Sightline TMS 90 Advanced-Configuration-Guide 2018-10-16

Sightline and Threat Mitigation System
Advanced Configuration Guide
Version 9.0
Legal Notice
The information contained within this document is subject to change without notice. Arbor Networks,
Inc. makes no warranty of any kind with regard to this material, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be
liable for errors contained herein or for any direct or indirect, incidental, special, or consequential
damages in connection with the furnishings, performance, or use of this material.
© 1999-2018 Arbor Networks, Inc. All rights reserved. Proprietary and Confidential Information of Arbor
Networks, Inc.
Document Number: SP_TMS-ACG-90-2018/10
16 October, 2018
Contents
Preface
How to use Sightline and Threat Mitigation System (TMS) Documentation 8
Conventions Used in this Guide 9
Contacting the Arbor Technical Assistance Center 11
Using the Command Line Interface (CLI)

Connecting the Serial Cable for CLI Setup 14
Using CLI Commands 16
Part I Sightline and TMS (TMS) Deployment

Chapter 1 Configuring Your Sightline Deployment 23
Ports Used by Sightline 24
Auto-discovering Your Local Address Space 28
Adding a Whois Resolution Server 30
Configuring DNS Servers 31
Configuring NTP Servers 34
Setting the AIF Server Address 37
Importing AIF Signatures 38
Automatically Configuring a TMS Model for the Management Network 39
Add New TMS Models to the Appliance List without Upgrading Sightline 44
Replacing a Sightline Appliance with an RMA Replacement 46
Replacing a TMS Appliance with an RMA Replacement 49
Chapter 2 Securing Your Sightline Appliances 55
Securing Your Arbor Networks Appliances 56
Physical Security for Sightline 61
Adding and Editing an Acknowledgment Question 62
Configuring Advanced Password Requirements 63
Resetting a Sightline Administrator Password 64
Configuring Advanced SSH Settings 67
Chapter 3 Configuring Sightline Appliances 69
Installing and Refreshing a Cloud-based Flexible License in the CLI 70
Adding Managed-Object Homing to an Appliance That Has the Data Storage Role 72
Overriding the Default FPS Limit for Flow on a Sightline Appliance 73
Teeing NetFlow 75
Disabling Access to the Shell 77
Configuring Settings for Capturing Raw Flows 78
Resetting the Alert Database 82
Changing the Size of the BGP Shared Memory 83
Chapter 4 Configuring TMS Models 85
Enabling and Disabling Promiscuous Mode on a Physical Interface of a TMS Appliance 86
Enabling and Disabling the Performance Alert for a TMS Model 87
Assigning a TMS Appliance to a Different Sightline Leader 89
Pinging a Nexthop from a TMS Appliance 90
Running a Traceroute Command from a TMS Port 93
Sightline and TMS Advanced Configuration Guide, Version 9.0 3

Sightline and TMS Advanced Configuration Guide, Version 9.0
Viewing the BGP Status of a TMS Appliance 96

Viewing the APM Slot Status on Chassis-based TMS Appliances 97
Viewing and Clearing Interface Counters on TMS Appliances 99
Viewing SFP Module Information on TMS 2300 Series Appliances 100
Chapter 5 Configuring Settings for Routers and Interfaces 105
Configuring Sightline to Monitor Routers with BGP 106
Configuring the Local BGP Router ID on Sightline Appliances 108
Enabling the Detection of Traffic on a Router Based on SNMP Polling 109
Disabling SNMP Polling for a Router 110
Configuring IPv4 Aliases and Netmasks for Sightline Appliance Network Interfaces 111
Disabling Sampling on Router Interfaces 112
Manually Running Router Auto-Configuration 113
Configuring Loopback Interfaces 114
Configuring the BGP Interface on a TMS Appliance 117
Configuring Multiple VLAN Subinterfaces on a TMS Appliance 118
File Format for the / services sp data bgp dump <router> Command 121
Chapter 6 Upgrading Sightline and TMS Software 123
Upgrading the Software and Installing Maintenance Releases on a Sightline Appliance 124
About Upgrading Software and Installing Maintenance Releases on TMS Appliances 132
Upgrading the Software and Installing Maintenance Releases on TMS Appliances 135
Manually Upgrading the TMS Firmware on a Chassis-based TMS Appliance 140
Adding Software Updates to the Appliances in Your Deployment 141
Chapter 7 Reinstalling Sightline and TMS Software 145
Reinstalling Sightline Appliance Software 146
Reinstalling TMS Software on a Chassis-based TMS Appliance 155
Restoring TMS Software from Flash on a Chassis-based TMS Appliance 161
Part II System Administration

