliances in High Availability.
7. Save the backup file of both appliances
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
d. In the panel Local backup file, select the latest backup file. It is named solid-<hostname>-
<year><month><day>-<hour><minutes>.gz.
e. Click on DOWNLOAD to save the file locally. Once the file is downloaded, the page is visible
again.
f. Connect to the Hot Standby appliance GUI and repeat the steps b to e if you set a
specific network/services configuration.
8. Enable the automatic re-enrollment from the Master
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Expert, click on Registry database. The page Registry database opens.
d. Filter the column Name with module.system.auto_replication_repair.
1214
Upgrading
Note that you need the backup file of the previous version or patch to be stored locally on the
appliance. It was generated during the upgrade to version 7.3.
If the backup file is not listed, in the menu select Tools > Upload a backup file. Browse
your computer to find it and click on OK to make sure it is listed in the panel.
1215
Upgrading
c. Hit the key T to select T Tools and hit the key Enter. The page Tools opens.
d. The line S Start a shell is selected, hit Enter. The terminal closes.
e. Execute the following command to get root permissions:
sudo -s
Note that only the backup files saved when the previous version was installed are listed,
so if you upgraded a few days ago, none of the backup files saved between the upgrade
and the rollback are listed.
h. Once the backup file of your choice is highlighted, click on Enter. The page WARNING
ROLLBACK WILL RESTORE A BACKUP opens.
i. Hit the key Y to highlight the line ( ) Y CONFIRM ROLLBACK. Press the key Space to
select this option, the * indicates the line is selected: (*) Y CONFIRM ROLLBACK.
j. Hit Enter to confirm.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
1216
Upgrading
If both appliances were correctly upgraded to the desired version but the High Availability
configuration was broken, you only need to reconfigure it. For more details, refer to the section
Setting a High Availability Configuration.
If an error occurred but both HA appliances were upgraded to the same patch of version
7.3, you can roll back via CLI starting with the Master appliance. This restores the appliances
version and database as they were before the upgrade.
If the backup file is not listed, in the menu select Tools > Upload a backup file. Browse
your computer to find it and click on OK to make sure it is listed in the panel.
f. Connect to the Hot Standby appliance GUI and repeat the steps b to e.
2. Make sure the High Availability is properly disabled
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized Man-
agement opens.
If the High Availability configuration is already disabled, i.e. both appliances have a
Standalone role, go to the next numbered step.
d. Tick the Hot Standby appliance.
e. In the menu, click on Delete. The wizard Delete opens.
f. Click on OK to complete the operation. The report opens and works for a while - the Hot
Standby database is saved before it is erased - and closes. The Hot Standby is no
longer listed on the page. The former Master appliance keeps a Master role.
1217
Upgrading
c. Hit the key T to select T Tools and hit the key Enter. The page Tools opens.
d. The line S Start a shell is selected, hit Enter. The terminal closes.
e. Execute the following command to get root permissions:
sudo -s
Note that only the backup files saved when the previous version was installed are listed,
so if you upgraded a few days ago, none of the backup files saved between the upgrade
and the rollback are listed.
h. Once the backup file of your choice is highlighted, click on Enter. The page WARNING
ROLLBACK WILL RESTORE A BACKUP opens.
i. Hit the key Y to highlight the line ( ) Y CONFIRM ROLLBACK. Press the key Space to
select this option, the * indicates the line is selected: (*) Y CONFIRM ROLLBACK.
j. Hit Enter to confirm.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
k. Connect to the Hot Standby appliance CLI and repeat the steps b to j.
After the rollback, you might want or need to re-enroll the appliances to make sure there is no
replication delay. For more details, refer to the section Configuring High Availability Advanced
Options.
If both appliances in High Availability were upgraded to two different versions, a banner
above the top bar prompts you to downgrade your software version. You can downgrade each
appliance locally via CLI, starting with the Master appliance.
1218
Upgrading
Note that:
• You need the backup file, generated during the upgrade, to be stored locally on each appliance.
• You need to disable the high availability configuration, if it is enabled, before downgrading both
appliances separately.
If the backup file is not listed, in the menu select Tools > Upload a backup file. Browse
your computer to find it and click on OK to make sure it is listed in the panel.
f. Connect to the Hot Standby appliance GUI and repeat the steps b to e.
3. Make sure the High Availability is properly disabled
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized Man-
agement opens.
If the High Availability configuration is already disabled, i.e. both appliances have a
Standalone role, go to the next numbered step.
d. Tick the Hot Standby appliance.
e. In the menu, click on Delete. The wizard Delete opens.
f. Click on OK to complete the operation. The report opens and works for a while - the Hot
Standby database is saved before it is erased - and closes. The Hot Standby is no
longer listed on the page. The former Master appliance keeps a Master role.
1219
Upgrading
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Upgrade. The wizard Upgrade SOLIDserver opens.
d. Click on BROWSE to select the file containing the upgrade image.The name of the selected
file is displayed in the field File name.
Once the file retrieved, the fields Current version and Upgrade to appear. They both
indicate the version and architecture as follows: <version> (<architecture>).
If you installed hot-fixes, all related files are listed under Modified files on the page. For
more details, refer to the prerequisites.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
g. Connect to the future Hot Standby appliance GUI and repeat the steps b to f.
5. Restore the backup of both appliances separately via CLI
a. Using a terminal emulator, open a shell session to connect to the Master appliance CLI
using its IP address or hostname.
If the connection cannot be established, it means that SOLIDserver did not finish
downgrading. Wait and open another shell session.
b. Log in using the credentials admin/admin. The CLI Main menu appears.
c. Hit the key B to select B Backup Management and hit the key Enter. The page Backup
Management opens.
d. Select R Restore backup and hit Enter. The page Backup files opens.
e. Using the digit keys, select the backup file generated before the unsuccessful upgrade.
f. Hit Enter to select it. The message Do you also want to restore the configuration of
the system? appears.
g. The answer Yes is selected. Hit Enter to select it.
The message Do you really want to restore <backup-file-name>? Your server will
automatically be rebooted to complete the process if you continue appears and the
answer Yes is selected
h. Hit Enter to confirm.
1220
Upgrading
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
i. Connect to the Hot Standby appliance CLI and repeat steps b to h if you want to restore
the network/services configuration of the future Hot Standby appliance.
Note that, if you do not need to restore the network/services configuration of your Hot
Standby appliance, you can restore only the Master appliance.
6. Enroll the Hot Standby again
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized Man-
agement opens.
d. In the menu, click on Add. The Add/Modify remote SOLIDserver appears.
e. In the field SOLIDserver IP address, specify the IPv4 address of the appliance you want
to add to the list.
f. If the field "Admin" account password is empty, type in the SSH password, i.e. the
default one (admin) or the one you set if you changed it.
g. Click on OK to complete the operation. The report opens and closes. The new appliance
is listed and marked Standalone in the column Role and Managed (remote) in the column
Status.
h. Tick the future Hot Standby.
i. In the menu, select Edit > Enroll SOLIDserver as Hot Standby. The wizard Enroll
SOLIDserver as Hot Standby opens.
j. Click on OK to complete the operation. The report opens and works for a while, until the
Hot Standby appliance database is erased and replaced by the Master appliance
database. The appliance set as Hot Standby is unavailable for a while. Each appliance
role is modified according to the configuration, they both get the same HA UID.
7. Contact your reseller's support team to correct your database and successfully upgrade
SOLIDserver.
After the rollback, you might want or need to re-enroll the appliances to make sure there is no
replication delay. For more details, refer to the section Configuring High Availability Advanced
Options.
1221
Part XX. Customization
There are many ways of customizing SOLIDserver to suit your needs from the GUI to the data you manage.
You can also customize your databases even further following the chapters:
• Configuring Classes details how administrators can manage classes to configure custom properties for
your resources and tailor your database.
• Custom DB details how to create databases tailored to your needs. They can, for instance, be used when
to ease the configuration of your classes.
• Managing Customization Packages details how to install packages to import customized functionalities
from an archive file.
Table of Contents
99. Customizing the GUI .............................................................................................. 1224
Customizing SOLIDserver Login Page .................................................................. 1224
Customizing the Main Dashboard Welcome Banner ............................................... 1227
Customizing the Interface Names and Fields ......................................................... 1229
100. Managing Smart Folders ...................................................................................... 1231
Browsing Smart Folders ....................................................................................... 1231
Adding Smart Folders .......................................................................................... 1232
Editing Smart Folders .......................................................................................... 1233
Sharing Smart Folders ......................................................................................... 1233
Deleting Smart Folders ........................................................................................ 1234
101. Managing IPv6 Labels .......................................................................................... 1235
Limitations .......................................................................................................... 1235
Adding Labels ..................................................................................................... 1235
Displaying or Hiding Labels .................................................................................. 1236
Editing Labels ..................................................................................................... 1236
Deleting Labels ................................................................................................... 1237
102. Configuring Classes ............................................................................................. 1238
Browsing Class Studio Database .......................................................................... 1239
Managing Classes ............................................................................................... 1241
Configuring the Classes Content .......................................................................... 1248
103. Configuring Custom Databases ............................................................................. 1296
Browsing Custom DB .......................................................................................... 1296
Adding a Custom DB ........................................................................................... 1297
Editing a Custom DB ........................................................................................... 1297
Exporting Custom Databases ............................................................................... 1298
Deleting a Custom DB ......................................................................................... 1298
Configuring a Custom DB with Custom Data ......................................................... 1298
104. Managing Customization Packages ....................................................................... 1301
Browsing the Packages Database ........................................................................ 1301
Uploading Packages ............................................................................................ 1302
Creating Packages .............................................................................................. 1302
Editing Packages ................................................................................................. 1304
Installing Packages .............................................................................................. 1304
Uninstalling Packages ......................................................................................... 1304
Downloading Packages ........................................................................................ 1305
Deleting Packages .............................................................................................. 1305
1223
Chapter 99. Customizing the GUI
You can customize the Login page and the Main dashboard, SOLIDserver homepage, with images
and messages or even edit most GUI fields name.
• Customizing SOLIDserver Login Page
• Customizing the Main Dashboard Welcome Banner
• Customizing the Interface Names and Fields
Note that only users of the group admin can perform these changes.
In the Login page backgound, behind the login window and the disclaimer, you can display
an image.
In the login window, above the appliance hostname and credentials fields, you can display
a different logo.
At the bottom of the page, a banner includes the disclaimer and its title.
You can customize the Login page with images, as background and in the login window, or with
a disclaimer:
• Customizing the Login Page With Images
• Customizing the Login Page With a Disclaimer
1224
Customizing the GUI
2. Specify the image name as value of the dedicated registry database entry.
Uploading an Image
You can upload as many images as you need to the page Local files listing. Keep in mind that:
• Uploading images with a transparent background allows to fully integrate them to the graphical
interface.
• The image used to customize the logo must not exceed 373x74 pixels.
To display an image as a background on the login page, you have to set its name as value of
the appropriate registry database entry.
If you have not uploaded an image yet on Local files listing, refer to the section Uploading an
Image.
To change the background image, upload the new image and click on the Value of the registry
database entry to specify the name of the other image.
1225
Customizing the GUI
To stop displaying the image, click on the Value of the registry database entry and empty the
field. The default background is displayed again.
To display an image as a new logo in the login window, you have to set its name as value of the
appropriate registry database entry.
If you have not uploaded an image yet on Local files listing, refer to the section Uploading an
Image.
To change the login window logo, upload the new image and click on the Value of the registry
database entry to specify the name of the other image.
To stop displaying the logo, click on the Value of the registry database entry and empty the field.
The default logo is displayed again.
The disclaimer is saved in the appliance backup. If you have appliances configured in High
Availability, the disclaimer configured on the Master is also visible from the Hot Standby login
page.
1226
Customizing the GUI
To edit the disclaimer or its title, click on the Value of the relevant registry database entry to
specify the new information.
To stop displaying the disclaimer or its title, click on the Value of the relevant registry database
entry and empty the field. It is no longer displayed.
You can edit the welcome banner message, display an image or hide it altogether:
• Editing the Welcome Banner Message
• Displaying an Image on the Welcome Banner
• Hiding the Welcome Banner
Only users of the group admin can edit the welcome banner.
1227
Customizing the GUI
If you want to display a different image, follow the procedure and select another image.
Keep in mind that the selected image(s) is saved on the page Local files listing and listed on the
sub-page Custom images. For more details, refer to the section Managing Files from the Local
Files Listing.
1228
Customizing the GUI
1229
Customizing the GUI
label and rename it as well. For more details on how to display the interface in another language,
refer to the chapter Understanding the GUI in the section Configuring the User Display Settings.
• All labels, fields, columns and page titles can be renamed except:
• The title of the page Language editor itself.
• The disclaimer on the login page. To change it, refer to the section Customizing the Login
Page With a Disclaimer.
• The Main dashboard welcome banner message. To edit it, refer to the section Customizing
the Main Dashboard Welcome Banner.
1230
Chapter 100. Managing Smart Folders
Smart folders are a customization tool that allow to organize your items in a different way than
what you find on listing pages.
Smart folders provide a view of your database that helps you organize data into a tree-like hier-
archy. This display is completely virtual and does not affect in any way your data.
You can add, edit, delete and/or share smart folders with other users based on data available
from the modules IPAM, DHCP (only in v4), DNS, NetChange, Device Manager and Identity
Manager.
Each smart folder organization can have as many levels as you need and be composed of any
of the columns from the page it is added from, including meta-data (class parameters).
Like the gadgets, smart folders can either be personal or shared with other users. For more details,
refer to the section Sharing Smart Folders.
Note that:
• If a level does not appear when you expand the hierarchy of the smart folder, it means there
is no data to display.
• If a level is called N/A, it represents a level not relevant to the resource at the lowest level. For
instance, if you create a smart folder from the page All addresses and include a level "pool
name", if some IP addresses are not managed by a pool, they are listed under N/A.
1231
Managing Smart Folders
Once created, the smart folder is listed in the Tree view. If you do not see it use the button.
1232
Managing Smart Folders
Once edited, the smart folder new configuration can be displayed in the Tree view. Click on
to refresh the display.
The same procedure allows you to make a smart folder visible only to you.
1233
Managing Smart Folders
1234
Chapter 101. Managing IPv6 Labels
Labels provide a visual aid for IPv6 addresses management that allows to display the letters and
colors of your choice above a defined part of the addresses.
They allow to gather at a glance IP addresses belonging to a common container in the modules
IPAM, DHCP, Application and NetChange.
In the example above, the labels are named after the block-type and subnet-type networks. The
colors reflect the hierarchy. Also, the label goes above, and therefore hides, the configured ad-
dress, whether it is a full IP address or part of an address.
Limitations
• When configuring a label, you must type in the uncompressed version of the IP address. For
instance, to create a label for a network starting with the address 12:: , you must specify 0012::
• A label applies to IPv6 addressing regardless of the module, once set it applies to IPAM, DHCP,
Application and/or NetChange. Within the IPAM, if you have common network start addresses
among several spaces or networks, they all have the same label (see the East Coast and NYC
network labels in the example above).
Adding Labels
The labels are all managed from the same wizard, accessible in the menu Extra options.
You can add as many labels as you need on the following pages:
Ancienne taille de la page
• In the module IPAM, you can manage labels on the IPv6 pages All networks, All pools and All
addresses.
• In the module DHCP, you can manage labels on the IPv6 pages All scopes, All ranges, All
leases and All statics.
• In the module Application, you can manage the labels on the page All nodes.
• In the module NetChange, you can manage the labels on the IPv6 pages All addresses and
All routes.
To add a label
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.
c. Go to Application > Nodes. The page opens.
1235
Managing IPv6 Labels
4. In the field IPv6, type in or paste the uncompressed address you want to label, or part of it.
5. In the field Label Name, type in the label name of maximum 3 characters, letters or numbers.
Editing Labels
You can edit existing labels directly in their creation wizard.
To edit a label
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.
c. Go to Application > Nodes. The page opens.
d. Go to NetChange > Addresses or Routes. The page opens.
1236
Managing IPv6 Labels
2. If you accessed IPAM, DHCP or NetChange, make sure the button V6 is black, otherwise
click on it. The page refreshes and the button turns black.
3. In the menu, select Extra options > Configure IPv6 labels. The wizard Configure IPv6
labels opens.
Ancienne taille de la page
4. In the field List of labels, select the label you want to edit.
5. Edit the label IPv6, Label Name and/or Color.
6. Click on UPDATE to save the changes. The label is no longer listed in the field.
Keep in mind that the labels need to be displayed manually. For more details, refer to the section
Displaying or Hiding Labels.
Deleting Labels
Like for the edition, you can delete existing labels directly in their creation wizard.
To delete a label
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.
c. Go to Application > Nodes. The page opens.
d. Go to NetChange > Addresses or Routes. The page opens.
2. If you accessed IPAM, DHCP or NetChange, make sure the button V6 is black, otherwise
click on it. The page refreshes and the button turns black.
3. In the menu, select Extra options > Configure IPv6 labels. The wizard Configure IPv6
labels opens.
Ancienne taille de la page
4. In the field List of labels, select the label you want to delete. You can only delete labels one
at a time.
