Settings: Difference between revisions

17,638 bytes added ,  6 April 2020




==''' Incident settings'''==
This configuration section lists all available incidents that can be enabled and configured.




==''' User defined names'''==
It is possible to define your own names for IP addresses and MAC addresses; see User defined names for details.


=='''Management interface settings'''==
Access to the web interface of the Allegro Network Multimeter is handled by an out-of-band management connection, separate from the monitored traffic, which can be either wired or wireless.

This section configures both the wireless and the wired management access.


<big>''' Wireless management interface'''</big>
The wireless access can be disabled or enabled regardless of whether a WiFi device is currently connected, since such a device can be connected at any later time.
The wireless management interface can work in two modes:
* Join existing network: In this mode, the Allegro Network Multimeter connects to your existing WiFi network.
To do so, enter the name (SSID) of the network and the password.
Your WiFi access point should list the IP it assigns to the Allegro Network Multimeter.
* Manage own network: In this mode, the device sets up its own access point so that you can connect your laptop or smartphone directly to the device and access the management interface.
In this mode, the web interface can be accessed by entering the URL “https://allegro/” into your web browser.
Additionally, two other options are available in this mode:
– Channel: A fixed WiFi channel can be selected so the access point only uses this channel instead of automatically choosing the best available channel.
– Disable default gateway: If enabled, the access point will not announce itself as the default gateway/route for this network.
In that case the device can only be accessed by its IP address 192.168.4.1. If this option is disabled, the name server running on the device also resolves the name “allegro”, which makes the device easier to reach.
This option is useful if another connection is active which should continue to be used, such as a mobile connection or the internal company network.


<big>''' LAN management interface'''</big>
For the wired connection there are three operation modes:
• Join existing network: Similar to the wireless connection, in this mode the device obtains an IP address from the network connected to the management port.
The router or DHCP server in your network should list the IP of the Allegro Network Multimeter.
• Manage own network: In this mode, the device runs a DHCP server on the management port so that you can connect another computer to the system with a cable. Be aware that this port must not be connected to your main network: running multiple DHCP servers will very probably disturb the network.
In this mode, the web interface can be accessed by entering the URL “https://allegro/” into your web browser.
• Use static IP: It is also possible to configure a fixed IP for the wired management port. You can enter any IP for the port. The IP must end with a slash followed by the prefix length of the subnet.
Example: /24 stands for a subnet mask of 255.255.255.0.
Optionally you can enter the IP of your gateway and the IP of the DNS server.
You can leave them empty if you want to connect the device directly to another computer with no router involved.
In this mode, the web interface can be reached by the static IP you have configured.


<big>''' Secondary management interface'''</big>
You can attach a USB Ethernet adapter to any USB port of the Allegro Network Multimeter and use it as an additional management interface.
This management interface can be operated with a static IP address only. In the address input field, enter the IP address followed by a slash and the prefix length of the subnet (e.g. /24).
Optionally you can enter the IP of your gateway and the IP of the DNS server.
You can leave them empty if you want to connect the device directly to another computer with no router involved.
This feature is not supported by the Allegro 200.


<big>''' Host name'''</big>
By default, the host name has the format “allegro-mm-xxxx”, where the last four characters depend on the individual device.
This lets several multimeters coexist in the same network with distinct names.
It is however possible to choose your own host name. Enter a new name and save the changes.
If the name field is left empty, the default name is used again after the next reboot.


<big>''' LLDP'''</big>
If enabled, the Allegro Network Multimeter transmits LLDP (Link Layer Discovery Protocol) information for the management MAC and IP addresses on the management interface.
The LLDP system name contains the host name of the Allegro Network Multimeter and the LLDP system description contains the platform type (e.g. Allegro-200-rev1) and the currently installed firmware version.
Note that this discloses the platform type and firmware version to every LLDP listener on the management segment; enable it only where that information may be visible.




==''' Multi-device settings'''==


==''' Administration'''==
The administration page allows the following actions:
* Power: Reboot or power off the Allegro Network Multimeter. After clicking one of the buttons a confirmation dialog appears.
Rebooting is usually not necessary and takes significant time. If the packet processing needs to be restarted because some options cannot be changed at runtime, the next option is the better choice as it minimizes the downtime.
* Processing: Restart the Allegro Network Multimeter processing software. This resets all measured statistics.
Choosing this option stops the packet processing, but the machine and its web interface remain available as the device itself is not rebooted. The packet processing core is restarted with the current settings and processes packets again after a few seconds.
* Configuration: Clicking “Reset System Configuration” resets all settings, including the network configuration, to factory defaults and restarts the system.




''' SSL certificate'''
The device comes with a pre-installed generic SSL certificate, but your own certificate can be installed:
* Certificate: The “Install SSL certificate” button opens a dialog for uploading an X.509 certificate file and an RSA key file. Upon successful upload this certificate is used to serve the user interface.
The “Reset to default SSL certificate” button removes any user-provided SSL certificate, and the user interface is served using the default SSL certificate again.
Because the default certificate is generic rather than issued for your device, browsers cannot use it to authenticate the device; install a certificate issued for the device's host name for production use.
It is currently not possible to generate a certificate signing request (CSR) on the device. To use a certificate that needs to be signed by a company CA, create the private key and the signing request on a separate machine, have the CA sign it, and deploy the final certificate together with its key to the device using the option above. Since the private key is generated off-device, protect the copy on the preparation machine accordingly.


==''' Filter'''==
The filter page allows setting a processing filter for live traffic, so that traffic can be filtered before it is processed.
Filters can be applied for
* IP addresses (with optional subnet mask)
* pairs of IP addresses (with optional subnet mask)
* MAC addresses
* VLAN tags (or none for no VLAN tag)
* certain TCP/UDP ports
* physical interface IDs (as listed in Interface statistics)
Each of them can be set to either blacklist or whitelist mode.
Filtering is evaluated for every packet in the order of the tabs, and the most restrictive filter wins.
For instance, if no IP address is denied but a certain MAC address is on the blacklist, no traffic for that MAC address is processed.
The processing filter is applied to live traffic only. When replaying a PCAP or using the remote traffic capture feature, the filtering is not used.


<big>''' IP filters'''</big>
The IP filter page allows importing an IP list in the following format (lines starting with # are comments):
{| class="wikitable"
|-
| #A line with a comment
1.2.3.1
1.2.3.2
1.2.3.3
|}
Clicking “Import list” opens a dialog where you can choose to download such a list from a given URL or select a file from your system. The IPs are added to the existing ones, up to a maximum of 10000 IP addresses. Because the list decides which traffic is processed, import it only from a source you control.
The “Export list” button exports the IP filter list in the same format as the import.
The “Delete all” button deletes all IPs from the filter list.
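A pre-import check for lists in this format, added here as an example; it is not the multimeter's own import code. It strips comments and blank lines, rejects anything that is not a dotted-quad IPv4 address, drops duplicates, and stops at the documented limit of 10000 entries. It assumes that a # anywhere on a line starts a comment (the documented format shows only full-line comments) and that the list contains plain IPv4 addresses, as in the example above. The sample list at the end is constructed.

```shell
# Added example, not part of the Allegro documentation: validate an IP filter
# list before importing it. Reads the import format on stdin, writes the
# cleaned list to stdout, reports rejected lines on stderr and stops at the
# entry limit (default 10000, as documented). Assumption: '#' starts a comment
# anywhere on a line; only plain IPv4 addresses are expected.
clean_ip_list() {
    awk -v max="${1:-10000}" '
    function valid_ipv4(s,    o, n, i) {
        n = split(s, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/#.*/, "")                       # strip comments
        gsub(/^[ \t\r]+|[ \t\r]+$/, "")      # trim whitespace and CR (Windows line ends)
        if ($0 == "") next
        if (!valid_ipv4($0)) {
            printf("rejected line %d: %s\n", NR, $0) > "/dev/stderr"
            next
        }
        if (seen[$0]++) next                 # duplicates would only use up the limit
        if (++kept > max) {
            printf("entry limit %d reached at line %d; remaining lines skipped\n", max, NR) > "/dev/stderr"
            exit 1
        }
        print
    }'
}

# Constructed sample list (the kind of file you would point "Import list" at):
sample_list='# blocked hosts, constructed example
1.2.3.1
1.2.3.2
1.2.3.1
999.1.1.1
1.2.3.3'

# Prints the three valid, unique addresses; the duplicate and the bad line are reported on stderr.
printf '%s\n' "$sample_list" | clean_ip_list
```

Run it as `clean_ip_list < list.txt > clean.txt` before uploading; a non-zero exit status means the limit was hit and the output is truncated.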


==''' Remote access and export'''==
<big>''' Statistics Export'''</big>
The Statistics Export periodically queries the API of the Allegro Network Multimeter and transmits the JSON results to a remote server via HTTP POST requests.
The API path of a module can be determined with the debug console (network tab) of the browser while viewing that module in the web interface of the Allegro Network Multimeter.
Example:
* Interval: '''60'''
* Internal URL Path: '''/API/stats/interfaces'''
* External POST target: '''http://10.0.0.1:3000/interface-stats-for-mm-1234'''
This generates a '''POST /interface-stats-for-mm-1234''' request to '''10.0.0.1''' every minute, carrying the interface statistics of the multimeter.
With a plain http:// target as in this example, the statistics are sent unencrypted and without authentication, so run the receiver on a network that only the multimeter and its operators can reach.
'''Sample Node.js server'''
The following script is a basic Node.js server (with minimal error handling) which accepts POST requests and stores each request body to a file:
{| class="wikitable"
|-
|const http = require('http');
const fs = require('fs');
const listenAddress = '0.0.0.0';
const port = 3000;
const maxBodyBytes = 16 * 1024 * 1024; // refuse bodies larger than this instead of buffering without limit
let fileCount = 1;
const server = http.createServer((req, res) => {
  if (req.method != 'POST') {
    res.statusCode = 405;
    res.end();
    return;
  }
  let id = fileCount++;
  // Build the file name from the request path; slashes are replaced so the file stays in the working directory.
  let outputFilename = `${req.url.substring(1).replace(/\//g, '_')}_${id}.json`;
  console.log(`${id}: ${req.method} ${req.url} => ${outputFilename}`);
  let data = [];
  let received = 0;
  let tooLarge = false;
  req.on('data', chunk => {
    received += chunk.length;
    if (received > maxBodyBytes) {
      tooLarge = true;
      data = [];
      return;
    }
    data.push(chunk);
  });
  req.on('end', () => {
    if (tooLarge) {
      res.statusCode = 413;
      res.end();
      return;
    }
    // Join the received chunks into a single Buffer; writeFile does not accept an array of chunks.
    fs.writeFile(outputFilename, Buffer.concat(data), (err) => {
      if (err != null) {
        console.log(err);
        res.statusCode = 500;
      } else {
        res.statusCode = 200;
      }
      res.end();
    });
  });
});
server.listen(port, listenAddress, () => {
  console.log(`Server running at http://${listenAddress}:${port}/`);
});
|}



<big>''' SSH Port Forwarding'''</big>
The Allegro Network Multimeter can be configured to use SSH port forwarding to allow remote access to a device behind NAT.
The multimeter creates a tunnel to an SSH endpoint and opens a listening port on that SSH server.
This port can then be used to send HTTPS requests to the multimeter.


'''Preparing the SSH server'''


'''Create a user'''
The user on the SSH server does not need any special rights and does not need a login shell. Example:
{| class="wikitable"
|-
| $> useradd -m -s /usr/sbin/nologin mmremote
|}


'''Allow SSH access via public key'''
The Allegro Network Multimeter uses SSH public key authentication to log in to the SSH server.
The public key can be found in the '''SSH public key''' field of the '''SSH Port Forwarding''' settings dialog.
{| class="wikitable"
|-
| $> mkdir -m 700 /home/mmremote/.ssh
$> nano /home/mmremote/.ssh/authorized_keys
$> chmod 600 /home/mmremote/.ssh/authorized_keys
$> chown -R mmremote: /home/mmremote/.ssh
|}
Paste the key line into the file and save/close it. The directory and the file must not be writable by other users, otherwise sshd rejects the key (StrictModes).
There are two options to access the multimeter:


'''Option 1: No proxy'''
Advantage:
* no additional software required
Disadvantage:
* no port below 1024 (as non-root user)
– The default HTTPS port 443 is therefore not possible
By default the SSH server only allows remote-forwarded ports to listen on the loopback interface. This has to be changed so the forwarded port can listen on any address.
Edit the SSH configuration file '''/etc/ssh/sshd_config''' and activate the following line:
{| class="wikitable"
|-
| GatewayPorts clientspecified
|}
Save and close the configuration file and restart the SSH service.
Note that the forwarded port is then reachable on every address of the SSH server, so restrict it with a host firewall if the server is exposed to untrusted networks.
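The three server-side steps above (user without login shell, authorized key, GatewayPorts) collected into one script, as an added example that is not part of the Allegro documentation. It also tightens the authorized_keys entry so that the multimeter's key can only open the one remote-forward port and nothing else. Assumptions: a Debian/Ubuntu-style system (/usr/sbin/nologin, the ssh service name), OpenSSH 7.8 or newer for the permitlisten option, and the key text copied from the SSH public key field passed on the command line.

```shell
#!/bin/sh
# Added example (not from the Allegro documentation): prepare an SSH server for
# the multimeter's port forwarding. Assumes Debian/Ubuntu paths and service
# names and OpenSSH >= 7.8 (permitlisten). Run as root:
#   sh prepare-mmremote.sh apply 'ssh-ed25519 AAAA... allegro-mm-1234' 55443

# Build the authorized_keys entry. "restrict" disables pty, agent and X11
# forwarding and command execution; "port-forwarding" re-enables forwarding
# only, and "permitlisten" limits the remote forward (-R) to this one port.
# The host part is left out because the bind address is chosen by the multimeter.
authorized_keys_line() {
    key="$1"
    port="$2"
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$port" "$key"
}

# Does the given sshd_config already allow remote forwards on non-loopback addresses?
gateway_ports_enabled() {
    grep -Eq '^[[:space:]]*GatewayPorts[[:space:]]+clientspecified' "$1"
}

# Create the user, install the restricted key with safe permissions, and enable
# GatewayPorts clientspecified (only needed for Option 1, no proxy).
prepare_ssh_server() {
    user="$1"; key="$2"; port="$3"
    home="/home/$user"
    id "$user" >/dev/null 2>&1 || useradd -m -s /usr/sbin/nologin "$user"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    authorized_keys_line "$key" "$port" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$user:" "$home/.ssh"
    if ! gateway_ports_enabled /etc/ssh/sshd_config; then
        printf '\nGatewayPorts clientspecified\n' >> /etc/ssh/sshd_config
    fi
    sshd -t && systemctl reload ssh   # validate the config before reloading
}

# Only act when explicitly asked to, so the file can be sourced for its functions.
case "${1:-}" in
    apply) prepare_ssh_server mmremote "$2" "${3:-55443}" ;;
esac
```

With the restricted entry, a stolen multimeter key can only bind the agreed port on the SSH server; it cannot open a shell, forward other ports or use agent forwarding. If you use Option 2 and your sshd version allows it, the host part of permitlisten can be narrowed further, but it has to match the bind address the multimeter requests.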


'''Option 2: With HTTPS proxy'''
Advantage:
* use the default HTTPS port 443
* use the filter mechanisms provided by the proxy software
* use the same SSH server as proxy for several multimeters through SNI routing
Disadvantage:
* additional configuration required
The following block shows a sample configuration for the '''nginx''' proxy server:
{| class="wikitable"
|-
| server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name allegro-mm-1234.mm-remote.company.com;
    ssl_certificate /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/privkey.pem;
    client_max_body_size 200M; # for firmware uploads
    location / {
        proxy_pass https://localhost:55443; # 55443 = listening port configured on the multimeter
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name allegro-mm-1234.mm-remote.company.com;
    return 301 https://$host$request_uri;
}
|}
The forwarding to the Allegro Network Multimeter is selected by the configured server name. In this example, requests to '''allegro-mm-1234.mm-remote.company.com''' are forwarded to the multimeter.
This requires that the host name is resolved by the DNS server, for instance with a wildcard DNS CNAME entry pointing at the SSH server.
nginx terminates TLS with its own certificate and opens a second TLS connection to the multimeter; by default it does not verify the multimeter's certificate on that leg (proxy_ssl_verify off), which is acceptable here because that leg only runs over the SSH tunnel on the loopback interface.


'''Configuration of the multimeter'''
In the configuration dialog, insert the parameters to access the SSH server. For example:
* SSH Host: '''mm-remote.company.com'''
* SSH Port: '''22'''
* SSH User: '''mmremote'''
* Listening HTTPS Port on SSH Host: '''55443'''
The settings have to match the configuration above. '''Every multimeter requires a separate HTTPS listening port.'''
Unless the '''SSH user''' is '''root''', '''no port below 1024''' is possible; an error message appears when trying to connect with such a port. Do not use root for this purpose: the multimeter holds the private key for that account, and the proxy option above provides port 443 without it.




<big>'''Allegro Remote Service'''</big>
The Allegro Remote Service is similar to the SSH Port Forwarding feature, but is an out-of-the-box solution.
The Allegro Remote Service is a transparent proxy which does not terminate the SSL connection. The certificate presented to your browser is the one configured on the multimeter (as with Option 1 of the SSH Port Forwarding configuration).
To use the Allegro Remote Service, set Enabled to On. It is also possible to restrict access by specifying the subnets which are allowed to access the multimeter; since the service makes the management interface reachable from outside your own network, this restriction is strongly recommended.


<big>''' SNMP'''</big>
If enabled, the Allegro Network Multimeter can be queried using SNMPv1.
The community used is “public”. SNMPv1 offers no authentication or encryption beyond this well-known community string, so expose it on the management network only.
The following attributes are supported:
* hostname (1.3.6.1.2.1.1.5, sysName)
* uptime (1.3.6.1.2.1.25.1.1, hrSystemUptime)
* interfaces (1.3.6.1.2.1.2, the interfaces group)


<big>''' User Management'''</big>
The user management page allows managing the users who can use the Allegro Network Multimeter.
It is possible to:
* Create new users
* Edit users
– Change password, assign roles
* Disable users
– Disabled users are not able to log in, but their settings are kept.
* Delete users
Notes:
* It is not possible to delete or disable the admin account.
* It is not possible to delete or disable the currently logged-in user.


<big>''' Roles'''</big>
The only role currently defined is the “admin” role.
Only users with the “admin” role can:
* start captures
* change system settings
* manage users
* use WebDAV


<big>''' LDAP users'''</big>
In the LDAP users tab, it is possible to define an LDAP or Active Directory source for user management.
The LDAP users are only an addition to the locally defined users.
Locally defined users take precedence over LDAP users.
The values required depend on the setup of the LDAP server.
The user filter requires a ‘%s’ as a placeholder for the username.
The group filter requires either ‘%s’ as a placeholder for the username, or any ‘${value}’ attribute of the user.
The special value ‘${DN}’ references the distinguished name of the user.
In the ‘Allegro MM users group’ and ‘Allegro MM admins group’ fields, a comma-separated list of the common names of the groups is given. If the user is in any of the groups, they are allowed to log in. If the user is in one of the admins groups, they are treated as an administrator.
Example for a simple LDAP setup involving only the username:
{| class="wikitable"
|-
| User filter : (uid=%s)
Group filter : (memberUid=%s)
Users group : allegro-mm-users
Admins group :  allegro-mm-admins
|}
Example for a more complex setup using the distinguished name of the user for filtering the groups and Active Directory-style user filtering. The user filter excludes trust accounts (sAMAccountType 805306370) and disabled accounts (userAccountControl bit 2, tested with the bitwise-AND matching rule 1.2.840.113556.1.4.803); the negations are written in the (!(…)) form required by RFC 4515:
{| class="wikitable"
|-
| User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Group filter : (&(member=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))
Users group : allegro-mm-users
Admins group : allegro-mm-admins
|}
For recursive group membership resolution (nested groups), the following group filter with the LDAP_MATCHING_RULE_IN_CHAIN rule 1.2.840.113556.1.4.1941 can be used for Active Directory:
{| class="wikitable"
|-
|Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))
|}
This recursive group filter might be slower, depending on the size of the directory.
Depending on the setup, it is also possible to filter groups by distinguished name:
{| class="wikitable"
|-
|Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(distinguishedName:=CN=allegro-mm-users,OU=Groups,DC=example,DC=com)(distinguishedName:=CN=allegro-mm-admins,OU=Groups,DC=example,DC=com)))
|}
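How the placeholders expand for a given login, as an added example written for this page; it is not the multimeter's implementation, which is not published here. It substitutes ‘%s’ and ‘${DN}’ into the two filters from the Active Directory example above and escapes the substituted value as RFC 4515 requires, so that a username or DN containing *, (, ) or \ cannot change the structure of the filter (LDAP filter injection). The sample username, the injection attempt and the DN are constructed.

```shell
# Added example (not the multimeter's own code): expand the %s and ${DN}
# placeholders of the user and group filters for a given login. Values are
# escaped per RFC 4515 before substitution so that filter metacharacters in a
# username or DN cannot alter the filter structure (LDAP filter injection).
ldap_escape() {
    # Backslash first, then the remaining metacharacters of RFC 4515.
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# expand_filter TEMPLATE PLACEHOLDER VALUE
# Replaces the first PLACEHOLDER in TEMPLATE with the escaped VALUE. Shell
# parameter expansion is used instead of sed so the backslashes survive intact.
expand_filter() {
    template="$1"; ph="$2"; value=$(ldap_escape "$3")
    case "$template" in
        *"$ph"*) printf '%s\n' "${template%%"$ph"*}${value}${template#*"$ph"}" ;;
        *)       printf '%s\n' "$template" ;;
    esac
}

# The two filters from the Active Directory example above.
user_filter='(&(sAMAccountName=%s)(objectCategory=person)(objectClass=user))'
group_filter='(&(member=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))'

# Constructed sample inputs: a normal login, an injection attempt, and a DN
# containing parentheses (which would break an unescaped filter).
expand_filter "$user_filter" '%s' 'alice'
expand_filter "$user_filter" '%s' '*)(sAMAccountName=*'
expand_filter "$group_filter" '${DN}' 'CN=Alice (Sales),OU=Users,DC=example,DC=com'
```

The second call shows why escaping matters: without it the username would turn the filter into (&(sAMAccountName=*)(sAMAccountName=*)…) and match every user; with it the value becomes the literal string \2a\29\28sAMAccountName=\2a, which matches nothing. The third call shows that a DN with parentheses stays a single assertion value.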


=='''Firmware update'''==
This sub-page allows uploading and activating a new firmware version.
When a new firmware version is available from Allegro Packets, upload the file by clicking the upload button and selecting the file from your hard disk.
The device verifies the file and gives positive or negative feedback. All available firmware versions are listed and can be activated by clicking the “Star” symbol on the right side of the page. Activating takes some time; when it is finished, a green info box appears.
You should reload the web site for changes to the web interface to take effect.
You can activate an older firmware version if there is a problem with a newer one. You may also delete old firmware versions from the device by clicking the trashcan symbol. Old or new firmware can be uploaded again at any later time.


==''' License upload'''==
The Allegro Network Multimeter comes with an installed license which may have some limitations according to the support contract details. A new license can be uploaded by clicking the upload button and selecting the file from your hard disk. A valid license takes immediate effect.
The system serial shown on this page needs to be sent to Allegro Packets in order to generate a new license if required.
In case of an invalid or expired license, the device stops analyzing traffic; instead it bypasses all packets in bridge mode so that the network connection keeps functioning.