Chapter 6. System reference

CARP works by allowing a group of hosts on the same network segment to share an IP address. Within the group, one host is designated the "master" role and the rest are "backups". The master host is the one that currently "holds" the shared IP; it responds to any traffic or ARP requests directed towards it. If the master fails a backup transparently takes the master role and start responding to traffic.

CARP also allows for configuring a load balanced cluster . In such a cluster all the traffic load is shared between the nodes and in case a node fails it will be excluded from the cluster and the remaining nodes will handle traffic for the failed node.

1.1. Configuring a load balanced cluster

To configure a load balanced (active/active) cluster of two Profense™ nodes do the following:

Node 1 configuration

Create a LOADBALANCE MASTER interface by doing the following:

In Cluster virtual IP configuration enter the virtual IP address of the cluster in the the Virtual IP field.
In Netmask enter the netmask specifying the subnet for the virtual ip.
In the Type drop-down menu select LOADBALANCE MASTER.
Click the Add virtual IP button.

This will create a Carp interfaces with type LOADBALANCE MASTER.

The interface is assigned an even numbered VHID and two priorities, Priority and Priority Slave. Due to the way IP Loadbalancing is implented with Carp another virtual interface is created in the background. Priority Slave is assigned to the background interface as is a VHID with an un-even number (VHID + 1).

Enable cluster synchronization and designate the role TEACH in the Synchronization configuration section:

Select Enable proxy settings synchronization
Select TEACH in the Mode drop-down.
Enter a password for the cluster in the Password field.
Click the Save button.

Node 2 configuration

Create a LOADBALANCE SLAVE interface by doing the following:

In Cluster virtual IP configuration enter the virtual IP address of the cluster (the same as on the master) in the the Virtual IP field.
In Netmask enter the netmask specifying the subnet for the virtual ip.
In the Type drop-down menu select LOADBALANCE SLAVE.
Click the Add virtual IP button.

This will create a Carp interfaces with type LOADBALANCE SLAVE.

The interface is assigned a VHID and priorities like on the LOADBALANCE MASTER node except that the priorities are mirrored.

Supposing there are no other or an equal amount of CARP interfaces configured on both nodes the VHID on the two nodes should be equal.

On node 1 the LOADBALANCE MASTER interface should have the same VHID as the LOADBALANCE SLAVE interface on node 2.

Otherwise configure the interfaces two achieve the above in CARP interfaces (Section 1.4, “CARP Interfaces”).

Enable cluster synchronization and designate the role LEARN in the Synchronization configuration section:

Select Enable proxy settings synchronization
Select LEARN in the Mode drop-down.
Enter the same cluster password as for node 1for the cluster in the Password field.
Click the Save button.

1.2. Configuring a fail-over cluster

To configure a fail-over (active/passive) cluster of two Profense™ nodes do the following:

Node 1 configuration

Create a FAILOVER-MASTER interface by doing the following:

In Cluster virtual IP configuration enter the virtual IP address of the cluster in the the Virtual IP field.
In Netmask enter the netmask specifying the subnet for the virtual ip.
In the Type drop-down menu select FAILOVER-MASTER.
Click the Add virtual IP button.

Enable cluster synchronization and designate the role TEACH in the Synchronization configuration section:

Select Enable proxy settings synchronization
Select TEACH in the Mode drop-down.
Enter a password for the cluster in the Password field.
Click the Save button.

Node 2 configuration

Create a FAILOVER-BACKUP interface for the same virtual IP by doing the following:

In Cluster virtual IP configuration enter the virtual IP address of the cluster in the Virtual IP field.
In Netmask enter the netmask specifying the subnet for the virtual ip.
In the Type drop-down menu select FAILOVER-BACKUP.
Click the Add virtual IP button.

Enable cluster synchronization and designate the role LEARN in the Synchronization configuration section:

Select Enable proxy settings synchronization
Select LEARN in the Mode drop-down.
Enter the same cluster password as for node 1for the cluster in the Password field.
Click the Save button.

1.3. Synchronization configuration

When Profense nodes are running a cluster one of the Profense nodes can be designated the role TEACHER.

In order to keep load balancing and backup nodes up-to-date with the current configuration the TEACHER is broadcasting policy changes and some proxy settings like web application firewall settings an class changes when changes occur.

Proxy settings synchronization have to be configured by all nodes in the cluster.

Enable proxy settings synchronization

Check box

Enable or disable proxy settings synchronization.

If enabled, Profense™ will synchronize the current ACL database and other parameters with other Profense™ nodes.

Mode

Drop down list

Synchronization role.

If set to Teach, this Profense™ will multicast the ACL database to other Profense™ installations. If set to Learn, this Profense™ will update it's ACL database according to synchronization messages from other Profense™ installations.