Chapter 8 Configuring the User Interface 165
The XML Menu Schema 166
Enabling the Subscriber Feature 170
Restoring the Default Login Page 171
Overriding the Number of Configuration Changes Shown on the Interface Configuration
History Page 172
Changing How Sightline Sorts Alerts by Importance 173
Changing the Graph View on DoS Alert Listing Pages 174
Changing the Search Result Settings on the Alerts and Mitigation Pages 175
Configuring Prefix Aggregation of IP Addresses for DoS Alerts 177
Chapter 9 Configuring User Account and User Group Settings 179
Hiding Non-Local User Data on the User Account Login Records Page 180
How Sightline Header-Based Single Sign-On Works 181
Configuring Header-Based Single Sign-On 183
Changing the Default RADIUS/TACACS+ User Group 185
Chapter 10 Configuring DoS Detection Settings 187
Combining Duplicate Sets of Shared Host Detection Settings 188
Converting Managed Objects and Services to Use Custom Sets of Host Detection Settings 190
Disabling and Enabling Host Detection Misuse Types 191
Resetting DoS Evaluation Baselines 193
Disabling and Enabling Auto-detection of VPN Sites 194
4 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

Chapter 11 Configuring Mitigation Settings 195
Changing the Default Traffic-Triggered Auto-Mitigation Settings 196
Configuring the Mitigation Return Time Interval 197
Configuring the Sample Packet Recording Settings 198
Disabling the Whitelisting of Hosts with the SSL Negotiation Countermeasure 199
Enabling Blocked-Host Logging on TMS Appliances 200
Rate Limiting Layer 2 and Layer 3 Conversion Charts 201
Using 6PE to Divert and Mitigate IPv6 Traffic 203
Configuring Custom Blackhole Nexthop Templates 207
Chapter 12 Configuring Reports 209
Disabling and Enabling Transit Traffic and Transit Research Reporting 210
Overriding the Default Number of Items Listed in a Report Data Table 212
Chapter 13 Monitoring the System 213
Configuring Alert Management Software 214
Enabling and Disabling System Alert Notifications 218
Sightline Syslog Output Format BNF 221
Configuring Syslog to Send the Sightline Appliance Log Messages to a Remote Host 229
Configuring Syslog to Send the TMS Appliance Log Messages to a Remote Host 231
Configuring Limits for Appliance Metrics 232
Chapter 14 System Maintenance 237
Viewing Available Disk Space 238
About High Availability Configuration 239
Configuring Scheduled Backups of Individual Appliances 242
Manually Switching to the Backup Leader Appliance 244
Recovering After a Failover 245
Setting a Timestamp Suffix 247
Appendixes
Appendix A Configuring Flowspec Routers for Traffic Mitigation 253
Configuring a Juniper Router to Mitigate Traffic 254
Testing Flow Specification Mitigation 256
Appendix A Configuring Flow and SNMP on Routers 259
About Configuring Flow Sources 260
Configuring Cisco IOS Routers to Send NetFlow to Sightline 261
Configuring Juniper Routers to Send Flow Monitoring to Sightline 265
Configuring Foundry, Alaxala, and Force10 Devices to Send sFlow to Sightline 271
Configuring Alcatel 7750 Routers to Send cFlowd Data to Sightline 277
Configuring SNMP on the Alcatel 7750 Router 280
Supported SNMP Polling with Alcatel 7750 Router 281
Configuring Routers to Send SNMP Information to Sightline 282
Glossary 287
Index 297
Arbor Networks, Inc. License, Cloud, and Managed Service Agreement 303
Proprietary and Confidential Information of NETSCOUT Systems, Inc. 5