5. Click on DELETE . The label is no longer listed in the field.
1237
Chapter 102. Configuring Classes
Classes allow to configure properties and behaviors that change the addition and edition wizard
of the resources of your choice, they allow to tailor databases to their needs.
From the page Class Studio, users of the group admin can add, edit, rename, duplicate or move
classes, to another directory or resource.
When a class is selected, its parameters are available for configuration in the addition/edition
wizard of the resource. If the class is added empty, the wizard is unchanged.
Class parameters can be inherited and/or propagated from one module level to another. For
more details, refer to the section Inheritance and Propagation.
Within SOLIDserver, you can apply existing classes to resources from their addition/edition wizard.
You can edit but not delete global classes. For more details, refer to the section Editing Classes.
• Customized classes are all the classes you add from the page Class Studio. These classes
must be manually selected and applied to resources in their addition and edition wizard. The
wizard automatically detects that a custom class is enabled for the type of resource and provides,
before anything else, the list <resource> class, where you select the class of your choice or
None.
You can manage customized classes. For more details, refer to the section Managing Classes.
1238
Configuring Classes
Note that customized classes can be set as resource of groups of users. If users have man-
agement rights over objects configured with a customized class but the class is not among
their resources, they cannot display or edit the class parameters and they clear the value of
all the class parameters when they edit a resource. For more details regarding user resources,
refer to the section Assigning Resources to a Group.
Applying an enabled class may change the fields available in the addition/edition wizard of the
resource. In the example below, an administrator configured a network class called location in-
cluding an input field labeled City. When editing the network internal, a user selected this class,
and can now specify that the network is located in the City of Chicago.
Note that applied classes can also be used to set automatic templates to display specific columns
on a page based on the class applied to the container of the resources listed. For more details,
refer to the procedure To add an automatic template.
The classes are all listed on the page, while their content must be listed and managed from a
dedicated window, Class Editor.
Browsing Classes
To display the list of classes
By default, Class Studio displays as many global and default classes as there are resources
within SOLIDserver.
1239
Configuring Classes
Class Editor opens when you click on the name of any class on the page Class Studio.
1240
Configuring Classes
The information banner. It displays the edition state and allows to save or cancel the latest
changes.
The search bar allows to filter class objects.
This button allows to close Class Editor. If you exit the window without saving your
changes, they are lost.
This button allows to drag and drop, reorder, the class objects.
The left section is the class content, it displays the Label of the class objects you added. Its
name in the wizard where the class is applied.
This icon indicates the class object was set as Required.
The right section displays the list of available class objects.
Note that the information banner is gray by default, it changes color depending on the class edition
state:
• If the banner is blue, you must save your configuration.
• If the banner is green, your configuration is successfully saved or canceled.
• If the banner is red, an error occurred.
Class Editor allows to edit any of your own classes and the class global of any resource.
Managing Classes
From Class Studio, you can add, edit, rename, duplicate, move, stop using and/or delete classes.
Once added you can apply classes to the type of resource they were configured for.
Keep in mind that two types of class are available by default but their management is more limited:
• Default classes: you cannot edit or delete any default class. However, you can choose the
advanced properties you want to use, for more details refer to the chapter Managing Advanced
Properties.
• Global classes: you can edit each global class from the menu Extra options > Meta-data
but you cannot delete them. For more details, refer to the section Editing Classes below.
Ancienne taille de la page
This section only describes the classes themselves, to configure their content, or class objects,
refer to the section Configuring the Classes Content.
You can add and manage classes for the following resources, the columns correspond to the
drop-down lists available in the class addition wizard.
1241
Configuring Classes
Module Type
DHCP DHCP server, DHCPv6 server, DHCP scope, DHCPv6 scope, DHCP range, DHCPv6
range, DHCP group, DHCPv6 group, DHCP static, DHCPv6 static.
DNS DNS server, DNS view, DNS zone.
Device Manager Device, Port/Interface.
IPAM Space, Network, Network (v6), Pool, Pool (v6), Address, Address (v6).
NetChange Network device, port.
Rights & delegation Group, User. The groups of users are managed from the module Administration.
SPX Autnum. The Autnums are managed from the module IPAM.
VLAN manager VLAN domain, VLAN range, VLAN. Each type can be applied to VLAN and VXLAN objects.
VRF VRF.
Workflow Request. The resource Requests only applies to outgoing requests.
Adding Classes
You can add as many classes as you need. The customized classes must then be applied to the
resources of your choice, when you add or edit them.
Class Studio is case sensitive, therefore, even if the name of each class must be unique, you
can add classes with the same name if they have different cases.
To add a class
5. Click on OK to complete the operation. The report opens and closes. The class is listed.
1242
Configuring Classes
• A class must be enabled to be used. If a customized class is not enabled, it is not available
in the addition and edition wizards of the resource. For more details, refer to the section Applying
Classes.
Only global classes are enabled by default and can be edited and automatically integrated to
the wizards of the resources they are set for.
Applying Classes
Once at least one customized class is added and enabled, the addition and edition wizard of the
resource it can be applied to displays a dedicated page <resource> class.
This page allows to select and apply a class, that is to say load and configure its class objects
in the wizard.
Note that in some modules, you can configure and apply classes at many levels. When you are
adding resources at low levels without filtering the page to display the content of a specific con-
tainer, you need to select the resource container(s). If classes are applied at container levels,
you need to select a <resource> class for each container level, this does not load class objects
in the wizard, it allows to filter the list of potential containers for the resource you are adding.
To apply a class
1243
Configuring Classes
Option Description
<class-name> Select a class to apply it on the resource and load its content in the wizard. Classes
belonging to a directory are listed as follows: <directory>/<class-name>.
b. If you need to select a container and at least one class was applied at higher level:
4. Click on NEXT . The next page opens. All the class object fields are displayed in addition to
the standard fields, you can or must configure them. They may be displayed on several
pages.
If you are adding a low level resource and did not filter the list, you need to select its contain-
er(s) and potential classes set at higher level before getting to the page <resource> class.
5. Click on OK to complete the operation. The report opens and closes.
Editing Classes
You can edit the content of a customized class or the class global, that is to say edit the class
objects it contains or edit their order.
To edit a class
Keep in mind that you can also edit the configuration of the class global of a specific resource
directly from its management page, except for the following objects:
• DHCP groups, leases, ACLs, ACL entries, option definitions and failover channels.
• DNS views, DNSSEC keys, RRs, RPZ zones and RPZ rules.
• NetChange configurations, routes, addresses, VLANs and discovered items.
• VRF Route Targets.
• SPX policies.
1244
Configuring Classes
4. Edit the class object according to your needs following the procedure that suits your needs
in the section Adding Class Objects.
5. Click on OK to complete the operation. The object is updated in the left side of the window.
Renaming Classes
You can rename customized classes from their properties page. Renaming a class does not affect
the class objects it contains. Once a class has been renamed, it is updated on the properties
page of the concerned resources.
To rename a class
Duplicating Classes
You can duplicate customized classes. These duplicates can then be edited and renamed to
manage them more easily, for instance you might need to apply them to other types of resource
or even move them.
Duplicating classes can be useful since object values set for a resource are automatically inherited
by the resources it contains. For instance, if the value "Chicago" is set for a block-type network
through an input field "city", it is automatically inherited by the subnet-type networks it contains
if said subnet-type network also has an input field named "city".
To duplicate a class
1245
Configuring Classes
5. Click on OK to complete the operation. The duplicated class is listed and named as such:
copy_<original class name>.
Moving Classes
You can move customized classes from a directory to another or from a type of resource to an-
other. For instance, a class added for DNS servers can be moved and made available for a
completely different type of resource, like the DHCP ranges.
To move a class
There are two ways to enable a class, either from Class Studio or from a listing page.
1246
Configuring Classes
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Tick the class(es) of your choice.
4. In the menu, select Edit > Enable class or Disable class. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The class is marked as Enabled or Disabled in the column Status.
3. In the list Classes library, select a class and click on to enable it. The class is moved to
the list Enabled classes. You can enable as many classes as you need.
4. In the list Enabled classes, the classes enabled for this type of object are listed. You can
select the classes one by one and click on to disable them. Each class is moved back to
the list Classes library.
5. Click on OK to complete the operation. The report opens and closes, the listing page is visible
again.
As classes must not be used at all in SOLIDserver to be deleted, the following procedure might
come in handy. Keep in mind that the columns layout on the page can help you find the resources
using a class. For more details, refer to the section Customizing the List Layout.
Deleting Classes
Only customized classes can be deleted. Keep in mind that:
• You can delete customized classes if and only if they are not used by any resource within
SOLIDserver. Therefore, you might need to stop using the class before deleting it. For more
details, refer to the section Changing or Stop Using Classes.
1247
Configuring Classes
• Deleting a class deletes the class objects it contained and displayed on the resources properties
page. You might simply want To enable/disable a class from Class Studio or To enable/disable
a class from a listing page to use it again later.
To delete a class
Granting access to a class as a resource also grants access to its class parameters, so users
can configure them when they add or edit the objects configured with the class. If a group does
not have a customized class in its resources, editing objects configured with it empties the value
of all the class parameters. For more details, refer to the section Assigning Resources to a Group
in the chapter Managing Groups.
Once set, a class customizes addition and edition wizards of the resource with extra pages,
comments, boxes, lists, input fields etc. that can be prefilled with a value retrieved automatically
or set manually.
You need to add class objects within a class to configure its behavior. Keep in mind that:
• Customized classes only affect the addition and edition wizard of a resource if they are enabled.
Whereas global classes automatically affect them.
• The object values set for a resource are automatically inherited by the objects it contains. For
instance, if the value Chicago is set for a block-type network through an input field city, it is
automatically inherited by the subnet-type networks it contains if said subnet-type network also
has an input field named city.
You can tick several objects to set the inheritance or propagation property of their class para-
meters. For more details, refer to the section Inheritance and Propagation.
For each class, Class Editor includes a large library of class objects listed in alphabetical order:
1248
Configuring Classes
1249
Configuring Classes
Note that you can display on any listing page a column matching each of your customized classes
to order and filter the list based on the classes or class parameters applied on certain resources.
For more details, refer to the section Customizing the List Layout.
Autocompletion
The class object Autocompletion allows to display an autocompletion field in the wizard. It config-
ures an input field that allows to SEARCH for values matching what users type in. The available
values in the drop-down list depend on your configuration and can be based on:
• SOLIDserver services. All services and parameters are described in the API reference guide
1
on our website .
• A custom database. For more details, refer to the chapter Custom DB.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Manual.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
1
At http://www.efficientip.com/services/support/, in the section Products & Documentation. Log in using your credentials. If you do not
have credentials yet, request them at www.efficientip.com/support-access.
1250
Configuring Classes
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
11. Click on NEXT . The next page opens.
12. Configure the autocompletion based on services:
a. In the field Service name, type in the name of the listing service to call, for example
ip_subnet_list.
b. In the field Parameter name, type in the name of the input parameter that should be
used to pass the searched value. By default, it is WHERE.
c. In the field Search condition, type in a search condition, i.e. a variable, to display in the
Autocompletion drop-down list followed by like '%#%' . In our example, you can type in
subnet_name like '%#%' to format the display of all the IPv4 subnet-type networks name.
You can also filter the list by replacing the hash symbol (#) by a specific matching value.
d. In the field Parameter name for reverse search, type in the input parameter name, used
to do reverse searches. Indeed, if a user chose a network name for instance, the system
only has its ID. With this parameter you can pass the ID of the object instead of a string-
like parameter. By default, the parameter name is WHERE.
e. In the field Reverse search condition, type in a second variable to associate with the
one to display in the drop-down list, in our example subnet_id='#' .You can also filter
the list by replacing the hash symbol (#) by a specific matching value.
f. In the field Key, type in the key of the second variable, in our example subnet_id .
g. In the field Display format, type in the value that corresponds to the final display of the
data in the autocompletion drop-down list. You can format this value with as many
variables (preceded by $) or literal symbols as needed. For instance, the $subnet_name
(in $block_name > $site_name) - id = $subnet_id value displays the selected networks
in the following format: subnet_name (in block_name > site_name) - id = subnet_id.
h. Tick the box Allow non-matching values if you want to allow the input field to accept
values that are not part of the database.
i. Tick the box Automatic accept if you want the field to provide a list of matching Custom
DB entries when the user types in values.
13. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1251
Configuring Classes
6. In the field Name, type in the name of the class object in the database. That name is never
displayed in Class Editor. Note that names must be unique and in lowercase.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Custom DB.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
11. Click on NEXT . The next page opens.
12. Configure the autocompletion based on a custom database:
a. In the field Custom DB name, type in the name of the Custom database of your choice.
The field autocompletes and the wizard refreshes. For more details on Custom data-
bases, refer to the chapter Custom DB.
b. In the drop-down list Key column, select the column containing the values to retrieve.
The values to save in SOLIDserver database (string of characters: _a-z0-9 only). To
prevent GUI conflicts, avoid names that are already used in the code such as: site, mac-
addr, gateway, vlan, domain, user, port, password...
c. In the drop-down list Label column, select the column containing the information you
want to display in the wizard, the label of the values.
d. Tick the box Allow non-matching values if you want to allow the input field to accept
values that are not part of the database.
e. Tick the box Automatic accept if you want the field to provide a list of matching Custom
DB entries when the user types in values.
13. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Checkbox
The class object Checkbox allows to insert a box in a wizard. This box is configured using the
true and false value of your choice, the true value is applied when the box is ticked. You can use
checkboxes alone or in combination with other class objects and parameters to validate complex
regular expressions.
1252
Configuring Classes
To add a checkbox
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. In the field "TRUE" value, type in the value you want to set for your box when it is ticked
(value yes or 1).
9. In the field "FALSE" value, type in the value you want to set for your box when it is not ticked
(value no or 0).
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
c. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
d. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
1253
Configuring Classes
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
11. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Comment
The class object Comment allows to include your own information, notice or warning message
in the wizard. The Comment is always placed after the wizard standard fields.
To add a comment
Value Description
None The message is a comment displayed in a gray area.
Warning The message is a warning displayed in an orange area entitled WARNING.
Notice The message is informational and displayed in a blue area entitled INFO.
8. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. The selected comment style is displayed.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1254
Configuring Classes
Note that the Comment is displayed on one line. You can hover over it to display the entire
message.
Counter
The class object Counter allows to count the number of times the class was applied to a resource.
Its value automatically increments and displays a read-only field in the wizard.
To add a counter
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Padding to display all the digits of the counter, including the zeros.
9. In the field Number of digits, you can type in the number of digits for your counter.
10. In the field Min value, you can type in the counter start value. It appears when the page is
accessed for the first time.
11. In the field Max value, you can type in the maximum value you want to set for your counter.
PNG
12. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
DHCP options
The class object DHCP options allows to include the DHCP option configuration fields in the
wizard. That way, you can configure DHCP options when adding or editing servers, groups,
scopes, ranges and statics, instead of relying on the dedicated wizard only available on the
properties page of each object. For more details regarding the options, refer to the appendix
DHCP Options.
1255
Configuring Classes
You can set multiple conditions but they must be separated by boolean connectors.
PNG
7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object DHCP shared network allows to display a drop-down list containing all the DH-
CPv4 scopes that can be used as shared networks in the wizard.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
1256
Configuring Classes
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Force VLSM
The class object Force VLSM is used to prevent the addition of terminal networks. It allows to
untick and hide the box Terminal network in the subnet-type network addition wizard. For more
details, refer to the section Adding Networks Manually.
With this class object, at the network level of your choice, any new network can be forced to non-
terminal, and contain other networks. For more details on network-based VLSM organizations,
refer to the chapter Using VLSM to Manage Your IPAM Network.
If you add the object Force VLSM, you cannot set the predefined variable NO_VLSM_SUBNET.
For more details, refer to the appendix Class Studio Pre-defined Variables.
1257
Configuring Classes
6. Tick the box Force non-terminal networks creation if you want to always untick and hide
the box Terminal network in the addition and edition wizard of subnet-type networks.
If set at space level or on a block-type network, the box is not displayed or left unticked.
7. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
8. In the drop-down list Network level, select a value between 0 (block-type networks) and 15
(subnet-type networks). This value defines at which level of network organizations the Force
VLSM is applied. By default, None is selected.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. Select in the list Spaces, one of your existing spaces. In a space-based VLSM organiz-
ation where two sub-spaces are at the same level, this allows to favor the space you
select and set up the delegation within the space of your choice.
Click on . The space in moved to the list Spaces. Only the spaces of this second list
are available in the list VLSM space, at the end of the wizard, when you add a non ter-
minal subnet-type network in a parent space and the corresponding block-type network
in a child space.
b. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Force class
This class object Force class allows to determine which classes are available at a lower level.
For instance at space level, it allows to decide that only two classes can be configured at network
level; even if ten network classes exist, only the ones you set are available in the addition and
edition wizard of the networks that space. Note that:
• The classes you force on lower level resources must be configured and enabled.
• You can force several classes on the same resource, so make sure they do not have conflicting
class object names.
1258
Configuring Classes
If you are forcing a class on IPAM objects, selecting Networks displays the drop-down list
Network level. In that list you can select a level between 0 (block-type networks) and 15
(subnet-type networks). This value defines at which level of network organizations the Force
class is applied. By default, None is selected.
10. Select the class(es) to force at lower level:
a. In the list Class, double-click on the class of your choice. The available classes depend
on the Module and Type set for the class. The class is moved to the list Classes.
b. In the list Classes, you can select any class and reorder the classes using and or
remove any class using .
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
12. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Force prefix
The class object Force prefix allows to force a specific prefix on a network and can be applied
on the subnet-type network itself or on the block-type network or space it is belongs to.
This object can also be set as the Pre-defined variable, it corresponds to FORCE_SUBNET_PRE-
FIX.
1259
Configuring Classes
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Force prefix.
5. In the class objects list, click on Force prefix or drag and drop it among the class objects. The
wizard Force prefix opens.
6. In the field Name, FORCE_SUBNET_PREFIX is displayed. You cannot edit it.
7. In the drop-down list Network level, select a value between 0 (block-type networks) and 15
(subnet-type networks). This value defines at which level of network organizations the Force
prefix is applied. By default, None is selected.
8. In the field Value, type in the prefix you want to force for the resource. By default, it is set to
24.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
10. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Hidden data
The class object Hidden data allows to configure a resource with a parameter that is not displayed
in the wizard. It allows to set a class object that does not require any configuration from the user
or to hide another class object of the class.
This non-displayed data string could be used as a hidden signature for a class or to populate
other fields if you configure the field Constructor, via the Expert mode.
You can also configure the class object to force a value and overwrite a preexisting content, for
instance if its value is inherited from a parent. Note that all class object values, inherited or
overwritten, are visible on the properties pages of the resource configured with the class.
1260
Configuring Classes
If you specify another class object, once the Hidden data is fully configured the class object
should no longer be displayed in the wizard.
7. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Constructor, you can type in the value of other class objects of the class
and use them as variables to automatically overwrite the Name of the field with the data
of your choice in the wizard.
For example, you could type in %v{<value1>}, %v{<value2>} where <value#> is the
value of an existing class object in the class. If <value1> is a city and <value2> is a
state, the field Name would be replaced with Chicago, Illinois in the wizard.
b. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
c. You can tick the box Force the object value to force the value of your choice when you
apply the class. The field Value to force appears.
In the field Value to force, specify a value or leave it empty. The vaIue you set is applied
without being displayed in the wizard. If you specified the Name of another class object
in the field Name, it overwrites the value of that object.
If you do not tick the box, the hidden data you create is configured for the class but has
no value to apply.
PNG
8. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Hide IP alias
The class object Hide IP alias allows to shorten the IP address addition wizard and skip the page
Aliases configuration. For more details, refer to the section Configuring and Managing IP Address
Aliases.
This object can also be set as the Pre-defined variable, it corresponds to HIDE_IP_ALIAS.
1261
Configuring Classes
You can set multiple conditions but they must be separated by boolean connectors.
PNG
9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Horizontal separator
The class object Horizontal separator allows to display a line to structure and divide the class
objects in the wizard.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Icon
The class object Icon allows to display an image next to the name of a class applied to Device
Manager devices, in the column Class.
1262
Configuring Classes
Before configuring an Icon for a device class, you must upload it to the page Custom images.
For more details, refer to the section Uploading an Image.
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
9. To display the icon next to the class name, in the sidebar, go to Device Manager > Devices.
The page All devices opens. Display the column Device class name. For more details, refer
to the section Customizing the List Layout.
Include class
The class object Include class allows to embed another class and the objects it contains. That
way, if you configure a class X to include the class Y, that already includes the class Z, when
users apply the class X they actually have the class objects of all three classes in the wizard.
To include a class
1263
Configuring Classes
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
10. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Input
The class object Input allows to display an input field in the wizard that users can fill in with a
data string.
Note that an Input is different from a Multiple input. For more details, refer to the section Multiple
input.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the field Input field maximum length, type in the maximum number of characters, including
spaces, that users can type in the field. By default, the maximum field length is 64.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Not editable to prevent users from editing the class object's value.
If you tick the box, the object appears in gray in the addition and edition wizards.
b. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
c. In the field Constructor, you can type in the value of other class objects of the class
and use them as variables to automatically overwrite the Name of the field with the data
of your choice in the wizard.
1264
Configuring Classes
For example, you could type in %v{<value1>}, %v{<value2>} where <value#> is the
value of an existing class object in the class. If <value1> is a city and <value2> is a
state, the field Name would be replaced with Chicago, Illinois in the wizard.
d. In the drop-down list Predefined format, you can select a format for the Name to be
valid. It can either be an IP address (v4), IP address (v6), Text, Unsigned integer, Signed
Integer, Domain name, FQDN Host, MAC address or Email address.
e. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
f. In the field Regex match, you can type in a regular expression that checks the syntax
of the value specified in the field. Some basic regular expression symbols are detailed
after the procedure.
g. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
h. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
i. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
11. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required and displayed in
gray, as a read-only field, if you made it Not editable.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
In the field Regex match you can enforce the format of data accepted in the Input field using
regular expressions. For instance, you could allow alpha characters in lower and uppercase using
[a-zA-Z], limit numbers to the range [1-99] or set a maximum string length using {}.
1265
Configuring Classes
Jump to page
The class object Jump to page allows to display class objects on the new page of the wizard,
you can name this page and include a message above the class objects if you want.
Any class object located after the Jump to page is moved to a new page, users have to click on
NEXT to display them.
1266
Configuring Classes
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. The new page Title is listed in a bigger font size than the other class objects.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Multiple input
The class object Multiple input allows to include a list under an Input field of the class and
therefore configure several values for the field. Under the Input field, a button ADD and a list are
displayed to configure the list of values.
Note that a Multiple input is different from an Input. For more details, refer to the section Input.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
8. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
9. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
10. In the field Input object name, type in the name of the Input class object associated with the
Multiple input.
11. If you set the Expert mode to Yes, you can:
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
1267
Configuring Classes
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
12. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
13. Make sure the multiple input is located right under the input field. To reorder the list, refer to
the section Reordering Class Objects.
Multiple select
The class object Multiple select allows to include a list under a Select of the class and therefore
configure several values of the list. The first list provides the button , to move one by one the
selected values in the second list. The data listed can be:
• Fixed values added to the list directly from the wizard.
• CSV values retrieved from a CSV file using a semi-colon ; to separate values.
• Service list values picked from the SOLIDserver services. All services and parameters are
2
described in the API reference guide on our website . Note that this type of data can help you
display custom databases in the wizard.
2
At http://www.efficientip.com/services/support/, in the section Products & Documentation. Log in using your credentials. If you do not
have credentials yet, request them at www.efficientip.com/support-access.
1268
Configuring Classes
Note that a Multiple select is different from a Select. For more details, refer to the section Select.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. This name is used for
both lists. Only this name is seen by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Fixed values. The wizard refreshes.
10. Configure the content of the multiple select:
a. In the field Key, type in an object name for the database using only the string of charac-
3
ters _a-z0-9 . The key is displayed in the field Label/Key.
b. In the field Label, type in the label of the Key to display in the wizard. The label and the
key are displayed in the field Label/Key as follows: <Label>#<Key>.
c. Click on ADD . The value is moved to the list Options.
d. Repeat these actions for as many values as needed. You can use to remove one by
one values from the list, or and to reorganize them.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Have none label if you want to include the value None to the drop-
down list.
b. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
3
To prevent GUI conflicts, avoid names that are already used in SOLIDserver database like site, mac-addr, gateway, vlan, domain,
user, port, password...
1269
Configuring Classes
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
12. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. This name is used for
both lists. Only this name is seen by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select CSV values. The wizard refreshes.
10. Configure the content of the multiple select:
a. In the field CSV file, type in the complete path of the file stored in the appliance. This
file must separate values with a semi-colon.
b. In the field Value column, type in the number of the column in the CSV file containing
the values to retrieve.
1270
Configuring Classes
c. In the field Label column, type in the number of the column in the CSV file containing
the values to display in the wizard, the label of each value.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Have none label if you want to include the value None to the drop-
down list.
b. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
12. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1271
Configuring Classes
5. In the class objects list, click on Multiple select or drag and drop it among the class objects.
The wizard Multiple select wizard.
6. In the field Name, type in the name of the class object in the database. That name is never
displayed in Class Editor. Note that names must be unique and in lowercase.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. This name is used for
both lists. Only this name is seen by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Service list values. The wizard refreshes.
10. Configure the content of the multiple select:
a. In the field Service, start typing in the name of a service. The matching services are
listed, select the one that suits your needs.
b. In the field Key, type in the object name as it should be saved in SOLIDserver database
(string of characters: _a-z0-9 only). To prevent GUI conflicts, avoid names that are
already used in the code such as: site, mac-addr, gateway, vlan, domain, user, port,
password...
c. In the field Label, type in the name of the input parameter, the label of the value to display
in the wizard.
d. In the field Where, type in an SQL condition to filter the retrieved values if need be.
e. In the field Order by, type in an SQL condition to sort the results if need be.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Have none label if you want to include the value None to the drop-
down list.
b. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
1272
Configuring Classes
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
12. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Object name
The class object Object name allows to build an automatic naming rule for a resource, such as
%v{city}-%v{store code} where city and store code are the names of objects belonging to the
same class. By convention, an Object name and the class objects used to build it should be
placed in the first page of the wizard.
For example, you could type in %v{<value1>}, %v{<value2>} where <value#> is the value
of an existing class object in the class. If <value1> is a city and <value2> is a state, the field
Name would be replaced with Chicago, Illinois in the wizard.
7. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
8. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
1273
Configuring Classes
PNG
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Owner
The class object Owner allows to display the name of the user who added the resource and applied
the class, no matter who edits it later.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Pre-defined variable
The class object Pre-defined variable allows to apply specific behaviors and configurations in
classes dedicated to IPAM objects, DHCP statics, DNS zones, Workflow requests, Device Manager
devices and Administration users.
Most IPAM pre-defined variables and the DNS zone pre-defined variable are dedicated to
Workflow requests.
Each variable can be enabled with a specific Value. For more details, refer to the appendix Class
Studio Pre-defined Variables.
Select
The class object Select allows to display a drop-down list in the wizard returning:
• Fixed values added to the list directly from the wizard.
• CSV values retrieved from a CSV file using a semi-colon ; to separate values.
1274
Configuring Classes
• Service list values picked from the SOLIDserver services. All services and parameters are
4
described in the API reference guide on our website .
• Custom DB values retrieved directly from your custom databases. We strongly recommend
using this type rather than a CSV file. For more details, refer to the chapter Custom DB.
Note that a Select is different from a Multiple select. For more details, refer to the section Multiple
select.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Fixed values. The wizard refreshes.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
4
At http://www.efficientip.com/services/support/, in the section Products & Documentation. Log in using your credentials. If you do not
have credentials yet, request them at www.efficientip.com/support-access.
1275
Configuring Classes
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
g. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
11. Click on NEXT . The last page opens.
12. Configure the content of the select based on fixed values:
a. In the field Key, type in the object name as it should be saved in SOLIDserver database
(string of characters: _a-z0-9 only). To prevent GUI conflicts, avoid names that are
already used in the code such as: site, mac-addr, gateway, vlan, domain, user, port,
password... The field Label/Key autopopulates.
b. In the field Label, type in the word string, corresponding to the key, as it should be dis-
played in the list. The field Label/Key autopopulates following the format <Label>#<Key>.
c. Click on . The value is moved to the list Options.
d. Repeat these actions for as many values as needed. You can use to remove one by
one values from the list, or and to reorganize them.
13. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1276
Configuring Classes
7. In the field Name, type in the name of the class object in the database. That name is never
displayed in Class Editor. Note that names must be unique and in lowercase.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
8. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
9. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
10. In the drop-down list Select type, select CSV values. The wizard refreshes.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
g. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
1277
Configuring Classes
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Service list values or Manual. The wizard refreshes.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
1278
Configuring Classes
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
g. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
11. Click on NEXT . The last page opens.
12. Configure the content of the select based on services:
a. In the field Services, start typing in the name of the service to call. The matching services
are listed, select the one that suits your needs.
b. In the field Key, type in the name of the input parameter corresponding to the values to
retrieve.
c. In the field Label, type in the name of the input parameter corresponding to the label of
the values to display in the wizard.
d. In the field Where, type in an SQL condition to filter the retrieved values if need be.
e. In the field Order by, type in an SQL condition to sort the results if need be.
f. In the field Limit, type in the maximum number of results to display.
g. In the field Tags, type in an SQL condition to filter the retrieved class parameters if need
be. You might need assistance from Efficient IP support team to fill in this field.
13. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1279
Configuring Classes
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Custom DB. The wizard refreshes.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
1280
Configuring Classes
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
g. In the field Default value, you can type in a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
11. Click on NEXT . The last page opens.
12. Configure the content of the select based on a custom database:
a. In the field Custom DB name, type in the name of the Custom database of your choice.
The field autocompletes and the wizard refreshes. For more details on Custom data-
bases, refer to the chapter Custom DB.
b. In the drop-down list Key column, select the column containing the values to retrieve.
The values to save in SOLIDserver database (string of characters: _a-z0-9 only). To
prevent GUI conflicts, avoid names that are already used in the code such as: site, mac-
addr, gateway, vlan, domain, user, port, password...
c. In the drop-down list Label column, select the column containing the information you
want to display in the wizard, the label of the values.
13. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object Select DHCP range allows to display a drop-down list containing all the DHCPv4
ranges in the wizard.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
1281
Configuring Classes
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object Select DHCP scope allows to display a drop-down list containing all the DHCPv4
scopes in the wizard.
1282
Configuring Classes
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DHCP scope.
5. In the class objects list, click on Select DHCP scope or drag and drop it among the class objects.
The wizard Select DHCP scope opens.
6. In the field Name, type in the name of the class object in the database. That name is never
displayed in Class Editor. Note that names must be unique and in lowercase.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1283
Configuring Classes
The class object Select DHCP server allows to display a drop-down list containing all the DHCPv4
servers in the wizard.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
1284
Configuring Classes
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object Select DHCP static allows to display a drop-down list containing all the DHCPv4
statics in the wizard.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
1285
Configuring Classes
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object Select DNS domain allows to display a drop-down list containing all the domains,
or DNS Master Name zones, in the wizard.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, Domain name is displayed. You can set a different name for the object
that will be displayed in the GUI. Only this name is seen by the user in the wizards.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. Set the value of the field Order by, type in a value to filter the selected domain by a key.
This key must respect the format: dz.{your_value}.
1286
Configuring Classes
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object Select DNS server allows to display a drop-down list containing all the DNS
servers in the wizard.
1287
Configuring Classes
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
The class object Select DNS zone allows to display a drop-down list containing all the DNS zones
in the wizard.
1288
Configuring Classes
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
1289
Configuring Classes
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Select class
The class object Select class allows to include a drop-down list containing existing classes in the
wizard. It can only return classes that apply to IPAM spaces, IPv4 networks, pools and addresses;
DNS servers and zones; DHCPV4 servers, scope, ranges and statics; and Administration groups
and users.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Type, select the resource to which apply the classes you want to display:
Space, Network, Pool, Address, DNS server, DNS zone, DHCP server, DHCP scope, DHCP
range, DHCP static, User or Group.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
1290
Configuring Classes
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
c. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
d. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
11. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
PNG
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Text area
The class object Text area allows to display an input area in the wizard.
In Class Editor, it looks like an input with a black square at the right-end of the field, as illustrated
in the image The window Class Editor in the section Browsing the Class Objects.
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
1291
Configuring Classes
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Rows, you can specify the number of rows to display in the text area.
b. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:
Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.
For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:
Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.
For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG
part of the class content. It is followed by if you ticked the box Required.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Time stamp
The class object Time stamp allows to include the exact time and date of addition of a resource
in a dedicated field of the wizard. It respects the format mm/dd/yyyy regardless of the date format
on your Settings.
1292
Configuring Classes
Note that if you edit a resource that was not configured with this class object, the time stamp
matches the moment you apply the class and not its actual addition date and time.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Upload file
The class object Upload file allows to include an upload tool in the wizard. It displays a field File
name and a button BROWSE to upload any file. Keep in mind that:
• Uploaded files cannot exceed 300 MB.
• Uploaded files are stored temporarily in the directory /tmp of the appliance and deleted shortly
after. The upload tool can therefore be used to import CSV files or other types of files to be
processed straight away by other class objects.
1293
Configuring Classes
You can use hexadecimal characters and underscores "_", but no spaces. To prevent GUI
conflicts, avoid names that are already used within the appliance such as: site, mac-addr,
gateway, vlan, domain, user, port, password...
7. In the field Label, type in the name of the class object in the wizards. Only this name is seen
by the users.
8. In the drop-down list Expert mode, you can select Yes to further configure the class object.
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left side of the window.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1294
Configuring Classes
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1295
Chapter 103. Configuring Custom
Databases
You can add custom databases on the page Custom DB.These databases are directly embedded
in SOLIDserver and can contain a maximum of 10 pieces of information, columns, named Label
#.