Synchronization settings affects the operation of the Learner. When synchronization is enabled and the node synchronization mode is set to Learn, the node will not sample learn data but wait for the node master to dispatch a policy.

	Note
	You need to configure an interface that will be used for synchronization before the ACL database synchronization will be activated.

Password

Input field

Password used for synchronization message authentication.

Valid input

Any string.

A long password is recommended as it do not have to be memorable by humans.

Input example

98974953Q38512432324CU4859229842784

Default value

none

1.4. CARP Interfaces

The CARP Interfaces configuration section provides an overview of CARP interfaces and allows for post configuration.

ID	The CARP interface id on the node.
VIP	Virtual IP address of the cluster. This is the IP address the nodes in the cluster is sharing.
Netmask	The netmask defining the virtual IP's subnet.
VHID Input field	Virtual host identifier number of the CARP group. On each Profense node VHIDs are required to be unique. VHIDs identify cluster groups accros Profense™ nodes. The same VHIDs are therefore required to be configured on both cluster nodes. Valid input An even integer in the range 2-254 Default value `Next available VHID number`
Interface	The physical network interface the CARP interface is bound to.
State	State of the CARP interface can be either `MASTER` or `BACKUP`. If a CARP interface with a low priority (automatically set when selecting the types FAILOVER-BACKUP or LOADBALANCE-FAILOVER) is assuming the role of MASTER then probably the original MASTER node is experiencing problems.
Priority Input field	The priority of the interface in the CARP group. Do not edit this property unless you are familiar with the CARP protocol. The priority itself is an abstraction over the `advskev` CARP parameter. When setting `priority` `advskev` is calculated as `254 - priority`. Interfaces of type FAILOVER-MASTER and LOADBALANCE are configured with a high priority and interfaces of type FAILOVER-BACKUP or LOADBALANCE-FAILOVER are configured with a lower priority. Valid input An integer in the range 1-254 Default value `FAILOVER-MASTER and LOADBALANCE MASTER: 254` `FAILOVER-BACKUP or LOADBALANCE-FAILOVER: 154`

1.5. Fail-over status information

If the system is running in a fail-over configuration the following additional information will be displayed.

Virtual IP	Virtual IP address.
Role (config)	Shows the configured role (MASTER or BACKUP) for the specified virtual IP address.
Role (current)	Shows the current role (MASTER or BACKUP) for the specified virtual IP address. If the current role differs from the configured an error situation has occurred and the role information fields will be blinking red.
Interface	Shows the physical interface the specified virtual IP address is attached to.
Priority	Shows the virtual IP address priority for the physical interface.

2. Configuration

GUI Path: System -> Configuration

2.1. Network

Basic network configuration is performed in this section. Any changes made to this section are applied and saved by clicking on the Save" button.

Hostname Input field	Domain name of the Profense™ Web application firewall. Valid input Fully qualified domain name. Input example `proxy.mydomain.com` Default value `None`
Default gateway Input field	IP address of the default gateway. Valid input IP address assigned must be in the same network subnet as the IP address of one of the physical network interfaces. Input example `192.168.0.1` Default value `None`
DNS server(s) Input field	IP address of one or more DNS servers. Valid input IP addresses Use space to separate multiple hosts (only one required). Input example `192.168.0.2` Default value `None`
SMTP server Input field	SMTP server hostname or IP address. SMTP server is used for sending alert e-mails to the contact e-mail address specified. Valid input IP address or fully qualified domain name Input example `smtp.mydomain.com` Default value `None`
Syslog server Input field	External syslog server hostname or IP address. Proxies with external syslog alert enabled will send syslog alerts to the specified server. Syslog messages are sent to `user` facility and `informational level` (criticality) is configurable for each proxy. See Section 12.3, “External notification” for details on configuring alerts for proxies. Valid input IP address or fully qualified domain name Input example `syslog.mydomain.com` Default value `None`

2.2. Static routes

Define static routes.

Click Add new route and enter route information for each route you want to add.

When routes are entered click Save settings in lower button bar to save.

Destination

Input field

The route destination.

Enter first IP address of destination network.

Valid input

A valid ip address.

Input example

192.168.5.0
192.168.6.8
192.168.7.10

Default value

None

Subnet

Input field

Network mask of the destination IP address.

Valid input

A valid network mask

Input example

255.255.255.0
255.255.255.248
255.255.255.255

Default value

None

Gateway

Input field

IP address of the gateway through which the destination can be reached.

Valid input

An IP address of a gateway which is directly reachable by the Profense™ node.

Input example

192.168.0.4
192.168.0.5
192.168.0.6

Default value

None

The examples above would result in:

Access to IP addresses 192.168.5.0-255 (192.168.5.0/24) is routed through the gateway 192.168.0.4.
Access to IP addresses 192.168.6.8-16 (192.168.6.8/29) is routed through the gateway 192.168.0.5.
Access to IP address 192.168.7.10 (192.168.7.10/32) is routed through the gateway 192.168.0.6.