Preface
Introduction
The Sightline and Threat Mitigation System Advanced Configuration Guide includes
instructions for re-installation, upgrading, and additional optional configurations for your
Sightline™ and Threat Mitigation System (TMS) appliances. The commands documented in
the Advanced Configuration Guide do not apply to TMS-ISAs. This guide supports the 9.0
release for all Sightline and TMS appliances.
Audience
This information is intended for network security system administrators (or network
operators) who are responsible for configuring and managing Sightline on their networks.
Administrators should have fundamental knowledge of their network security policies and
network configuration.
In this section
This section contains the following topics:
How to use Sightline and Threat Mitigation System (TMS) Documentation 8

Conventions Used in this Guide 9
Contacting the Arbor Technical Assistance Center 11

How to use Sightline and Threat Mitigation System (TMS)

Documentation
Using this guide
The Sightline and Threat Mitigation System Advanced Configuration Guide provides
instructions and information about using the Sightline CLI. It also provides instructions for
advanced features, including upgrading software, reinstalling software, installing
maintenance releases, and integrating with third-party devices.
Additional Sightline and TMS documentation

See the following documentation for more information about Sightline and TMS
appliances and this version of the software:
Additional documentation
Available Documentation Contents

Sightline and Threat Mitigation Instructions and requirements for the initial
System Quick Start Cards installation and configuration of Sightline and TMS
appliances.
Sightline and Threat Mitigation Instructions and information that explain how to
System User Guide configure and use Sightline and TMS appliances and
software using the Sightline web user interface (UI).
Sightline and Threat Mitigation Online help topics from the User Guide and
System Help Advanced Configuration Guide. The Help is context-
sensitive to the Sightline web UI page from which it is
accessed.
Sightline and Threat Mitigation Instructions and information for the managed
System Managed Services services customers who use the Sightline 9.0 web
Customer Guide user interface.
Sightline and Threat Mitigation Instructions for remotely accessing Sightline and
System API Guide TMS using the REST, SOAP, and Arbor Web Services
APIs.
Sightline REST API Online help topics about the Sightline

Documentation REST API endpoints. To open the help, select
Administration > REST API Documentation.
(information) Information about a report or a particular feature of

the Sightline web user interface (UI). This
information appears when you hover your mouse
pointer over the icon.

Preface
Conventions Used in this Guide

This guide uses typographic conventions to make the information in procedures,
commands, and expressions easier to recognize.
Conventions for procedures

The following conventions represent the elements that you select, press, and type as you
follow procedures.
Typographic conventions for procedures
Convention Description Examples

Italics A label that identifies an area On the Summary page, view the
on the graphical user Active Alerts section.
interface.
Bold An element on the graphical Type the computer’s address in

user interface that you click or the IP Address box.
interact with. Select the Print check box, and
then click OK.
SMALL CAPS A key on the keyboard. Press ENTER.

To interrupt long outputs, press
CTRL + C.
Monospaced A file name, folder name, or Navigate to the

path name. C:\Users\Default\Favorites
Also represents computer folder.
output. Expand the Addresses folder,
and then open the readme.txt
file.
Monospaced Information that you must Type https:// followed by the IP

bold type exactly as shown. address.
Monospaced A file name, folder name, path Type the server's IP address or
italics name, or other information hostname.
that you must supply.
> A navigation path or sequence Select Mitigation > Threat

of commands. Management.
Navigate to the Alerts Ongoing
page (Alerts > Ongoing ).

Conventions for commands and expressions

The following conventions show the syntax of commands and expressions. Do not type
the brackets, braces, or vertical bar in commands or expressions.
Typographic conventions for commands and expressions
Convention Description
Monospaced bold Information that you must type exactly as shown.
Monospaced A variable for which you must supply a value.

italics
{ } (braces) A set of choices for options or variables, one of which is required.

For example: {option1 | option2}.
[ ] (square brackets) A set of choices for options or variables, any of which is optional.
For example: [variable1 | variable2].
| (vertical bar) Separates the mutually exclusive options or variables.

Preface
Contacting the Arbor Technical Assistance Center

The Arbor Technical Assistance Center is your primary point of contact for all service and
technical assistance issues that involve Arbor products.
Contact methods
You can contact the Arbor Technical Assistance Center as follows:
n Phone US toll free — +1 877 272 6721
n Phone worldwide — +1 781 362 4301
n Support portal — https://support.arbornetworks.com
Submitting documentation comments

If you have comments about the documentation, you can forward them to the Arbor
Technical Assistance Center. Please include the following information:
n Title of the guide
n Document number (listed on the reverse side of the title page)

n Page number
Example
SP_TMS-ACG-90-2018/10
Sightline and TMS Advanced Configuration Guide
Page 9


This section provides instructions for connecting to and using the Command Line
Interface (CLI). You can use the CLI to manually reinstall a appliance or to configure
advanced settings.
In this section
Connecting the Serial Cable for CLI Setup 14

Using CLI Commands 16

Connecting the Serial Cable for CLI Setup

To access an appliance’s CLI, you need to connect using the console, virtual console, or
SSH.
Using the correct serial cable

To use the serial console, you must connect the appliance to the console with a null
modem (RJ-45) cable. This type of cable is not included in your appliance packages.
About terminal emulation

If you are configuring an appliance for the first time or reinstalling the Sightline software
on an appliance, you can either connect directly to the appliance or establish a connection
to the appliance using a compatible terminal emulator, such as Hyperterminal.
Setting up terminal emulation with Hyperterminal

To set up terminal emulation using Hyperterminal, and connect to the appliance:
1. In the Hyperterminal application, go to File > Properties > Settings.
2. Select Emulation=AutoDetect, and then click OK.
For more information, go to https://www.hilgraeve.com/hyperterminal/.
Connecting a Sightline or TMS appliance to the console

To connect an Sightline or TMS appliance to a computer:
1. Connect the serial console cable to the TMS appliance. The serial connector type and
location depends on the TMS appliance.
l For chassis-based TMS appliances: Connect the serial console cable to the
Management Serial Port connector on the front of the MCM blade. The following
table shows the serial connector label and type for each MCM model:
MCM Model Serial Connector Label Serial Connector Type
MCM-1 CONSOLE DB-9F
MCM-2 CONSOLE DB-9F micro-D
MCM-C SER RJ45F
Note
On all MCM models, the Management Serial Port uses Cisco pinouts.
Note
Chassis-based TMS appliances include the TMS 4000 and the TMS 5000.
l For all other appliances: Plug one end of the serial cable into the serial port on
the back of the appliance.
2. Plug the other end of the serial cable into the serial port on your computer or laptop.
3. Connect the power cables for your appliance.
4. Turn on the appliance, and then start your computer.

5. Use a terminal emulation program, such as Hyperterminal, to create a connection to

the appliance with the following settings:
Setting Value Appliance

n All Sightline appliances (except as
noted)
n TMS 2300
9600 n TMS 2800
n TMS 4000 with MCM-1 or MCM-C
Baud rate
n TMS 5000 with MCM-C
n TMS HD1000 appliances
n Sightline Insight 8000 appliances

115200
n TMS 4000 with MCM-2
Data bits 8 All
Parity None All
Stop bits 1 All
Flow control None All
Communications Typically COM1, but All

Port this depends on the
computer you are
using.
6. To connect to the network, connect an Ethernet cable between the appliance’s

management port (for example, mgt0 or mgt1) and the network you will use to
manage it.
Default username and password