Keep in mind that the custom databases can come in handy when configuring classes with
parameters like select, multiple select or autocompletion. For more details, refer to the chapter
Configuring Classes.
Browsing Custom DB
Custom DB provides two pages, one for the databases and the other one for the custom data,
the content of each custom database.
On the properties page, the panel Main properties displays the Custom database name, Type,
Description and labels it contains.
1296
Configuring Custom Databases
3. In the column Name, click on the name of the custom database of your choice. The page
Custom data opens, it only displays the data of the custom database you chose.
On the properties page, the panel Main properties displays the name of the Custom database
it contains to and its defined labels and their value.
Adding a Custom DB
You can add as many custom databases as you need. Each custom DB can contain up to 10
columns to structure its custom data.
To add a custom DB
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the menu, click on Add. The wizard Create a custom DB opens.
4. Fill in each field as describe below:
Editing a Custom DB
You can edit a custom database, however keep in mind that:
• You can rename it, if you do, make sure that this name is unique and not already used by an-
other custom DB.
• You cannot edit the default custom database Vendor, it is in Read-only.
To edit a custom DB
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the column Name, right-click on the name of the database you want to edit. The contextual
menu opens.
4. Click on . The wizard Create a custom DB opens.
5. Edit each field according to your needs following the table below:
1297
Configuring Custom Databases
6. Click on OK to complete the operation. The wizard refreshes and closes. The changes are
displayed in the list.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
Deleting a Custom DB
You can delete your custom databases.
To delete a custom DB
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the list, tick the custom database that you want to delete.
4. In the menu, click on Delete. The wizard opens.
5. Click on OK to complete the operation.
Once your database contains everything you need, you can use it within classes and apply it to
the resource that suits your needs. For more details, refer to the chapter Configuring Classes.
You can also import custom data. For more details, refer to the section Importing Custom Data
in the chapter Importing Data from a CSV File.
1298
Configuring Custom Databases
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
1299
Configuring Custom Databases
3. In the column Name, click on the custom database of your choice. The page Custom data
opens.
4. Tick the custom data entries that you want to remove.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation.
1300
Chapter 104. Managing Customization
Packages
From the Administration module, you can import archive files, or packages, containing a set of
customized functionalities from the page Packager.
Once imported and uploaded, installing these packages can affect interfaces, databases, system
files, etc. depending on what they contain. These functionalities can take the form of classes,
services (also called macros), reports or rules.
Packager is composed of two pages: All Packages and All package files. From the page All
Packages, you can import or create, install, uninstall and delete your packages. The page All
package files simply provides the content of the packages.
Packager reuses the principle of the module of the same name in 3.0.1, however, it uses different
services. Therefore, packages created or used in previous versions of SOLIDserver cannot be
used with the current version.
The page All packages contains seven columns: Name, Description, Version, Vendor, Creation
time, Install time and Status. You cannot edit the page listing template.
To display all the information in one panel, open the package properties page.
1301
Managing Customization Packages
3. Click on the name of the package of your choice. The page All package files of the selected
package opens.
The page All package files contains five columns: filename, Directory, Type, Package version
and Version. You cannot edit the page listing template.
Uploading Packages
From the page All packages, you can upload your own packages in a .tar archive file.
To upload a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. In the menu, click on Add. The wizard Upload a package opens.
4. Click on BROWSE to search for the .tar file to import. A window opens to help you browse
through folders.
5. Double-click on the needed file. The window closes and the file is visible in the field File
name of the wizard.
6. Click on OK to complete the operation. The report opens and closes. The page All Packages
is visible again. The package is listed but it is not installed yet.
Creating Packages
If you want you can create your own packages from the page All packages. In this case, you can
configure it with existing rules, services, reports and classes.
To create a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. In the menu, select Tools > Expert > Create a package. The wizard Create a package
opens.
1302
Managing Customization Packages
1303
Managing Customization Packages
11. Click on OK to complete the operation. The report opens and closes. The page All Packages
is visible again. The package is listed but it is not installed yet.
Editing Packages
You cannot edit a package. If one of your packages contains files that you no longer require or
if it misses files, you need to replace it.
1. Uninstall the useless package.
2. Upload the package that replaces it or create another package. To make sure you do not forget
any file, you can look at the list All package files of the package you want to replace.
3. Delete the useless package.
4. Install the new package.
Installing Packages
Installing a package pushes its files to the relevant parts of the appliances. When uploading or
creating a package, it is simply listed in the GUI. If you do not install it, the files it contains are
simply stored locally but not used.
To install a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package(s) you want to install.
4. In the menu, select Edit > Install. The wizard Install a package opens.
5. Click on OK to complete the operation. The report opens and works until all the files are
pushed. The page is visible again. In the column Status the package is marked installed.
Uninstalling Packages
Uninstalling a package allows to revert all the changes that the files it contains were performing.
It also allows to delete a package: you cannot delete a package if it is installed, i.e. used.
To uninstall a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package(s) you want to uninstall.
4. In the menu, select Edit > Uninstall. The wizard Uninstall a package opens.
5. Click on OK to complete the operation. The report opens and closes. The page is visible
again. In the column Status the package is marked uninstalled.
1304
Managing Customization Packages
Downloading Packages
At any time you can download a package, whether it is installed or not. Keep in mind that you
can only download one package at a time.
To download a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package you want to download.
4. In the menu, select Edit > Download. The wizard Downloading a package opens.
5. Click on OK to complete the operation. The report opens and displays the package which is
an archive .tar file that can be downloaded from the page Local files listing available from
the page Admin Home.
6. Click on DOWNLOAD to download the file before closing the wizard.
7. Click on CLOSE . The wizard closes and the page All packages is visible again.
Deleting Packages
Once you no longer need a package, you can delete it as long as it is no longer used. This means
that if the package you want to delete is currently installed, you need to uninstall it before following
the procedure below. For more details, refer to the section Uninstalling Packages.
To delete a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package(s) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The package is no
longer listed.
1305
Appendix A. Matrices of Network Flows
Table of Contents
SOLIDserver ............................................................................................................... 1308
IPAM .......................................................................................................................... 1309
DHCP ......................................................................................................................... 1310
DNS ........................................................................................................................... 1311
NetChange ................................................................................................................. 1314
Identity Manager ......................................................................................................... 1315
Remote Management .................................................................................................. 1316
This appendix maps out in a set of tables the networks flows that you must open to manage your
SOLIDserver appliance or remotely manage servers.
Each flow detail includes its Source IP, Port, Destination IP, Port, Protocol, Service used and
Notes, when relevant. The Source IP and Destination IP may contain the following:
1306
Matrices of Network Flows
1307
Matrices of Network Flows
SOLIDserver
Basic Configuration
Source IP Port Destination IP Port Protocol Service Notes
administrator any SOLIDserver 80 TCP HTTP Graphic User Interface (GUI)
administrator any SOLIDserver 443 TCP HTTPS Graphic User Interface (GUI)
administrator any SOLIDserver 22 TCP SSH Command Line Interface (CLI)
SOLIDserver any DNS server 53 UDP DNS DNS resolution, DDNS update
SOLIDserver any DNS server 53 TCP DNS DNS resolution, DNS zone transfer
SOLIDserver any NTP server 123 UDP NTP Time synchronization
SOLIDserver any FTP server 21 TCP FTP Remote archive on an FTP or SFTP
SOLIDserver any SFTP server 22 TCP SFTP server
External Authentication
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver any LDAP/AD 389 TCP LDAP LDAP or AD authentication
SOLIDserver any LDAPS/AD 636 TCP LDAPS LDAPS or AD authentication
SOLIDserver any RADIUS 1812 UDP RADIUS RADIUS authentication
iDRAC
Source IP Port Destination IP Port Protocol Service Notes
administrator any iDRAC 22 TCP SSH iDRAC SSH
administrator any iDRAC 80 TCP HTTP iDRAC GUI
administrator any iDRAC 443 TCP HTTPS iDRAC GUI
administrator any iDRAC 5900 TCP VNC Virtual Console
1308
Matrices of Network Flows
IPAM
SPX
RIPE
APNIC
1309
Matrices of Network Flows
DHCP
EfficientIP DHCP Servers
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Required to manage an EfficientIP DH-
any DHCP server 443 TCP HTTPS
Management CP server on a SOLIDserver appliance
Failover channel port on the backup
DHCP master any DHCP backup 647 TCP Failover
server
Failover channel port on the master
DHCP backup any DHCP master 847 TCP Failover
server
DHCP client 68 DHCP server 67 UDP DHCP Required by the service DHCP
DHCP server 67 DHCP client 68 UDP DHCP Required by the service DHCP
DHCP client 546 DHCP server 547 UDP DHCP Required by the service DHCPv6
DHCP server 547 DHCP client 546 UDP DHCP Required by the service DHCPv6
Broadcast ad- Required by the DHCP protocol on the
DHCP client 68 67 UDP DHCP
dress local segment
a
DHCP server - any - ICMP ICMP Only if the option ping-check is enabled
a
For more details, refer to the section Preventing IP Address Duplication.
Linux Packages
Prerequisite before configuring a Linux Package: configuring DHCP network flows as detailed
in the section EfficientIP DHCP Servers.
DHCP Statistics
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver SNMP v1, v2c and v3 to retrieve the
any DHCP server 161 UDP SNMP
Management server statistics
1310
Matrices of Network Flows
DNS
EfficientIP DNS Servers
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Required to manage an EfficientIP DNS
any DNS server 443 TCP HTTPS
Management server on a SOLIDserver appliance
SOLIDserver DNS resolution, DDNS update, DNS
any DNS server 53 UDP/TCP DNS
Management zone transfer
DNS resolution, DDNS update, DNS
DNS server any DNS server 53 UDP/TCP DNS
zone transfer
DNS client any DNS server 53 UDP/TCP DNS DNS resolution
10000
SOLIDserver a
DNS server - 2053 UDP DNS DNS notify (optional)
Management
65535
a
The port 2053 allows to speed up zone transfers between SOLIDserver Management and its managed DNS servers.
Keep in mind that not all DNS engines support this functionality, for instance Microsoft DNS engines do not support it.
1311
Matrices of Network Flows
Linux Packages
Prerequisite before configuring a Linux Package: configuring the DNS network flows as detailed
in the section EfficientIP DNS Servers.
DNS Statistics
Source IP Port Destination IP Port Protocol Service Notes
SNMP v1,v2c or v3 to retrieve the stat-
SOLIDserver
any DNS server 161 UDP SNMP istics of DNS servers on SOLIDserver
Management
appliances or Linux Packages
GSS-TSIG
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Kerberos serv-
any 88 Protocol Kerberos Kerberos authentication
Management ers
Guardian
Cache Sharing via Unicast
DoT
1312
Matrices of Network Flows
DoH
HSM
Source IP Port Destination IP Port Protocol Service Notes
DNS server any HSM 9004 UDP/TCP Thales HSM Required for DNSSEC signing with HSM
HSM any RFS 9004 TCP RFS
DNS server any RFS 9004 TCP RFS
1313
Matrices of Network Flows
NetChange
Source IP Port Destination IP Port Protocol Service Notes
Network
NetChange any 161 UDP SNMP SNMP v1, v2c, v3
device
NetChange any DNS server 53 UDP DNS DNS resolution
Network
NetChange any 22 TCP SSH
device
Save the configuration
Network
NetChange any 23 TCP SNMP
device
1314
Matrices of Network Flows
Identity Manager
Source IP Port Destination IP Port Protocol Service Notes
Windows AD
any SOLIDserver 5986 TCP WEF Required to retrieve sessions.
Controller
1315
Matrices of Network Flows
Remote Management
High Availability
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver SOLIDserver
any 443 TCP HTTPS
Hot Standby Master
Health check
SOLIDserver SOLIDserver
any 443 TCP HTTPS
Master Hot Standby
SOLIDserver SOLIDserver
any 5432 TCP PostgreSQL
Hot Standby Master
Replication
SOLIDserver SOLIDserver
any 5432 TCP PostgreSQL
Master Hot Standby
1316
Appendix B. Multi-Status Messages
Table of Contents
DHCP Multi-Status Messages ...................................................................................... 1317
DNS Multi-Status Messages ........................................................................................ 1317
Application Multi-Status Messages ............................................................................... 1318
This appendix provides a list of messages returned in the column Multi-status. For more details,
refer to the section Understanding the Column Multi-Status.
1317
Multi-Status Messages
1318
Appendix C. Default Gadgets
SOLIDserver offers gadgets by default in the Gadgets Library. Among them, 12 are displayed
by default on the Main dashboard, NetChange dashboard and Device Manager dashboard.
1319
Default Gadgets
Gadget Description
NetChange network Displayed On NetChange dashboard.
devices vendor Type Chart.
Description A pie chart representing NetChange network devices repartition per
vendor.
NetChange active ports Displayed On NetChange dashboard.
speed (bps)
Type Chart.
Description A pie chart representing NetChange Active ports repartition per
speed. The Inactive and Disabled ports are not represented.
NetChange port status Displayed On NetChange dashboard.
Type Chart.
Description A pie chart representing NetChange ports repartition per status.
Number of interfaces used Displayed On Device Manager dashboard.
per device Type Chart.
Description A pie chart representing Device Manager used ports repartition per
device.
Number of ports used per Displayed On Device Manager dashboard.
device Type Chart.
Description A pie chart representing Device Manager used interfaces repartition
per device.
Number of RIPE assigned Displayed No.
networks allocated per year Type Chart.
Description A pie chart representing the RIPE assigned networks repartition
per year.
Sum of allocated RIPE as- Displayed No.
signed networks size per Type Chart.
year
Description A pie chart representing the RIPE allocated networks repartition
per size over the years.
Shortcuts Displayed On the Main dashboard.
Type Shortcut.
Description A gadget containing shortcuts toward the IPAM, DNS and DHCP
most commonly used pages.
Networks Displayed No.
Type Top list.
Description The 10 first networks sorted by start IP address with their start ad-
dress and prefix, name, proportion of used IP addresses and status.
System Information Displayed On the Main dashboard.
Type Descriptive.
Description A gadget gathering the appliance basic information: user connected,
version, time and date, license type and expiration, manufacturer
and product.
My account preferences & Displayed On the Main dashboard.
configuration Type Shortcut.
Description A gadget gathering user dedicated shortcuts, toward the Gadgets
Library and the wizard Change Language.
SOLIDserver Configuration Displayed On the Main dashboard.
Checklist Type Configuration.
Description A gadget gathering appliance configuration shortcuts.
1320
Appendix D. DHCP Options
Table of Contents
Most Used Options ...................................................................................................... 1322
Basic .......................................................................................................................... 1322
Server Parameters ...................................................................................................... 1323
Lease Information ....................................................................................................... 1324
WINS/NetBIOS ........................................................................................................... 1324
Host IP ....................................................................................................................... 1325
Interface ..................................................................................................................... 1325
Servers ....................................................................................................................... 1327
BootP Compatible ....................................................................................................... 1328
DHCP Packet Fields .................................................................................................... 1329
Microsoft DHCP Client ................................................................................................. 1330
NetWare Client ............................................................................................................ 1331
NIS/NISplus ................................................................................................................ 1331
Miscellaneous ............................................................................................................. 1332
Vendor Nwip ............................................................................................................... 1334
Vendor MSFT .............................................................................................................. 1335
This appendix describes all the DHCP options that you can configure at server, group, scope
range and static level.
From either level, you can access the wizard Configure DHCP options from the properties page.
The DHCP and DHCPv6 options are described in sections that correspond to the Option category
of the V4 wizard.
1321
DHCP Options
Basic
Table D.2. Basic DHCP options
Name Code Value type Description
auto-configure 116 boolean Allows to ask whether, and be notified if, auto-
configuration should be disabled on the local
subnet.
1322
DHCP Options
Server Parameters
These options concern the technical parameters on the server side.
1323
DHCP Options
Lease Information
These options concern the technical mechanisms on the client side of SOLIDserver DHCP protocol.
WINS/NetBIOS
Table D.5. WINS/NetBIOS options
Name Code Value type Description
netbios-dd-server 45 list of IP addresses List of NetBIOS datagram distribution servers
(NBDD), defined by RFC1001 and RFC1002.
These servers are sorted by order of preference.
netbios-name-servers 44 list of IP addresses List of WINS servers or of Net-BIOS name
servers (NBMS). These servers are sorted by
order of preference.
1324
DHCP Options
Host IP
Table D.6. Host IP options
Name Code Value type Description
default-ip-ttl 23 duration in seconds Default lifetime that the client must use to send
a datagram on the network. Valid values
between 1 and 255.
ip-forwarding 19 boolean Allows to enable or disable IP forwarding, accord-
ingly the client should configure its IP layer for
packets forwarding.
Interface
Table D.7. Interface options
Name Code Value type Description
all-subnets-local 27 boolean Specifies if the IP interface must demand that
all subnets with which it communicates use the
same MTU as that used by the physical inter-
face.
arp-cache-timeout 35 duration in seconds The timeout in seconds for ARP cache entries.
auto-configure 116 boolean Allows to ask whether, and be notified if, auto-
configuration should be disabled on the local
subnet.
1325
DHCP Options
1326
DHCP Options
Servers
Table D.8. Server options
Name Code Value type Description
cookie-servers 8 list of IP addresses Lists the cookie servers available for this client.
These servers are listed by order of preference.
1327
DHCP Options
BootP Compatible
Table D.9. BOOTP compatibility options
Name Code Value type Description
boot-size 13 number Length in block of 512 bytes of the boot image
file for this client.
bootfile-name 67 number Name of the boot file to use when the File field
is used to carry options.
cookie-servers 8 list of IP addresses List the Cookie servers available. These servers
are sorted by order of preference.
1328
DHCP Options
1329
DHCP Options
1330
DHCP Options
NetWare Client
Table D.12. NetWare client options
Name Code Value type Description
nds-context 87 text Specifies the initial NDS context the client should
use.
nds-servers 85 IP address Specifies one or more NDS servers for the client
to contact for access to the NDS database.
Servers should be listed in order of preference.
nds-tree-name 86 name Specifies the initial NDS context the client should
use.
nwip-domain 62 name Allows to convey the NetWare/IP domain name
used by the NetWare/IP product.
autoretries 8 provided by the Specifies a list of Quote of the Day servers
vendor available to the client. The servers should be
listed in order of preference.
autoretry-secs 9 provided by the Specifies a list of LPR servers available to the
vendor client. The servers should be listed in order of
preference.
nearest-nwip-server 7 provided by the Specifies a list of MIT-LCS UDP servers avail-
vendor able to the client. The servers should be listed
in order of preference.
nsq-broadcast 5 provided by the Specifies a list of Name servers available to the
vendor client. The servers should be listed in order of
preference.
nwip-1-1 10 provided by the Specifies a list of Imagen Impress servers
vendor available to the client. The servers should be
listed in order of preference.
preferred-dss 6 provided by the Specifies a list of DNS servers available to the
vendor client. The servers should be listed in order of
preference.
primary-dss 11 provided by the Specifies a list of RLP servers available to the
vendor client. The servers should be listed in order of
preference.
Slp-directory-agent 78 address IP Specifies the location of one or more SLP Direct-
ory Agents.
Slp-service-scope 79 scope Indicates the scopes that a SLP Agent is con-
figured to use.
NIS/NISplus
Table D.13. NIS/NISplus options
Name Code Value type Description
nis-domain 40 name Specifies the name of the client's NIS domain.
The domain is formatted as a character string
consisting of characters from the NVT ASCII
character set.
nis-servers 41 list of IP addresses Lists the IP of NIS servers available for the client.
The servers can be sorted by order of prefer-
ence.
nisplus-domain 64 name Specifies the name of the client's NIS+ domain.
The domain is formatted as a character string
1331
DHCP Options
Miscellaneous
Table D.14. Miscellaneous DHCP options
Name Code Value type Description
Avaya-96xxx 242 ascii string Private use options - Useful for Avaya 96xxx
(Refer to vendor documentation)
Mitel-DSCP-Priority 133 unsigned integer Allows to set the IEEE 802.1D/P Layer 2 Priority,
between 1 and 6 useful for Mitel IP phones. For more details, refer
to vendor documentation.
Mitel-IP-PHONE 130 ascii string Allows to set a discrimination string, useful for
Mitel IP phones. For more details, refer to vendor
documentation.
Mitel-RTC-Controller 129 IP address Allows to set the IP address of the call server,
useful for Mitel IP phones. For more details, refer
to vendor documentation.
Mitel-TFTP-Server 128 IP address Allows to set the IP address of the TFTP server,
useful for Mitel IP phones. For more details, refer
to vendor documentation.
Mitel-VLAN-ID 132 unsigned integer Allows to set the VLAN ID, useful for Mitel IP
between 1 and 4094 phones. For more details, refer to vendor docu-
mentation.
default-url 114 ascii string Specifies the default URL to present in a web
browser.
1332
DHCP Options
1333
DHCP Options
Vendor Nwip
All NetWare/IP Domain Name options below apply to servers, so when configuring these options,
make sure to list all the servers in order of preference. For more details, refer to the RFC2242
available on IETF website at https://tools.ietf.org/html/rfc2242.
1334
DHCP Options
Vendor MSFT
Table D.16. Vendor MSFT options
Name Code Value type Description
default-routers-ttl 3 list of IP addresses A list of 32 bit IP addresses for routers on the
client's subnet. The routers should be listed in
order of preference.
disable-netbios 1 provided by the The subnet mask for the network segment to
vendor which the client is connected.
release-on-shutdown 2 provided by the The offset of the client's subnet in seconds from
vendor Coordinated Universal Time (UTC).
1335
Appendix E. MAC Address Types
References
This appendix lists all the MAC address types used in SOLIDserver that you can display on the
page DHCP All statics both in IPv4 and IPv6. There is a set of 31 different types of MAC addresses
that you can specify when adding or editing DHCP statics. Each type corresponds to a protocol
that has been assigned a reference number defined in the IANA Address Resolution Protocol
(ARP). In the GUI, this reference adds an extra byte at the beginning of the MAC addresses listed
in the column MAC address on the page All statics. Typically, the MAC addresses listed in this
column look as follows: <1_byte_MAC_type_reference>:<6_bytes_MAC_address>.
The different types of MAC addresses can be listed separately from the MAC address itself using
the DHCP static MAC type column. This column displays two columns: the column MAC type
that displays the MAC type code (except for Ethernet that is listed in full letters) and the column
MAC address that displays the MAC address in its traditional format.
Note that every reference is listed in hexadecimal form in the wizard. Therefore, the ARP
parameter 10 (for Autonet) is listed as 0a and so forth.
1336
MAC Address Types References
1337
Appendix F. DNS Resource Records
Related Fields
This appendix provides a record per record description of the different fields to configure when
adding a resource record to a master zone. For more details regarding each record, refer to the
section Adding Resource Records.
Note that all the records supported are not supported by all DNS servers. For more details, refer
to the section Adding Resource Records.
1338
DNS Resource Records Related
Fields
1339
DNS Resource Records Related
Fields
1340
DNS Resource Records Related
Fields
1341
DNS IPAM DHCP
DHCP properties DNS properties IPAM properties
DNS IPAM properties DHCP
SPACE DHCP cluster: failover-dhcp1.mycorp.com DNS server: ns1.mycorp.com Push leases to IPAM: yes
SERVER Update IPAM: yes SERVER
America DNS view: intranet Use client name (FQDN): yes
ns1.mycorp.com Update DNS: yes dhcp1.mycorp.com DNS properties
Update DNS: yes
DNS properties
VIEW NETWORK Create a DNS reverse zone for every terminal network created: yes
BLOCK USA Default domain: mycorp.com
intranet 10.6.0.0/15 DNS server for reverse zone: ns1.mycorp.com
DNS view for reverse zone: intranet
NEW SCOPE
NEW IPAM properties NEW NETWORK SUBNET Name: New York
REVERSE NEW NETWORK SUBNET NETWORK Name: New York
ZONE ZONE 10.6.0.0/24 Gateway offset: -1 10.6.0.0/24 SCOPE
ZONE SUBNET 10.6.0.0/24 DHCP option
mycorp.com Name: routers: 10.6.0.254
0.6.10.in-addr.arpa
1342
DHCP properties NEW POOL NEW RANGE
POOL Create DHCP range: yes Name: Manhattan Name: RANGE
10.6.0.1-10.6.0.50 10.6.0.1-10.6.0.50
NEW IP ADDRESS
IP ADDRESS IP address: 10.6.0.42 NEW LEASE
RECORD RECORD TWO NEW IP Address: 10.6.0.42 ADDRESS IP address: 10.6.0.42 MAC: ab:ba:12:34:ab:ba LEASE
RECORDS Name: laptop.mycorp.com MAC: ab:ba:12:34:ab:ba Name: laptop.mycorp.com
Name: laptop.mycorp.com
Type: A Type: PTR IP: 10.6.0.42
Name: laptop.mycorp.com
NEW IP ADDRESS
NEW IP ADDRESS DHCP properties IP Address: 10.6.0.100
TWO NEW IP Address: 10.6.0.100 ADDRESS NEW STATIC
RECORD RECORD RECORDS Create DHCP static MAC address: be:ef:00:00:be:ef STATIC
Name: client.mycorp.com Name: client.mycorp.com
Type: A Type: PTR IP: 10.6.0.100 IPAM advanced properties
IP Address: 10.6.0.100 Push leases to IPAM: yes
Name: client.mycorp.com DHCP advanced properties DHCP advanced properties
On EfficientIP DHCP servers, if IPAM to DHCP, DHCP to IPAM and IPAM to DNS advanced
properties are configured, DHCP statics do not update the DNS until the client connects to the
network. When clients with static reservation connect to the network, they are allocated a lease
and that lease information is sent to the DNS to create the matching record when the IPAM is
updated.
RANGE POOL
10.6.0.1-10.6.0.50 Manhattan
10.6.0.1-10.6.0.50
NEW
STATIC IP Address: 10.6.0.10
IP Address: 10.6.0.10 MAC address: be:ef:00:00:be:ef
MAC address: be:ef:00:00:be:ef Name: <empty>
Name: <empty>
NEW IP
The client connects ADDRESS
to the network
Figure G.2. The replication of DHCP statics in the DNS for EfficientIP DHCP servers
1343
Appendix H. Configuring OpenID
Authentication
Table of Contents
Configuring OpenID Authentication for Google .............................................................. 1344
Configuring OpenID Authentication for Azure ................................................................ 1346
To authenticate external users via OpenID Connect, you must configure the authentication details
on either Google or Azure side and then on SOLIDserver side.
This configuration requires to take into account prerequisites and limitations all detailed in the
section Adding OpenID Authentication of the chapter Managing Authentication Rules.
Keep in mind that if you configure the authentication on appliances in High Availability, you must
perform both operations on each appliance.
Now that you have configured the application and retrieved the client ID and secret, you can
configure the authentication on SOLIDserver.
1344
Configuring OpenID Authentication
Users with administrative rights over SSH connections to SOLIDserver must create and configure
the file ext-identity.inc, it incorporates authentication details directly in the configuration of the
service Apache, or httpd.
Keep in mind that there is a validation check for this file, and any invalid configuration may prevent
the service from running properly or prevent you from accessing the GUI altogether.
<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client-id>
OIDCClientSecret <secret>
OIDCRedirectURI https://<solidserver>.int.efficientip.com/auth/redirect_uri
OIDCCryptoPassphrase <passphrase>
OIDCScope "openid email"
OIDCSessionInactivityTimeout 900
OIDCCacheType file
</IfDefine>
3. Make sure the whole configuration file is still viable using the command:
apachectl configtest
If no errors are returned and the file syntax is OK, go to the next step. If not, you must edit
the content of the included file(s) because you might no longer be able to access or GUI or
prevent the service from running.
4. Once the configuration is OK, restart the Apache daemon to take into account your changes
with the command:
apachectl restart
1345
Configuring OpenID Authentication
When the file is ready, you can add the OpenID authentication rule and complete the authentic-
ation. For more details, refer to the section Adding the OpenID Authentication Rule in the chapter
Managing Authentication Rules.
Keep in mind that if you configure the authentication on appliances in High Availability, you must
perform both operations on each appliance.
Now that you have configured the application and retrieved the tenant ID, client ID and client
secret, you can configure the authentication on SOLIDserver.
1346
Configuring OpenID Authentication
Users with administrative rights over SSH connections to SOLIDserver must create and configure
a file ext-identity.inc, that you must name it incorporates authentication details directly in the
configuration of the service Apache, or httpd.
Keep in mind that there is a validation check for this file, and any invalid configuration may prevent
the service from running properly or prevent you from accessing the GUI altogether.
<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so
OIDCProviderMetadataURL
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
OIDCClientID <client-id>
OIDCClientSecret <secret>
OIDCRedirectURI https://<solidserver>.int.efficientip.com/auth/redirect_uri
OIDCCryptoPassphrase <passphrase>
OIDCScope "openid profile email"
OIDCSessionInactivityTimeout 900
OIDCCacheType file
</IfDefine>
3. Make sure the whole configuration file is still viable using the command:
apachectl configtest
If no errors are returned and the file syntax is OK, go to the next step. If not, you must edit
the content of the included file(s) because you might no longer be able to access or GUI or
prevent the service from running.
4. Once the configuration is OK, restart the Apache daemon to take into account your changes
with the command:
apachectl restart
When the file is ready, you can add the OpenID authentication rule and complete the authentic-
ation. For more details, refer to the section Adding the OpenID Authentication Rule in the chapter
Managing Authentication Rules.
1347
Appendix I. User Tracking Services Filter
This appendix provides a list of the available filters of the drop-down list Services on the page
User Tracking. For more details regarding this page, refer to the section Monitoring from User
Tracking.
1348
User Tracking Services Filter
Service Description
Add: IPv4 networks All the IPv4 network additions and editions.
Add: IPv6 networks All the IPv6 network additions and editions.
Delete: IPv4 networks All the IPv4 network deletions.
Delete: IPv6 networks All the IPv6 network deletions.
Pool All the pool related operations.
Add: IPv4 pools All the IPv4 pool additions and editions.
Add: IPv6 pools All the IPv6 pool additions and editions.
Delete: IPv4 pools All the IPv4 pool deletions.
Delete: IPv6 pools All the IPv6 pool deletions.
Address All the IP address related operations.
Add: IPv4 addresses All the IPv4 address additions and editions.
Add: IPv6 addresses All the IPv6 address additions and editions.
Delete: IPv4 addresses All the IPv4 address deletions.
Delete: IPv6 addresses All the IPv6 address deletions.
Alias All the aliases related operations.
Add: aliases to IPv4 addresses All the IPv4 alias additions and editions.
Add: aliases to IPv6 addresses All the IPv6 alias additions and editions.
Delete: Pv4 addresses aliases All the IPv4 alias deletions.
Delete: IPv6 addresses aliases All the IPv6 alias deletions.
DNS All the DNS related operations
DNS server All the DNS server related operations.
Add: DNS servers All the DNS server additions and editions.
Delete: DNS servers All the DNS server deletions.
DNS zone All the DNS zone related operations.
Add: DNS zones All the DNS zone additions and editions.
Delete: DNS zones All the DNS zone deletions.
DNS RR All the DNS record related operations.
Add: DNS RRs All the DNS record additions and editions.
Delete: DNS RRs All the DNS record deletions.
Guardian All the Guardian related operations
Policy All the policy related operations.
Add: policies All the policy additions and editions.
Delete: policies All the policy deletions.
Trigger All the trigger related operations.
Add: triggers All the trigger additions and editions.
Delete: triggers All the trigger deletions.
Guardian parameters All the guardian parameter additions.
Application All the Application related operations
Application All the application related operations.
Add: applications All the application additions and editions.
Delete: applications All the application deletions.
Pool All the pool related operations.
Add: pools All the pool additions and editions.
1349
User Tracking Services Filter
Service Description
Delete: pools All the pool deletions.
Node All the node related operations.
Add: nodes All the node additions and editions.
Delete: nodes All the node deletions.
NetChange All the NetChange related operations
Network device All the network device related operations.
Add: network devices All the network device additions.
Edit: network devices All the network device editions.
Delete: network devices All the network device deletions.
Edit: ports properties All the port property editions.
VLAN All the VLAN related operations.
Add: VLANs All the VLAN additions.
Delete: VLANs All the VLAN deletions.
Add: a VLAN to a port All the additions of VLAN to a port.
Delete: a VLAN from a port All the deletions of VLAN from a port.
Identity Manager All the Identity Manager related operations
Add: directories All the directory additions and editions.
Delete: directories All the directory deletions.
Rule All the rule related operations
Add: rules All the rule additions and editions.
Delete: rules All the rule deletions.
Group All the group of users related operations
Add: groups All the group of users additions and editions.
Delete: groups All the group deletions.
Add: user as group resource All the additions of users as resource of a group.
Remove: user from group resource All the deletions of users from the resources of a group.
User All the users related operations
Add: users All the user additions and editions.
Delete: users All the user deletions.
System All the system related operations
Install: Packages All the operations related to package installation.
Uninstall: Packages All the operations related to package uninstallation.
Generate: SSL certificates All the operations related to SSL certificates generation.
Delete: files uploaded to Local Files Listing All the deletion operations of files uploaded to Local Files Listing.
Upload: files to Local Files Listing All the upload operations of files to Local Files Listing.
Edit: Remote archive All the remote archive editions.
Activate: database key All the database key activations.
Deactivate: database key All the database key deactivations.
Generate: database key All the database key generations.
Import: database keys All the database keys imports.
Download: database key file All the database key file downloads.
License All the license related operations
Add: license All the license additions and editions.
1350
User Tracking Services Filter
Service Description
Delete: license All the license deletions.
Class All the Class Studio related operations
Add: classes All the class additions and editions.
Delete: classes All the class deletions.
Gadgets All the gadgets related operations
Add: gadgets to dashboards All the additions of gadgets to dashboards.
Delete: gadgets from dashboards All the deletions of gadgets from dashboards.
Bookmarks All the bookmarks related operations
Add: bookmarks All the bookmark additions and editions.
Delete: bookmarks All the bookmark deletions.
Alert Definition All the alert definition related operations
Add: alert definitions All the alert definition additions and editions.
Delete: alert definitions All the alert definition deletions.
Workflow All the workflow related operations
Add: requests All the request additions and editions.
Delete: requests All the request deletions.
Custom DB All the custom DB related operations
Custom database All the custom database related operations.
Add: custom databases All the custom database additions and editions.
Delete: custom databases All the custom database deletions.
Custom data All the custom data related operations.
Add: data to a custom database All the additions of data to a custom database.
Delete: data from a custom database All the deletions of data from custom database.
1351
Appendix J. SNMP Metrics
Table of Contents
Prerequisites ............................................................................................................... 1352
Understanding the SNMP Metrics Presentation ............................................................. 1353
Retrieving SNMP Metrics via CLI .................................................................................. 1353
Monitoring the Hardware .............................................................................................. 1354
Monitoring the System ................................................................................................. 1356
Monitoring the DHCP Service ...................................................................................... 1360
Monitoring the DNS Service ......................................................................................... 1361
Monitoring DNS Guardian ............................................................................................ 1364
This appendix provides a list of the most relevant indicators, the SNMP metrics, you can monitor
from an external solution.
The SNMP metrics are detailed in Management Information Bases (MIB) that formally describe
the network objects you can monitor. The MIB content is hierarchized thanks to a suite of numbers
called Object IDentifiers (OID). All the OIDs of a MIB are organized like a tree of information with
common trunks appended by unique ends that refer to a specific node, a unique set of information.
Each OID node can therefore match a network object, such as the status of a power supply, or
a specific property of the network object, like a variable name or values.
This appendix includes proprietary, IANA, IEEE and IETF managed MIBs:
• IDRAC-MIB
• UCD-SNMP-MIB
• HOST-RESOURCES-MIB
• IF-MIB
• EIP-STATS
• EIP-DNSGUARDIAN
• EIP-MON-MIB
Prerequisites
• Have an Internet connection and your credentials ready to download the files *.mib on our
website, at https://downloads.efficientip.com/support/downloads/MIBs/. If you do not have
credentials yet, request them at www.efficientip.com/support-access.
• From SOLIDserver, you must configure the SNMP agent with an access list using either
community strings in SNMP v1/v2c, or authentication credentials in SNMP v3.
By default, a v1/v2c profile exists with the community string public. For more details, refer
to the section Managing the SNMP Service.
1352
SNMP Metrics
• From the SNMP collector's side, you must use SNMP v2c or v3 and configure the external
monitoring solution to ensure it can access SOLIDserver SNMP agent and leverage the
metrics that you need.
Once your system is properly configured, you can set various SNMP alerts on SOLIDserver objects
to be notified of any unusual behavior. For more details, refer to the chapter Managing Alerts.
The asterisk represents subsets, for which, the default value of the first object can be 0 or 1. In
the case of the OID 1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.*, if you have two power supply units:
• You can specify 1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.0 to retrieve the status of the first
supply unit, or
• You can specify 1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 to retrieve the status of the second
one.
In the following example, we execute the command snmpget via SNMP v2c with the community
string public to retrieve the OID .1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 (the status of the first
power supply) and the value 3 (the status ok). This OID is described the IDRAC-MIB:
snmpget -v2c -c public -On<host-IP-address>
.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 = INTEGER: 3
You can also use the command snmpwalk to search and list information of all the objects in a
particular subset. Here, requesting .1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1 returns the status of
two power supplies:
snmpwalk -v2c -c public -On<host-IP-address>
.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 = INTEGER:
3.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.2 = INTEGER: 3
1353
SNMP Metrics
Power Unit
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
Power Redundancy
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
Power Supply
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
CPU
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
1354
SNMP Metrics
Memory
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
Virtual Disk
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
Physical Disk
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
Temperature
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
Fan
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.
1355
SNMP Metrics
CPU(s) Load
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.
Memory Usage
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.
1
https://github.com/centreon/centreon-plugins
1356
SNMP Metrics
Swap Usage
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.
Disk IO
SOLIDserver is deployed on top of the physical RAID controller. In the ucdDiskIOMIB, diskIOTable
lists all available devices.
The RAID virtual drive should be identified by the following names: ad[0-9], ada[0-9], mfid[0-9].*.
Other listed devices should be ignored.
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.
1357
SNMP Metrics
.1.3.6.1.4.1.2021.13.15.1.1.6.*
Variable name: diskIOWrites Type: integer
Description: The number of write accesses to the device(s) since boot.
Disk Usage
Usage should remain under 80% for each mount point's total disk size entry, i.e. the system paths
/, /dev, /tmp, /var, /proc or /data1.
All the OIDs described in this section are part of the MIB extension HOST-RESOURCES-MIB.
Network Traffic
Any NIC with ifAdminStatus set to up (i.e. 1) should also have an ifOperStatus set to up (i.e. 1).
Any sudden and rapid increase in the metrics of discard or error packet count should be noticed.
All the OIDs described in this section are part of the MIB extension IF-MIB.
1358
SNMP Metrics
Description: The NIC operational status, i.e. the current operational state of the interface. The testing state
(i.e. 3) indicates that no operational packets can be passed.
Expected values: Should be down (i.e. 2) if ifAdminStatus is down (i.e. 2). If ifAdminStatus is up (i.e. 1),
ifOperStatus should be up (i.e. 1) when the interface is ready to transmit or receive network traffic, and
dormant (i.e. 5) when the interface is waiting for external actions (such as a serial line waiting for an incoming
connection). The NIC remains down (i.e. 2) only if there is a fault that prevents it from being up (i.e. 1): it
should be in the notPresent (i.e. 6) state if the interface has missing, usually hardware, components.
.1.3.6.1.2.1.2.2.1.10.*
Variable name: ifInOctets Type: integer
Description: The total traffic received through the interface, including framing characters, in bytes.
.1.3.6.1.2.1.2.2.1.16.*
Variable name: ifOutOctets Type: integer
Description: The total traffic transmitted out of the interface, including framing characters, in bytes.
.1.3.6.1.2.1.2.2.1.13.*
Variable name: ifInDiscards Type: integer
Description: The number of inbound packets which were chosen to be discarded even though no errors
had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for
discarding such a packet could be to free up buffer space.
.1.3.6.1.2.1.2.2.1.19.*
Variable name: ifOutDiscards Type: integer
Description: The number of outbound packets which were chosen to be discarded even though no errors
had been detected to prevent their being transmitted. One possible reason for discarding such a packet
could be to free up buffer space.
.1.3.6.1.2.1.2.2.1.14.*
Variable name: ifInErrors Type: integer
Description: The number of inbound packets that contained errors preventing them from being deliverable
to a higher-layer protocol. For character- oriented or fixed-length interfaces, the number of inbound trans-
mission units that contained errors preventing them from being deliverable to a higher-layer protocol.
.1.3.6.1.2.1.2.2.1.20.*
Variable name: ifOutErrors Type: integer
Description: The number of outbound packets that could not be transmitted because of errors. For char-
acter-oriented or fixed-length interfaces, the number of outbound transmission units that could not be
transmitted because of errors.
Running Processes
SOLIDserver relies on several processes to operate:
• IPMServer, Postgres and HTTPd should always be running on the monitored SOLIDserver.
• DHCPd should be listed in the hrSWRunName table when running the DHCP service on the
monitored SOLIDserver.
• Named should be listed in the hrSWRunName table when running the DNS service on the
monitored SOLIDserver. Exception is made for the Hybrid DNS engine where Named (both
authoritative and recursive) can be replaced by NSD (authoritative) or Unbound (recursive).
All the OIDs described in this section are part of the MIB extension HOST-RESOURCES-MIB.
1359
SNMP Metrics
Description: The process name, i.e. a textual description of the process, including the manufacturer, revision,
and the name by which it is commonly known.
.1.3.6.1.2.1.25.4.2.1.4.<PID>
Variable name: hrSWRunPath Type: octetstring
Description: The process binary path, i.e. a description of the location on long-term storage, e.g. a disk
drive, from which the process was loaded.
The EfficientIP proprietary MIB EIP-STATS references values as Integers, yet, they represent
counters. As in any counter, when the previous value is greater than the current one, this means
that the counter has either looped or has been reset.Therefore, itâ s necessary to interpret these
values properly:
DHCP service
All the OIDs described in this section are part of the MIB extension EIP-STATS.
2
MAX Signed INT = 2147483647
3
MIN Signed INT = -2147483648
1360
SNMP Metrics
.1.3.6.1.4.1.2440.1.3.2.22.1.3.7.114.101.113.117.101.115.116
Variable name: request Type: integer
Description: The number of REQUEST messages received.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.8.100.105.115.99.111.118.101.114
Variable name: discover Type: integer
Description: The number of DISCOVER messages received.
The EfficientIP proprietary MIB EIP-STATS references values as Integers, yet, they represent
counters. As in any counter, when the previous value is greater than the current one, this means
that the counter has either looped or has been reset.Therefore, itâ s necessary to interpret these
values properly:
4
MAX Signed INT = 2147483647
5
MIN Signed INT = -2147483648
1361
SNMP Metrics
Description: The number of queries sent to external forwarder or authoritative servers using IPv6 for res-
olution.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.114.101.99.117.114.115.105.111.110
Variable name: recursion Type: integer
Description: The number of queries requiring recursion.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.10.114.101.99.117.114.115.101.114.101.106
Variable name: recurserej Type: integer
Description: The number of rejected queries requiring recursion.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.100.117.112.108.105.99.97.116.101
Variable name: duplicate Type: integer
Description: The number of duplicate queries received.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.100.114.111.112.112.101.100
Variable name: dropped Type: integer
Description: The number of dropped queries.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.114.101.115.95.114.101.116.114.121
Variable name: res_retry Type: integer
Description: The number of queries retried on external forwarder or authoritative servers.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.8.114.101.115.112.111.110.115.101
Variable name: response Type: integer
Description: The number of responses sent.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.14.114.101.115.95.114.101.115.112.111.110.115.101.118.52
Variable name: res_responsev4 Type: integer
Description: The number of responses from external forwarder or authoritative servers using IPv4.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.14.114.101.115.95.114.101.115.112.111.110.115.101.118.54
Variable name: res_responsev6 Type: integer
Description: The number of responses from external forwarder or authoritative servers using IPv6.
1362
SNMP Metrics
Description: The number of recursive queries with latency >= 800ms & < 1600ms.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.53
Variable name: res_queryrtt5 Type: integer
Description: The number of recursive queries with latency >= 1600ms.
1363
SNMP Metrics
Each section describes OIDs regarding DNS Guardian cache and the cache of the its views. The
only way of monitoring DNS Guardian views is to know their identifier (ID). In the tables below
we provide the OIDs until the <view-ID> that you must provide as it depends on your configuration.
<view-ID> is an integer between 0 and 7.
DNS Guardian metrics should be graphed over time for troubleshooting purposes.
Cache Size
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.
Client Size
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.
1364
SNMP Metrics
Cache Statistics
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.
1365
SNMP Metrics
.1.3.6.1.4.1.2440.1.11.2.3.1.37.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheHitQuarantine Type: counter64
Description: The total number of cache hits in Quarantine mode in the cache of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.34.0
Variable name: eipDNSGUARDIANStatCacheMissQuarantine Type: counter64
Description: The total number of cache misses in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.34.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissQuarantine Type: counter64
Description: The total number of cache misses in Quarantine mode in the cache of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.35.0
Variable name: eipDNSGUARDIANStatCacheMissExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache because the related entry has expired
in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.35.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry has expired in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.4.36.0
Variable name: eipDNSGUARDIANStatCacheMissNotExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache because the related entry doesn't exist
in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.36.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissNotExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry doesn't exist in Quarantine mode.
1366
SNMP Metrics
.1.3.6.1.4.1.2440.1.11.2.3.1.41.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissExistRescue Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry has expired in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.4.42.0
Variable name: eipDNSGUARDIANStatCacheMissNotExistRescue Type: counter64
Description: The total number of queries that did not hit the cache because the related entry doesn't exist
in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.42.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissNotExistRescue Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry doesn't exist in Rescue mode.
Filters Statistics
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.
1367
SNMP Metrics
1368
SNMP Metrics
1369
SNMP Metrics
Description: The number of successful queries, returning the message NOERROR (RCODE: 0).
.1.3.6.1.4.1.2440.1.11.2.3.1.101.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOERROR Type: counter64
Description: The number of successful queries matching the specified view, returning the message NO-
ERROR (RCODE: 0).
.1.3.6.1.4.1.2440.1.11.2.4.102.0
Variable name: eipDNSGUARDIANStatReplyFORMERR Type: counter64
Description: The number of queries with a wrong format, returning the message FORMERR (RCODE: 1).
.1.3.6.1.4.1.2440.1.11.2.3.1.102.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyFORMERR Type: counter64
Description: The number of queries matching the specified view with a wrong format, returning the message
FORMERR (RCODE: 1).
.1.3.6.1.4.1.2440.1.11.2.4.103.0
Variable name: eipDNSGUARDIANStatReplySERVFAIL Type: counter64
Description: The number of queries the server failed to complete, returning the message SERVFAIL
(RCODE: 2).
.1.3.6.1.4.1.2440.1.11.2.3.1.103.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplySERVFAIL Type: counter64
Description: The number of queries matching the specified view the server failed to complete, returning
the message SERVFAIL (RCODE: 2).
.1.3.6.1.4.1.2440.1.11.2.4.104.0
Variable name: eipDNSGUARDIANStatReplyNXDOMAIN Type: counter64
Description: The number of queries where the domain name does not exist, returning the message
NXDOMAIN (RCODE: 3).
.1.3.6.1.4.1.2440.1.11.2.3.1.104.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNXDOMAIN Type: counter64
Description: The number of queries matching the specified view where the domain name does not exist,
returning the message NXDOMAIN (RCODE: 3).
.1.3.6.1.4.1.2440.1.11.2.4.105.0
Variable name: eipDNSGUARDIANStatReplyNOTIMP Type: counter64
Description: The number of queries for which the server did not implement the function, returning the
message NOTIMP (RCODE: 4).
1.3.6.1.4.1.2440.1.11.2.3.1.105.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOTIMP Type: counter64
Description: The number of queries matching the specified view for which the server did not implement
the function, returning the message NOTIMP (RCODE: 4).
.1.3.6.1.4.1.2440.1.11.2.4.106.0
Variable name: eipDNSGUARDIANStatReplyREFUSED Type: counter64
Description: The number of queries the server refused to answer, returning the message REFUSED
(RCODE: 5).
1.3.6.1.4.1.2440.1.11.2.3.1.106.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyREFUSED Type: counter64
Description: The number of queries matching the specified view the server refused to answer, returning
the message REFUSED (RCODE: 5).
.1.3.6.1.4.1.2440.1.11.2.4.107.0
Variable name: eipDNSGUARDIANStatReplyYXDOMAIN Type: counter64
Description: The number of queries for which the name exists when it should not, returning the message
YXDOMAIN (RCODE: 6).
1370
SNMP Metrics
.1.3.6.1.4.1.2440.1.11.2.3.1.107.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyYXDOMAIN Type: counter64
Description: The number of queries matching the specified view for which the name exists when it should
not, returning the message YXDOMAIN (RCODE: 6).
.1.3.6.1.4.1.2440.1.11.2.4.108.0
Variable name: eipDNSGUARDIANStatReplyYXRRSET Type: counter64
Description: The number of queries for which the RR set exists when it should not, returning the message
YXRRSET (RCODE: 7).
.1.3.6.1.4.1.2440.1.11.2.3.1.108.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyYXRRSET Type: counter64
Description: The number of queries matching the specified view for which the RR set exists when it should
not, returning the message YXRRSET (RCODE: 7).
.1.3.6.1.4.1.2440.1.11.2.4.109.0
Variable name: eipDNSGUARDIANStatReplyNXRRSET Type: counter64
Description: The number of queries for which the RR set should exist but does not, returning the message
NXRRSET (RCODE: 8).
.1.3.6.1.4.1.2440.1.11.2.3.1.109.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNXRRSET Type: counter64
Description: The number of queries matching the specified view for which the RR set should exist but
does not, returning the message NXRRSET (RCODE: 8).
.1.3.6.1.4.1.2440.1.11.2.4.120.0
Variable name: eipDNSGUARDIANStatReplyNOTAUTH Type: counter64
Description: The number of queries for which the server is not authoritative for the zone, returning the
message NOTAUTH (RCODE: 9).
.1.3.6.1.4.1.2440.1.11.2.3.1.120.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOTAUTH Type: counter64
Description: The number of queries matching the specified view for which the server is not authoritative
for the zone, returning the message NOTAUTH (RCODE: 9).
.1.3.6.1.4.1.2440.1.11.2.4.121.0
Variable name: eipDNSGUARDIANStatReplyNOTZONE Type: counter64
Description: The number of queries for which the name is not in the zone, returning the message NOTZONE
(RCODE: 10).
.1.3.6.1.4.1.2440.1.11.2.3.1.121.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOTZONE Type: counter64
Description: The number of queries matching the specified view for which the name is not in the zone,
returning the message NOTZONE (RCODE: 10).
1371
Appendix K. Class Studio Pre-defined
Variables
This appendix details how to configure a class with pre-defined variables. For more details re-
garding classes and all other class objects, refer to the chapter Configuring Classes.
1372
Class Studio Pre-defined Variables
• In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington'", that allows
to only display the class object if your condition is matched. Note that the condition can
only be taken into account if the value of the class object has already been saved in the
wizard, either via inheritance or because it is located after a Jump to page.
You can set multiple conditions but they must be separated by boolean connectors.
PNG
8. Click on OK to complete the operation. The object is now embedded into the class and listed
in the creation panel.
original
Now you must click on to save the class configuration or to undo the object addition.
You can keep adding other class objects to the same class but if you exit Class Editor without
saving, your changes are lost.
1373
Class Studio Pre-defined Variables
1374
Class Studio Pre-defined Variables
Note that if you set this variable on a non-terminal subnet-type network, it only applies to the network itself, it
does not apply to the networks it contains.
Module IPAM
Type Network, Network (v6). Only for subnet-type networks.
Configuration details
Network level Select a value between 0 (block-type networks) and 15 (subnet-type networks). It defines
at which level of network organizations you force the prefix set in the Value.
Value <number> to specify the prefix of your choice, 0 to disable it.
1375
Class Studio Pre-defined Variables
1376
Appendix L. Configuring RADIUS
Table of Contents
Configuring FreeRADIUS ............................................................................................. 1377
Configuring RADIUS with Cisco ACS ............................................................................ 1378
Configuring OneTime Password with Token Authentication ............................................. 1379
Configuring FreeRADIUS
If you intend to authenticate users via RADIUS, you can configure FreeRadius to retrieve your
groups of users. Once FreeRadius is configured, do not forget to add the RADIUS users authen-
tication rule as detailed in the section Adding RADIUS Authentication Rules.
1377
Configuring RADIUS
dictionary.efficientip
#Dictionnary for efficientip
BEGIN-VENDOR efficientip
END-VENDOR efficientip
clients.conf
client SDS-1000 {
ipaddr = 192.168.100.100
secret = abc123
}
users
localuser Cleartext-Password := "Password123"
efficientip-groups = "mygroup",
In this command, the number 5 is an unused ACS RADIUS vendor slot number and efficien-
tip.ini is the name of the EfficientIP RADIUS vendor/VSA import file you created earlier.
4. Press Enter. A CSUtil.exe confirmation prompt appears.
5. Confirm that you want to add the RADIUS vendor and halt all ACS services during the pro-
cess, type in Y and press Enter. CSUtil.exe halts ACS services, parses the vendor/VSA input
file, and adds the new RADIUS vendor and VSAs to ACS. This process may take a few
minutes. After it is complete, CSUtil.exe restarts ACS services.
Example of an import file "efficientip.ini" for RADIUS vendor/VSA where EfficientIP is set
as a vendor and 2440 is the IETF code number:
[User Defined Vendor] Name=EfficientIP IETF Code=2440
VSA 1=efficientip-version
1378
Configuring RADIUS
VSA 2=efficientip-service-class
VSA 3=efficientip-identity-type
VSA 16=efficientip-first-name
VSA 17=efficientip-last-name
VSA 18=efficientip-pseudonym
VSA 19=efficientip-ip-host
VSA 20=efficientip-email
VSA 32=efficientip-first-login-path
VSA 33=efficientip-maintainer-group
VSA 34=efficientip-groups
VSA 35=efficientip-admin-group
VSA 64=efficientip-extra-blob
[efficientip-version]
Type=INTEGER
Profile=OUT
[efficientip-service-class]
Type=INTEGER
Profile=OUT
[efficientip-identity-type]
Type=INTEGER
Profile=OUT
[efficientip-first-name]
Type=STRING
Profile=OUT
[efficientip-last-name]
Type=STRING
Profile=OUT
[efficientip-pseudonym]
Type=STRING
Profile=OUT
[efficientip-ip-host]
Type=STRING
Profile=OUT
[efficientip-email]
Type=STRING
Profile=OUT
[efficientip-first-login-path]
Type=STRING
Profile=OUT
[efficientip-maintainer-group]
Type=STRING
Profile=OUT
[efficientip-groups]
Type=STRING
Profile=MULTI OUT
[efficientip-admin-group]
Type=STRING
Profile=OUT
[efficientip-extra-blob]
Type=STRING
Profile=OUT
SOLIDserver caches the credentials to authenticate every user operation. When the cache expires,
SOLIDserver uses the cached credentials to generate and send a new authentication request to
the RADIUS server. If this request fails, the user is disconnected.
1379
Configuring RADIUS
To control when the client is disconnected, a set of registry database entries allow to define for
how long SOLIDserver should cache the data:
1. You can either define for how long SOLIDserver should cache passwords, as detailed in the
section Caching OTP Credentials For a Certain Time.
2. Or you can make sure that the cache does not expire while the user is active, as detailed in
the section Renewing Cached OTP Credentials for Logged Users.
Prerequisites
• Configuring RADIUS authentication rule. For more details, refer to the section Adding RADIUS
Authentication Rules.
• Belonging to a group admin, the only group that can access to the page Registry database.
If you would rather edit one key and ensure your users are not disconnected while their session
is active, refer to the section Renewing Cached OTP Credentials for Logged Users.
1380
Configuring RADIUS
To edit the registry key that renews cached credentials while the session is active
1381
Appendix M. Using Remote
Authentication for SSH Connections to
SOLIDserver
Table of Contents
Configuring LDAP Authentication for SSH Connections .................................................. 1382
Configuring RADIUS Authentication for SSH Connections .............................................. 1387
EfficientIP allows to configure SOLIDserver to use LDAP authentication for Secure Shell connec-
tions. This configuration allows to grant existing LDAP users access to as many SOLIDserver
appliances as you want.
Prerequisites
• An LDAP server properly configured and running.
• The LDAP server and SOLIDserver must be set at the same time.
• Make sure the LDAP server is on time.
• Configure NTP servers on SOLIDserver. If you want LDAP authentication for several
SOLIDserver appliances, the NTP must be configured on every appliance. For more details,
refer to the section Configuring NTP Servers.
• To set up the LDAP authentication for several appliances, you must:
1. Configure the authentication from the managing SOLIDserver.
2. Once the configuration is complete, apply it the remote appliance(s).
Specificities
The configuration of LDAP authentication for SSH connections:
• Must be done via CLI.
• Must be done locally from a SOLIDserver Management appliance. When the configuration is
complete, you can apply it to the remote SOLIDserver appliance(s) you manage.
1382
Using Remote Authentication for
SSH Connections to SOLIDserver
On appliances configured in High Availability, the Hot Standby automatically replicates the
configuration.
• Allows to grant access to SOLIDserver to existing LDAP users, there is no need to edit
SOLIDserver local user or group of users database. That way, if your LDAP server is not re-
sponding, local users with sufficient rights can still access the appliance via SSH.
# Specify for the following attributes the name of the LDAP user class that can access SOLIDserver.
pam_filter objectclass=<userclass>
nss_map_objectclass posixAccount <userclass>
# Specify for the following attributes the name of the attribute of the selected user class
# that contains the user login.
pam_login_attribute <login-attribute>
nss_map_attribute uid <login-attribute>
# If the specified user class is not already set with the attributes: uidNumber, gidNumber,
# loginShell, homeDirectory.
# You must specify for the following attributes the name of the attribute of the selected user
# class that contains the users uidNumber and gidNumber.
nss_map_attribute uidNumber <UnixUID-attribute>
nss_map_attribute gidNumber <UnixGID-attribute>
# You can specify for the following attributes the name of the attribute of the selected user
# that contains the loginShell and homeDirectory used to connect to your appliance.
# These attributes are optional, so if you do not want to set them either comment the lines or
# do not include them at all. These attributes cannot be declared without value.
nss_map_attribute loginShell <attribute-containing-the-shell-you-connect-to>
nss_map_attribute homeDirectory <attribute-containing-the-path-to-the-directory-"home">
# Set the level of permissions of the LDAP users accessing SOLIDserver via SSH.
# If you set the value of the example below, you grant administrative rights to all the users
# belonging to the classes specified with "pam_filter" and "nss_map_objectclass".
nss_override_attribute_value uidNumber 1001
nss_override_attribute_value gidNumber 1000
nss_override_attribute_value homeDirectory /data1/users/admin
nss_override_attribute_value loginShell /bin/csh
4. Edit the file /data1/etc/ldap.secret to insert your own LDAP password for the account root-
binddn using the following command:
% emacs /data1/etc/ldap.secret
1383
Using Remote Authentication for
SSH Connections to SOLIDserver
# Edit the value of "passwd" to retrieve LDAP data. Initial value: "passwd: compat"
passwd: files ldap
# Comment the line "passwd_compat: nis"
# passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# Add the following line to specify that LDAP is used for authentication.
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth sufficient pam_unix.so no_warn try_first_pass
1384
Using Remote Authentication for
SSH Connections to SOLIDserver
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
# Add the following line to specify that you want the credentials to be verified via LDAP.
account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail
ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Once you edited the files ldap.conf, nsswitch.conf and pam.d/sshd, follow the procedure below.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BEGIN-VENDOR efficientip
1385
Using Remote Authentication for
SSH Connections to SOLIDserver
END-VENDOR efficientip
Once you edited the the LDAP communication settings, you need to make sure the configuration
is properly set.
This command returns the list of all the users that can connect via SSH. All local, LDAP
and/or RADIUS users are listed as follows:
<username>:*:1001:1000:admin:/data1/users/admin:/bin/csh
Once you edited the made sure the configuration is properly set, you need to apply the configur-
ation to remote appliances.
Before applying the configuration, refer to the section Making Sure the Configuration is Properly
Set to ensure you are not pushing an erroneous configuration on your network. If the configuration
is incorrect, pushing it might prevent you from connecting to the remote appliance(s) via SSH.
To apply the local LDAP authentication configuration for SSH to remote appliances
1. Open a browser.
2. Connect to the SOLIDserver management appliance you configured using its IP address or
hostname.
3. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
4. In the section System, click on the button Centralized Management. The page Centralized
Management opens.
5. Tick the remote appliance(s) to which you want to apply the local LDAP authentication.
6. In the menu, select Tools > Push local LDAP/RADIUS configuration. The wizard Push
the local LDAP/RADIUS authentication opens.
7. Click on OK to complete the operation. The report opens and closes. The page Centralized
Management is visible again.
1386
Using Remote Authentication for
SSH Connections to SOLIDserver
Prerequisites
• A RADIUS server properly configured and running.
• The RADIUS server and SOLIDserver must be set at the same time.
• To set up the RADIUS authentication for several appliances, you must:
1. Configure the authentication from the managing SOLIDserver.
2. Once the configuration is complete, apply it the remote appliance(s).
• The user must exist on SOLIDserver.
Specificities
The configuration of RADIUS authentication for SSH connections:
• Must be done via CLI.
• Must be done locally from a SOLIDserver Management appliance. When the configuration is
complete, you can apply it to the remote SOLIDserver appliance(s) you manage.
On appliances configured in High Availability, the Hot Standby automatically replicates the
configuration.
• If your RADIUS server is not responding, local users with sufficient rights can still access the
appliance via SSH.
The edited file should include the RADIUS server IP address, secret key, timeout in seconds
and the maximum number of attempts, as follows: <radius_server_ip>:<port> <secret_key>
1
For more details, refer to the radius.conf Linux man page available at https://linux.die.net/man/5/radius.conf.
1387
Using Remote Authentication for
SSH Connections to SOLIDserver
<timeout> <maximum_attempts>. Not indicating the port, as in the example below, automat-
ically sets it to the default RADIUS port:
#radius_server_ip:port secret_key timeout maximum_attempts
1.2.3.4 RadiusSecretKey 3
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# Radius authentication
auth sufficient pam_radius.so
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
If you want a user to connect in SSH only via RADIUS authentication, make sure that his password
is empty. Such user cannot log in using SSH any other way than using RADIUS since, by default,
the server does not allow login to accounts with an empty password.
Any user added to the list will be able to connect SOLIDserver using the secret key configured
in the section Editing the RADIUS Configuration for SSH Daemon.
1388
Using Remote Authentication for
SSH Connections to SOLIDserver
Note that, as a best practice, setting a uid above 10000 allows to easily identify "Radius-only
users".
Once you edited the RADIUS users list, you need to make sure the configuration is properly set.
This command returns the list of all the users that can connect via SSH. All local, LDAP
and/or RADIUS users are listed as follows:
<username>:*:1001:1000:admin:/data1/users/admin:/bin/csh
Once you edited the made sure the configuration is properly set, you need to apply the configur-
ation to remote appliances.
Before applying the configuration, refer to the section Making Sure the Configuration is Properly
Set to ensure you are not pushing an erroneous configuration on your network. If the configuration
is incorrect, pushing it might prevent you from connecting to the remote appliance(s) via SSH.
1389
Using Remote Authentication for
SSH Connections to SOLIDserver
5. Tick the remote appliance(s) to which you want to apply the local RADIUS authentication.
6. In the menu, select Tools > Push local LDAP/RADIUS configuration. The wizard Push
the local LDAP/RADIUS authentication opens.
7. Click on OK to complete the operation. The report opens and closes. The page Centralized
Management is visible again.
1390
Appendix N. Configuring Non-Supported
Options
Table of Contents
Prerequisites ............................................................................................................... 1391
Limitations .................................................................................................................. 1392
Configuring Non-Supported Firewall Rules .................................................................... 1393
Configuring Non-Supported Apache Settings ................................................................ 1396
Configuring Non-Supported Unbound Settings .............................................................. 1398
Configuring Non-Supported NSD Settings .................................................................... 1400
Configuring Non-Supported BIND Settings ................................................................... 1402
Configuring Non-Supported SNMP Settings .................................................................. 1406
Configuring Non-Supported DHCP Configurations ......................................................... 1408
Configuring Non-Supported NTP Settings ..................................................................... 1410
Configuring Non-Supported syslog-ng Settings ............................................................. 1411
Configuring Non-Supported PostgreSQL Settings ......................................................... 1412
Administrators can incorporate options - configurations, settings - that are not supported by
SOLIDserver via CLI.
You can set non-supported configurations for: firewall rules and options for the services Apache,
Unbound, NSD, BIND, SNMP, DHCP, NTP, syslog-ng and PostgreSQL.
Prerequisites
• SOLIDserver in version 6.0.1 or greater.
• Configuring local servers: DHCP EfficientIP servers, DNS EfficientIP servers or Hybrid DNS
servers.
• The service you want to configure must be running.
• The user configuring the non-supported options must have:
• Administrative rights over SSH connections to SOLIDserver.
• A good understanding of the environment and of the services configuration file, syntax and
options.
• Checking the changes before applying them to the production environment.
1391
Configuring Non-Supported Options
Limitations
• All changes must be performed via SSH, you cannot configure or display non-supported options
from the GUI.
• The configuration of non-supported options can only be done in a specific sections of the files
and nowhere else.
• You can only configure locally non-supported options.
• You can only configure non-supported options on physical servers EfficientIP DNS or DHCP
servers, you cannot set them on a smart architecture.
If you want to add non-supported options on several physical servers managed via the same
architecture, you must set them on each server configuration file individually.
• The non-supported options that you configure overwrite the current configuration. So make
sure that the options you incorporate are not already set in the configuration because the GUI
might not reflect these changes. Besides, configuring options twice may prevent the service
from running properly.
1392
Configuring Non-Supported Options
By default, both files exist in the directory /ipfw. Note that the current firewall mode of your appli-
ance, Restricted and Open, is visible in the GUI on the page Network configuration, for more
details refer to the section Setting the Firewall.
Before configuring non-supported rules, keep in mind that there is no validation check for these
files, so if you misconfigure either you can lose access to your appliance, via SSH or other-
wise.
ipfw.rules
#!/bin/sh
/sbin/ipfw -q flush
if [ -f /etc/ipfw.rules.stats ]; then
. /etc/ipfw.rules.stats
fi
if [ -f /etc/ipfw.rules.sourcerouting ]; then
. /etc/ipfw.rules.sourcerouting
fi
Before configuring non-supported rules, keep in mind that there is no validation check for these
files, so if you misconfigure either you can lose access to your appliance, via SSH or other-
wise.
1393
Configuring Non-Supported Options
5. In the directory /usr/local/nessy2/etc/ipfw/, edit the file ipfw.rules.inc to incorporate the non-
supported firewall rules of your choice.
Keep in mind that if you misconfigure this file you can lose access to your appliance.
6. Restart the firewall daemon to take into account your changes with the command:
service ipfw restart
ipfw_open.rules
#! /bin/sh
/sbin/ipfw -q flush
if [ -f /etc/ipfw.rules.stats ]; then
. /etc/ipfw.rules.stats
fi
if [ -f /etc/ipfw.rules.sourcerouting ]; then
. /etc/ipfw.rules.sourcerouting
fi
Before configuring non-supported rules, keep in mind that there is no validation check for these
files, so if you misconfigure either you can lose access to your appliance, via SSH or other-
wise.