2.3. Syslog - logging to external host

Configure threshold level and address of external Syslog server.

Syslog server

Input field

External syslog server hostname or IP address.

Proxies with external syslog alert enabled will send syslog alerts to the specified server.

Syslog messages are sent to user facility and informational level (criticality) is configurable for each proxy. See Section 12.3, “External notification” for details on configuring alerts for proxies.

Valid input: IP address or fully qualified domain name
Input example: syslog.mydomain.com
Default value: None

2.3.1. Mapping of Profense System Logs to Syslog facilities

Attack	`Local3`
Audit	`auth`
Proxy	`Local0`
Learner	`Local4`
Backup	`Local5`
WebGUI	`Local2`
Daemon	`Local1`
Syslog	Other facilities
Error	All facilities with informational level `error` and above

Logging to external Syslog server is only available in Profense™ Professional licenses.

See Section 5, “Logs” for a description of the log mentioned above.

2.4. Date and Time

This section is used for configuration of time synchronization via NTP (Network Time Protocol).

It is strongly advised to configure an NTP server in order to have the correct date and time set on the system.

It is recommended to configure an internal NTP interface. If one is not available, a well-known NTP server time.nist.gov can be used. Also, have a look at www.ntpd.org for a more detailed list of NTP servers available for free on the Internet.

NTP server

Input field

IP address or hostname of an NTP server.

Remember to set up at least one DNS server if you enter a hostname here.

Valid input

IP address or fully qualified domain name.

Use space to separate multiple hosts (only one required).

Input example

time.nist.gov

Default value

None

Timezone

Drop down list

Timezone information.

Select the systems timezone from the drop down menu.

Valid input: A timezone option from the drop down list.
Default value: Europe/Copenhagen

2.5. Miscellaneous

Miscellaneous information.

Contact

Input field

E-mail address of the administrative contact.

All alert e-mails and notifications are sent to this address.

You need to define an SMTP server before any e-mails are sent.

Valid input: E-mail address
Input example: admin@mydomain.com
Default value: admin@mydomain.com

Sender domain

The e-mail address domain.

Extracted from the contact e-mail.

2.6. Backup configuration

This section is used to configure an FTP/SCP server used for automated configuration backup/restore of Profense™ configuration.

2.6.1. FTP configuration

FTP server Input field	FTP hostname or IP address. Valid input IP address or fully qualified domain name Input example `ftp.mydomain.com` Default value `None`
FTP port Input field	FTP server port number Valid input An TCP/IP port number Input example `21` Default value `21`
Login Input field	Username used for login. FTP account used must be able to store files on the remote FTP server. Valid input A valid username Input example `profense_backup` Default value `none`
Password Input field	Password used for SCP login. Valid input Any string. A long password is recommended as it do not have to be memorable by humans. Input example `s984ROf.dds&fdsfs)afa8343287` Default value `none`
Remote directory Input field	Full path to directory on FTP server used for storing Profense™ related files. Valid input A directory path ending with / Input example `/ftp/profense/` Default value `none`

2.6.2. SCP configuration

SCP server Input field	SCP hostname or IP address. Valid input IP address or fully qualified domain name Input example `ftp.mydomain.com` Default value `None`
SCP port Input field	SCP server port number Valid input An TCP/IP port number Input example `21` Default value `21`
Login Input field	Username used for login. SCP account used must be able to store files on the remote SCP server. Valid input A valid username Input example `profense_backup` Default value `none`
SCP key Button	Click Download Profense Public SCP Key to download key used for authentication. Make sure to add this key to the authorized keys list on the remote server.
Remote directory Input field	Full path to directory on SCP server used for storing Profense™ related files. Valid input A directory path ending with / Input example `/scp/profense/` Default value `none`
Remote directory Input field	Full path to directory on SCP server used for storing Profense™ related files. Valid input A directory path ending with / Input example `/scp/profense/` Default value `none`

2.7. Auto-backup

Auto-backup, if enabled, is performed daily at 03:00 AM based on your current timezone settings.

Enable FTP auto-backup

Check box

Enable or disable FTP auto-backup.

If checked, automated FTP configuration backup will be active.

Enable SCP auto-backup

Check box

Enable or disable SCP auto-backup.

If checked, automated SCP configuration backup will be active.

3. Information

GUI Path: System -> Information

3.1. System

Displays basic system hardware information.

CPU	Number of CPUs detected, CPU speed in gigahertz (GHz) and CPU model.
BIOS	Information read from server BIOS.
Memory	Available server (hardware) memory.
Uptime	Time since the system was last started.
Localtime	The system time.

CPU model: