Administration
The administration page allows the following actions:
Power
Reboot or power off the Allegro Network Multimeter.
After clicking either button, a confirmation dialog will appear. A reboot is rarely necessary and takes a significant amount of time. If packet processing needs to be restarted because some options cannot be changed at runtime, the next option is a better choice since it minimizes downtime.
Processing
Restart the Allegro Network Multimeter processing software. This will reset all measured statistics.
Choosing this option will stop packet processing, but the machine and its web interface are still available as the device itself is not rebooted. The packet processing core is restarted with the current settings and will begin processing packets after a few seconds.
Configuration
Clicking the Reset System Configuration button opens a dialog that allows resetting all settings, including the network configuration, to factory defaults, after which the system is restarted. As of version 3.4, the dialog allows keeping certain settings (management interface settings, users and passwords, disk and packet ring buffer cluster settings including optional random device-specific encryption keys) while resetting the rest of the system configuration to defaults.
The Export System Configuration button allows you to export the entire configuration of the Allegro Network Multimeter. A ZIP-compressed file can be downloaded and used for import.
The Import System Configuration button allows you to select several configuration items:
- Core settings: All global settings, module settings, incident settings, user defined names, virtual link groups, ingress (NIC) filter and IP groups, excluding management interface settings, multi-device settings, and user settings. Some core settings (network interfaces, virtual link groups, incidents and time synchronization) can also be retained during import. Simply uncheck the global core setting checkbox and check the child checkboxes for the settings to be imported and overwritten.
- Management interface settings: All settings of the management interface (e.g. Wi-Fi, LAN, hostname).
- Multi device settings: All settings on the configured remote devices.
- User and roles: All users and their passwords. The admin user cannot be changed and cannot be deleted by a configuration import.
- User settings: All user settings (such as search history or dashboard configuration).
It is possible to import the selected settings to all configured remote devices by selecting the last check box.
The button Save current system configuration on Multimeter will store the current configuration as a file on the device itself (in contrast to the export feature, which will download the file to the user's computer).
When saved configurations are available, any of them can be selected and loaded onto the system again. It is also possible to delete a saved configuration.
CORS Configuration
With version 4.1 the option to configure the "Cross-Origin Resource Sharing" (CORS) settings was introduced.
You can learn about CORS on the MDN Web docs[1].
Access Control
Since version 4.1 there is the option to limit access to the multimeter API, the web interface and some other services like the SFTP server to specific subnets.
If you enable the access control, you can specify the subnets from which people are allowed to access the multimeter.
If you want to allow access for clients in the subnet in which the multimeter is deployed, you can do so by ticking "Allow local access".
TLS/SSL certificate
The appliance comes with a pre-installed generic TLS certificate but a custom certificate can be uploaded, generated or downloaded from a Certificate Authority via ACME.
Modes
The following modes are supported:
- Legacy: The default certificates the appliance was shipped with will be used if the appliance was shipped with a firmware older than 3.6. You won't be able to switch back to this option and it will be hidden if it is not selected.
- ACME: The certificates will be downloaded from the specified Certificate Authority.
- Upload: You are able to upload an X.509 certificate file and an (unencrypted) key file in the .pem file format. Upon successful upload, this certificate will be used to serve the user interface. The .pem file should contain the full certificate chain needed to trust the certificate: if there is an intermediate CA, its certificate should also be in the file.
- Self-Signed: Generate self-signed certificates with a custom host name. They will be valid for 10 years and replace the legacy certificates for devices shipped with firmware version 3.6 or later.
The Default Mode is always the fall-back if the process does not work.
The Reset to default SSL certificate button will remove any user-provided SSL certificate and the user interface will be served using the default SSL certificate.
HSTS
With version 4.2 the option to enable HTTP Strict Transport Security (HSTS) for the multimeter was added. HSTS stops users from trying to access the multimeter via unencrypted HTTP or from ignoring invalid certificates for the multimeter.
If the administrator locked themselves out by enabling HSTS there are multiple options:
- If HSTS was already activated and the certificates were changed on purpose after that, they have to remove information about the site from their browser.
- If HSTS was already activated and the certificates were changed accidentally, they are able to connect to the multimeter via a private window or via the IP address.
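Why the IP address works as a recovery path, as an added example that is not part of the original documentation: under RFC 6797 a browser stores an HSTS policy only from a response received over HTTPS without certificate errors, and never for an IP-literal host. The function names, the host name multimeter.example.net used in testing and the sample header value are assumptions made for illustration.

```python
import ipaddress

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not (arg.isascii() and arg.isdigit()):
                return None  # duplicate or non-numeric max-age invalidates the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None  # max-age is the one required directive
    return {"max_age": max_age, "include_subdomains": include_sub}

def is_ip_literal(host):
    """True for IPv4 addresses and (optionally bracketed) IPv6 addresses."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def browser_stores_policy(host, scheme, cert_valid, header_value):
    """Would an RFC 6797 user agent note `host` as a Known HSTS Host?"""
    policy = parse_hsts(header_value or "")
    if policy is None or policy["max_age"] == 0:  # max-age=0 removes a stored policy
        return False
    if scheme != "https" or not cert_valid:  # ignored over HTTP or with TLS errors
        return False
    return not is_ip_literal(host)  # IP-literal hosts are never recorded

# Constructed sample header; the value the device actually sends may differ.
SAMPLE_HEADER = "max-age=31536000; includeSubDomains"
```
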
Certificate Authority
Some features also connect to external SSL services, for instance when sending email notifications via SMTP or when searching for firmware updates. Usually these SSL connections are verified with the built-in CA certificate pool. It is also possible to upload one or more custom CA certificates, which are used in addition to the system ones.
The button "Install SSL CA certificates" opens a dialog where the file can be selected and uploaded. This file must contain certificates in the PEM format. It may contain multiple certificates.
Before version 3.6, uploading new certificates replaces the existing ones. The button "Remove SSL CA certificates" will delete the previously installed custom CA certificates so that only the system CA pool is used again for certificate verification.
As of version 3.6, uploading a new certificate adds it to the existing ones. You can delete all of them by pressing the "Remove all CA certificates" button, and you can also remove individual certificates.
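A pre-upload check for the PEM files described under the Upload mode and under Certificate Authority, as an added example that is not part of the original documentation or of Allegro's own tooling. It inspects only the PEM framing (block labels, encryption markers, certificate count), not signatures or chain order; the function names and the sample data are constructed for illustration.

```python
import base64
import re

# One PEM block: label, then optional RFC 1421 headers and the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, headers, der_bytes) for every PEM block in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64, validate=True)))
    return blocks

def check_server_upload(cert_pem, key_pem):
    """Findings for a certificate/key pair intended for the Upload mode."""
    findings = []
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if not certs:
        findings.append("certificate file has no CERTIFICATE block")
    elif len(certs) == 1:
        findings.append("single certificate: append the intermediate CA if there is one")
    if len(keys) != 1:
        findings.append("key file must hold exactly one private key")
    for label, headers, _ in keys:
        if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
            findings.append("private key is encrypted; an unencrypted key is required")
    return findings

def check_ca_bundle(bundle_pem):
    """Return (certificate_count, findings) for a custom CA bundle."""
    blocks = pem_blocks(bundle_pem)
    findings = [f"unexpected {label} block in CA bundle"
                for label, _, _ in blocks if label != "CERTIFICATE"]
    return sum(label == "CERTIFICATE" for label, _, _ in blocks), findings

def sample_pem(label, der, headers=""):
    # Constructed placeholder data with valid PEM framing; not real certificates or keys.
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

LEAF = sample_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
INTERMEDIATE = sample_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
PLAIN_KEY = sample_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
LEGACY_ENCRYPTED_KEY = sample_pem("RSA PRIVATE KEY", b"\x01\x02\x03",
                                  "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

A private key showing up in a CA bundle is reported because a bundle of trust anchors never needs one.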
Time Settings
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Allegro Network Multimeter. The PTP service may be used if the management interface supports hardware time stamping. If a GNSS/GPS-capable extension card is available, GNSS/GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.
To enable a time service, switch to the desired type in the dropdown box. The time service field will show whether the selected service is running or not.
NTP - For active NTP time retrieval, you can specify and edit dedicated NTP servers the Allegro Network Multimeter should communicate with. If you do not specify an NTP server, a set of predefined NTP servers will be automatically selected.
NTP from data plane - For passive time retrieval, NTP from data plane can be used to synchronize the time passively from NTP packets within the traffic that is analyzed. The IP address of the desired NTP server must be set. As soon as an NTP server packet is seen, the system time of the Allegro Network Multimeter will be set. The wait period field can be used to set a time period during which subsequent updates are ignored. If set to 0, every time packet of that server will be used. NTP from data plane is ideal in situations where the Allegro Network Multimeter MGT interface cannot or may not actively connect to the network.
PTP - For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.
The following settings are possible for PTP and should match the settings of the PTP grandmaster:
- Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is Auto.
- Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is UDPv4.
- Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.
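To compare the grandmaster clock identity shown for PTP against the MAC address of the clock you expect, the embedded EUI-48 can be extracted as below. This is an added example, not part of the original documentation; it assumes the identity was formed by inserting the octets FF:FE between the two halves of the MAC address, and the function names and sample values are constructed.

```python
import re

def grandmaster_mac(clock_identity):
    """Return the EUI-48 MAC embedded in a PTP clock identity.

    Accepts forms such as "001b21.fffe.aabbcc" or "00:1B:21:FF:FE:AA:BB:CC".
    Returns None when the middle octets are not FF:FE, i.e. the identity
    was not derived from a MAC address by the assumed mapping.
    """
    hex_digits = re.sub(r"[.:\-\s]", "", clock_identity).lower()
    if not re.fullmatch(r"[0-9a-f]{16}", hex_digits):
        raise ValueError("clock identity must consist of exactly 8 octets")
    octets = [hex_digits[i:i + 2] for i in range(0, 16, 2)]
    if octets[3:5] != ["ff", "fe"]:
        return None
    return ":".join(octets[:3] + octets[5:])

def is_expected_grandmaster(clock_identity, expected_macs):
    """True if the identity maps to one of the MAC addresses you expect."""
    mac = grandmaster_mac(clock_identity)
    normalized = {m.lower().replace("-", ":") for m in expected_macs}
    return mac is not None and mac in normalized

# Constructed sample values, not taken from a real device.
SAMPLE_IDENTITY = "001b21.fffe.aabbcc"
EXPECTED_MACS = ["00-1B-21-AA-BB-CC"]
```
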
GNSS/GPS - The GNSS/GPS time synchronization option will become available when a GNSS/GPS-capable extension card is installed in the Allegro Network Multimeter.
If no time synchronization mechanism is selected the date and time of the device can be manually configured by entering a properly formatted date and time description. Below the time synchronization settings, the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone.
When a nanosecond-resolution capture card with support for PPS synchronization is installed, the toggle Enable PPS synchronization can be used to enable this type of synchronization. It is only shown when the time service chosen is not GPS, as those two modes cannot be used simultaneously. The time offset in nanoseconds is also configurable, which allows compensating for the PPS connection cable length. This feature should only be enabled once it has been verified that a proper PPS signal is provided to the network adapter. Otherwise the packet timestamps may be incorrect.
To make any of the above changes take effect, click on the Save settings button at the bottom of the page. To reload the stored settings, click on Reload settings.
Changes of the system time and packet timestamping
The packet processing uses a monotonically increasing time for software packet timestamping and statistics calculation (see Hardware packet timestamping in Global settings for information about packet timestamps on interfaces with hardware packet timestamping enabled). If the clock for some reason jumps forward in time (e.g. when changing the time synchronization method or manually changing the time), the same will happen with the statistics and the packet timestamps, and there may be a gap in the statistics. If the system clock jumps backwards in time, the packet processing cannot jump back. In this case a warning "problematic change of system time detected (core restart recommended)" is displayed. While the packet processing time is ahead of the system clock, the packet processing time will run at a speed of 75% of real-time so that the system clock will eventually catch up. This can, for example, lead to statistics that show higher traffic bandwidth than there actually is. A restart of the packet processing is always recommended in this case.
Email notification
Certain modules support the sending of email notifications. The following settings are used to globally configure the SMTP server used and the target email address that will receive the notifications:
- Enable email notifications: globally enables or disables the sending of email notifications.
- SMTP server address: the address of the SMTP server that will be used to send notification emails.
- SMTP server port: the TCP port on which the SMTP server is listening.
- SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or uses STARTTLS, this setting must be set to Off.
- Ignore certificate errors: if the SSL certificate should not be validated, e.g. because it is a self-signed certificate, this setting can be used to turn off certificate validation.
- Allow unencrypted connections: if an unencrypted connection must be allowed, e.g. because a legacy SMTP server does not support encryption, this setting can be used.
- Username: the username used to log in to the SMTP server.
- Password: the password used to log in to the SMTP server.
- From email address: the email address from which incident notifications will be sent.
- Target email address: the email address to which incident notifications will be sent.
- Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the address by which it is visible to the email recipient, this setting can be used to set the correct URL prefix for links sent with the notification emails.
- Send periodic system status mail: if set to hourly or daily, a periodic system status report email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbours if the management LLDP feature is enabled.
The Send test email button can be used to verify that the entered settings are working.