1394
Configuring Non-Supported Options
Keep in mind that if you misconfigure this file you can lose access to your appliance.
6. Restart the firewall daemon to take into account your changes with the command:
service ipfw restart
1395
Configuring Non-Supported Options
By default, each directory contains a file httpd.conf.inc that you can edit to specify the settings
of your choice.
Note that you can add as many *.inc files as you need in the directories /pre and /post.
httpd.conf
## Include files for customizations
## USE WITH CAUTION
IncludeOptional /usr/local/nessy2/etc/httpd/pre/*.inc myhttpconf.inc
#
# This is the main Apache HTTP server configuration file. It contains the
Listen 81
# configuration directives that give the server its instructions.
...
ServerRoot "/usr/local"
...
Listen 80
Include etc/apache24/Includes/*.conf
<VirtualHost 10.10.10.10:81>
DocumentRoot /data1/customer-portal
ServerName portal.customer.com
ErrorLog "/var/log/httpd-portal_error_log"
<Directory /data1/customer-portal>
AllowOverride All
Order deny,allow
allow from all
</Directory>
</VirtualHost>
1396
Configuring Non-Supported Options
Before configuring non-supported settings, keep in mind that there is a validation check for these
files but any invalid configuration may prevent the service from running properly or prevent
you from accessing the GUI altogether.
If no errors are returned and the file syntax is OK, go to the next step. If not, you must edit
the content of the included file(s) because you might no longer be able to access or GUI or
prevent the service from running.
7. Once the configuration is OK, restart the Apache daemon to take into account your changes
with the command:
apachectl restart
1397
Configuring Non-Supported Options
unbound.conf
server:
verbosity: 1
interface: 0.0.0.0
interface: ::0
port: 53
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
chroot: ""
directory: "/etc/unbound/"
pidfile: "/var/run/unbound/unbound.pid"
hide-identity: yes
hide-version: yes
msg-cache-size: 128m
username: named
# include: /usr/local/nessy2/etc/unbound/global_include.conf global_include.conf
remote-control:
control-enable: yes
control-interface: 127.0.0.1 log-time-ascii: yes
server-key-file: /etc/unbound/unbound_server.key
server-cert-file: /etc/unbound/unbound_server.pem
control-key-file: /etc/unbound/unbound_control.key
control-cert-file: /etc/unbound/unbound_control.pem
# include: /usr/local/nessy2/etc/unbound/remote_include.conf remote_include.conf
control-interface: 192.168.3.4
Before configuring non-supported settings, keep in mind any invalid option is ignored.
1398
Configuring Non-Supported Options
unbound-checkconf /etc/unbound/unbound.conf
If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the Unbound daemon to take into account your changes
with the command:
service ipmdns.sh restart
1399
Configuring Non-Supported Options
nsd.conf
remote-control:
control-enable: "yes"
control-interface: ::1
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/data1/etc/nsd/nsd_server.key"
server-cert-file: "/data1/etc/nsd/nsd_server.pem"
control-key-file: "/data1/etc/nsd/nsd_control.key"
control-cert-file: "/data1/etc/nsd/nsd_control.pem"
# include: /usr/local/nessy2/etc/nsd/remote_include.conf remote_include.conf
server:
include: /data1/etc/nsd/ip-address.conf
database: "/data1/etc/nsd/nsd.db" control-interface: 192.168.3.4
pidfile: "/var/run/nsd/nsd.pid"
difffile: "/data1/etc/nsd/ixfr.db"
xfrdfile: "/data1/etc/nsd/xfrd.state"
server-count: 4
zonesdir: "/data1/etc/namedb/zones"
port: 53
hide-version: yes
verbosity: 0
username: named
ipv4-edns-size: 4096
ipv6-edns-size: 4096
# include: /usr/local/nessy2/etc/nsd/global_include.conf global_include.conf
identity: "myserver"
Before configuring non-supported settings, keep in mind any invalid option is ignored.
1400
Configuring Non-Supported Options
6. Make sure the whole configuration file is still viable using the command:
nsd-checkconf /etc/nsd/nsd.conf
If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the NSD daemon to take into account your changes
with the command:
service ipmdns.sh restart
1401
Configuring Non-Supported Options
Before configuring non-supported settings, keep in mind any invalid option is ignored.
Allows to incorporate options. In this file, no need to specify the statement "options", only
its values.
named.conf
acl "admin" {
any;
};
options {
listen-on-v6 { any; };
directory "/etc/namedb";
...
include "/usr/local/nessy2/etc/named/options_include.conf"; options_include.conf
};
1402
Configuring Non-Supported Options
Before configuring non-supported settings, keep in mind any invalid option is ignored.
5. Incorporate non-supported BIND settings for the server in the file that suits your needs:
• To configure settings in the section global, edit in the file global_include.conf according to
your needs. The full path to the file is /usr/local/nessy2/etc/named/global_include.conf
• To configure settings in the section options, edit in the file options_include.conf according
to your needs. The full path to the file is /usr/local/nessy2/etc/named/options_include.conf
6. Make sure the whole configuration file is still viable using the command::
If no errors are returned and the configuration file is OK, go to the next step. If not, you must
edit the content of the included file because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DNS daemon to take into account your changes
with the command:
service ipmdns.sh restart
If you installed Linux packages, you must stop and start the daemon using the commands:
service ipmdns stop service ipmdns start
If you installed Linux packages, you must use the following command:
service ipmdns status
1403
Configuring Non-Supported Options
named.conf
key "rndc_key" {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb34gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
controls {
inet 127.0.0.1 port 953 allow {
localhost;
};
};
acl "admin" {
any;
};
view "intranet" {
match-clients {
key myview;
192.168.0.0/24;
};
match-destinations {
!external;
!42.42.42.0/24;
192.168.100.15
};
zone "mycorp.com"{
type slave;
file "zones/slave/mycorp.com/mycorp.com";
masters {
10.0.3.30;
};
include "/data1/etc/named/view_intranet_include.conf"; view_intranet_include.conf
};
cleaning-interval 120;
max-journal-size 1m;
empty-zones-enable no;
Figure N.7. Example of non-supported BIND settings configured for a view called "intranet"
Before configuring non-supported settings, keep in mind any invalid option is ignored.
1404
Configuring Non-Supported Options
If no errors are returned and the configuration file is OK, go to the next step. If not, you must
edit the content of the included file because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DNS daemon to take into account your changes
with the command:
service ipmdns.sh restart
If you installed Linux packages, you must stop and start the daemon using the commands:
service ipmdns stop service ipmdns start
If you installed Linux packages, you must use the following command:
service ipmdns status
Keep in mind that if any option is invalid, the included configuration is ignored until you correct
what needs to be changed. As for conflicting options, they overwrite your configuration.
1405
Configuring Non-Supported Options
By default, the directory /snmpd contains a file custom.conf that you can edit to specify the settings
of your choice.
Note that you can add as many files as you need in the directory /snmpd.
snmpd.conf
trapcommunity public
trapsess -v 2c -c public 10.0.11.3
authtrapenable 1
Before configuring non-supported settings, keep in mind that there is no validation check for
this file. Any invalid configuration may prevent the service from running properly.
5. In the directory /usr/local/nessy2/etc/snmpd, edit the file custom.conf according to your needs
or create a file to incorporate the non-supported SNMP options of your choice.
6. Once the configuration is OK, restart the SNMP daemon to take into account your changes
with the command:
service snmpd restart
1406
Configuring Non-Supported Options
1407
Configuring Non-Supported Options
Before configuring non-supported options, keep in mind any invalid option is ignored.
ddns-update-style none;
ddns-updates off;
option server.log-facility local7; if (exists host-name) {
authoritative; log (info,concat("We have host-name:", option host-name));
option server.min-lease-time 60; }
...
Before configuring non-supported options, keep in mind any invalid option is ignored.
If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DHCP daemon to take into account your changes
with the command:
service ipmdhcp.sh restart
1408
Configuring Non-Supported Options
authoritative;
ddns-update-style none;
option server.omapi-port 7912; if (exists host-name) {
log (info,concat("We have client-id:", option dhcp6.client-id));
... }
subnet6 2001:db8:0:1::/64 {
range6 2001:db8:0:1::129 2001:db8:0:1::254;
}
Before configuring non-supported options, keep in mind any invalid option is ignored.
If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DHCPv6 daemon to take into account your changes
with the command:
service ipmdhcp6.sh restart
1409
Configuring Non-Supported Options
By default, the directory /etc contains a file ntp.conf.inc that can de edited to specify the settings
of your choice.
ntp.conf
# By default, exchange time with everybody, but dont allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
Before configuring non-supported settings, keep in mind that there is no validation check for
this file. Any invalid configuration may prevent the service from running properly.
5. In the directory /usr/local/nessy2/etc/, edit the file ntp.conf.inc according to your needs to
incorporate the non-supported NTP options of your choice.
6. Once the configuration is OK, restart the NTP daemon to take into account your changes
with the command:
service ntpd restart
1410
Configuring Non-Supported Options
By default, the directory /include can contain any file that you can configure with the settings of
your choice.
syslog.conf
@version:3.7
@define allow-config-dups 1
@include "scl.conf"
@include "eip_syslog-ng.conf"
@include "syslog-ng.d/eip_redirect.conf"
log {
destination{ file("/tmp/test.log"); };
flags(catchall);
};
If no errors are returned, go to the next step. If not, you must edit the content of the included
files because incorrect configurations are ignored.
7. Make sure the daemon is running with the command:
service syslog-ng status
1411
Configuring Non-Supported Options
shared_preload_libraries = 'auto_explain'
auto_explain.log_min_duration = '1000ms'
Before configuring non-supported options, keep in mind that there is no validation check for
these files. Any invalid configuration may prevent the service from running properly.
5. In the directory /usr/local/nessy2/etc/, edit the file postgresql.conf.inc according to your needs
to incorporate the non-supported PostgreSQL options of your choice.
6. Restart the PostgreSQL daemon to take into account your changes with the command:
service postgresql restart
1412
internal module setup, 33
Index propagating, 780
restricting, 780
setting, 780
A Agentless server
ACL DHCP (see Microsoft DHCP)
DHCP DNS (see Microsoft DNS)
adding, 416 alerts, 1151
adding ACL entries, 420 adding alerts, 1153
copying (only v4), 417 checking alerts, 1156
creating an ACL based on option 82, 437 disabling alerts, 1156
deleting, 419 dismissing alerts, 1156
editing, 417 editing alerts, 1155
granting access to known clients, 416 enabling alerts, 1156
DNS allow-notify
DNS server ACL, 542 at server level, 522
editing a view match clients list, 567 at view level, 572
editing a view match destination list, 567 at zone level, 620
Active Directory allow-query
authenticating users, 1091 at server level, 524
domain, 600 at view level, 576
dynamic update authentication, 655 at zone level, 623
relying on AD credentials to log users, 1091 allow-query-cache
addresses, 255 at server level, 525
adding, 257 at view level, 577
adding by search, 259 allow-recursion, 520
adding manually, 257 allow-transfer
assigning, 257 at server level, 526
configuring aliases, 262 at view level, 578
deleting, 271 at zone level, 624
editing, 261 allow-update, 625
editing aliases, 263 also-notify
editing the network/broadcast address, 260 at server level, 522
moving IPv4 addresses across networks, 267, 268 at view level, 572
moving IPv4 addresses across spaces, 268 alt-transfer-source, 538
moving IPv4 addresses across the VLSM, 297 alt-transfer-source-v6, 538
pinging an address, 269 Amazon Route 53
removing aliases, 264 DNS servers, 505
renaming Pv4 addresses massively, 266 analytics
restoring, 272 DHCP data, 446
statuses and types, 256 DNS data, 732
undoing an address deletion, 272 Guardian data, 845
updating RPZ data, 732
Device Manager, 1003 answerlog, 740
Administration anycast
importing CSV data, 164 for BGP, 550
administrators for IS-IS, 554
authenticating remote users, 1089 for OSPF, 546
advanced properties, 752 appliance
configuring default gateway, 91
DHCP, 776 high availability (see high availability management)
DNS, 779 hostname, 93
IPAM, 754 reboot, 1189
inheriting, 780 remote management, 1105
1413
Index
1414
Index
1415
Index
1416
Index
1417
Index
1418
Index
1419
Index
redirection, 1159 N
visualization, 1158
NetChange, 887
loopback interface, 104
Addresses, 937
configuration files versioning, 924
M discovered items, 939
maintenance, 1173 history, 942
backup (see backup) purging, 942
clearing SOLIDserver cache, 1181 refreshing, 941
local files listing (see local files listing) updating the IPAM, 941
maintenance mode, 1180 discovering network devices, 895
reboot (see appliance, reboot) importing CSV data, 150
shutdown (see appliance, shutdown) licenses, 888
troubleshooting (see troubleshooting) monitoring
update macros and rules, 1180 automating devices synchronization, 947
management keeping the database up to date, 946
high availability (see high availability management) network devices, 891
Master/Slave, 465 802.1X authentication, 896
max-cache-size adding, 893
at server level, 528 connecting via a web console, 900
at view level, 579 connecting via SSH, 899
MetaIP connecting via telnet, 900
importing a DHCP configuration file, 177 deleting, 902
Microsoft DHCP discovering, 895
adding a server, 353 editing SNMP properties, 897
agentless server, 351 making a snapshot, 900
importing a configuration file, 175 refreshing, 898
limitations, 352 scheduling a refresh, 899
managing failover, 354 statistics, 944
prerequisites, 351 ports, 910
Microsoft DNS 802.1X authentication, 914
adding a server, 492 associating a port with a VLAN, 921
agentless server, 490 configuring tagging mode, 920
limitations, 490 edge and terminal ports, 910
prerequisites, 490 editing speed and duplex, 913
minimal-responses, 530 enabling/disabling, 912
monitoring, 1142 interconnection ports, 910
alerts (see alerts) limiting access using MAC addresses, 915
database tables size, 1171 limiting access using user rights, 918
DHCP data, 444 port-security, 915
DNS data, 730 statistics, 944
forwarding events, 1164 updating description, 914
high availability appliances, 1112 rights, 1076
netstat, 1170 routes, 903
remote appliances, 1112 creating in the IPAM, 906
reports (see reports) statistics, 944
services logs, 1158 tuning
services statistics, 1160 customizing the devices' type, 948
session tracking, 1162 updating
SNMP (see SNMP, monitoring) Device Manager with devices, 983
user tracking, 1162 Device Manager with discovered items, 983
copy user operations in syslog, 1164 IPAM with addresses, 941
Multi-Master, 467 versioning, 924
comparing configuration files, 931
1420
Index
1421
Index
changing the lease time for PXE clients, 422 on DNS servers, 1144
next-server and filename options (v4), 421 on DNS views, 1145
on DNS zones, 1146
Q on NetChange network devices, 1146
query-source, 537 on statistics, 1147
query-source-v6, 537 on users, 1088
querylog, 739 scheduling, 1149
quick wizards, 77 resource records, 630
adding, 633
A, 633
R AAAA, 634
RADIUS
AFSDB, 634
authenticating users, 1095
CAA, 635
configuring a FreeRadius server, 1377
CERT, 635
configuring with Cisco RADIUS ACS, 1378
CNAME, 636
ranges (DHCP), 396
DHCID, 636
adding, 397
DNAME, 637
deleting, 404
DNSKEY, 638
editing, 400
DS, 703
options, 402
HINFO, 639
replicating in the IPAM, 401
MINFO, 639
resizing, 401
MX, 640
ranges (VLAN), 1016
NAPTR, 640
adding, 1017
NS, 641
deleting, 1019
NSAP, 642
editing, 1017
OPENPGPKEY, 642
resizing, 1018
PTR, 643
records
SRV, 644
SOA
SSHFP, 643
resetting, 601
TLSA, 645
recursion, 519
TXT, 645
at server level, 519
URI, 646
at view level, 574
WKS, 646
recursive-clients, 521
delegation, 649
remote management, 1105
deleting, 654
adding appliances, 1109
DNSSEC (see DNSSEC, records)
configuring the management appliance, 1108
duplicating, 651
deleting an appliances, 1132
editing, 647
monitoring statistics, 1112
load balancing, 652
monitoring the logs, 1112
moving, 651
monitoring the statistics, 1112
SOA, 630
monitoring the time drift, 1112
SPF, 652
prerequisites, 1109
supported RRs, 630
remote network configuration, 1111
Response policy zone (see RPZ)
remote service configuration, 1111
Response Rate Limiting (RRL) (see DNS, RRL)
replacing an appliance, 1131
rights management, 1069
upgrading remote appliances, 1211
authentication rules, 1089
reports, 1142
groups of users, 1071
browsing the reports database, 1142
users, 1081
downloading and displaying, 1150
route
generating, 1148
adding a specific route, 92
managing scheduled reports, 1150
static route, 92
on DHCP scopes, 1143
RPZ, 665
on DHCP servers, 1142
limitations, 665
1422
Index
1423
Index
1424
Index
1425
Index
X
X.509
certificate, 1193
Z
zones
adding
delegation-only, 598
forward, 592
hint, 597
master, 586
slave, 590
1426