When you log in to an appliance for the first time, you can use the default user name and
password. The default user name is admin. The default password is arbor.
Logging in
To log in to the appliance:
1. Turn on the appliance.
2. Start your terminal emulator.
3. At the login prompt, enter your user_name
4. Enter your password

Using CLI Commands

Each Sightline appliance has a CLI, and you can use the leader’s CLI to configure the
system. The CLI uses a standard command line command hierarchy that allows you to
enter commands and navigate through the directories. Use the following procedures to
start Sightline, navigate through the menus, and access Help.
Exceptions to documented commands

You can use the commands described in this topic on all Sightline and TMS appliances;
however, the commands in this guide do not apply to TMS-ISAs.
Logging in to the CLI of an appliance

To log in to an Sightline appliance’s CLI using the console or virtual console:
1. Do one of the following:
l If you do not have a CD-ROM drive, turn on the appliance.
l If you have a CD-ROM drive, insert the Sightline CD, and then turn on the appliance.
2. (Optional) Press any key when the “Press any key to continue” message appears.
Sightline runs its initial system diagnostics and displays boot-loading messages and
then the boot directory after it loads.
3. Select one of the following options:
l disk to boot from hard disk
l cdrom to boot from CD or on-board flash to boot from internal flash
l (re)install to boot from CD and run the installation setup
Caution
If you choose to reinstall, Sightline writes over the current configuration.
Note
If you do not press a key within five seconds, the system attempts to boot
automatically, first from the disk and then from the CD or the internal flash.
4. After the login: prompt appears, enter admin
5. Enter arbor as the default password.
Important
You should change your password for security purposes.

Edit and disabled modes

The command shell runs in one of the following operating modes:
Command shell operating modes
Command
Mode Description Prompt
Edit Allows all configuration changes. The system starts in Hash mark (#)
edit mode automatically when an administrator logs in
to Sightline; they do not need to access a password to
access Edit mode.
Disabled Allows read-only access and minimal configuration Greater than sign
changes. Users without administrative privileges must (>)
enter edit mode to make configuration changes.
Switching to edit mode

Non-administrative users must switch to edit mode to make configuration changes.
To switch to edit mode:

n At the login prompt, enter edit
The command prompt changes from > to # to indicate Edit mode.
About the CLI command hierarchy

After you log in to Sightline, the system displays the banner and the command prompt.
Commands are arranged in a hierarchical manner, similar to a file system. The root
directory is also known as / (slash). You can enter a “/” at any prompt to return to the root
directory. Entering .. (dot-dot) navigates you up one level in the command hierarchy.
Example: Navigating the menu hierarchy

The following example shows how to navigate the menu hierarchy:
admin@mariner2.sea:/# system files
admin@mariner2.sea:/system/files# ..
admin@mariner2.sea:/system# ..
admin@mariner2.sea:/# ip
admin@mariner2.sea:/ip# interfaces
admin@mariner2.sea:/ip/interfaces# /
admin@mariner2.sea:/#

Command types
The following are the types of commands:
Command type descriptions
Command Type Description

Sub commands Specific to the current directory.
Global Available anywhere in the command hierarchy.
About entering commands

You are only required to enter the first few letters of a command (for example, sy is a
synonym for system ), but all commands are case sensitive. You can also group multiple
commands into a single, compound command.
Example: Entering singular or compound commands

The following example shows how you can enter singular or compound commands to
navigate to the banner directory:
admin@mariner2.sea:/# system
admin@mariner2.sea:/system# banner
Banner:
Welcome to Sightline
admin@mariner2.sea:/system# ..
admin@mariner2.sea:/# system banner
Banner:
Welcome to Sightline
admin@mariner2.sea:/#
Entering lists of arguments

If Sightline prompts you to enter a list of arguments, enclose the list in quotation marks
and separate the arguments with commas.
Using Help
The following are the types of Help commands:
Help command descriptions
Command Description
help Shows a list of the available choices within a directory.
help global Shows a list of commands available from all directories.
? Shows a list of the available choices within a directory.

Example: Help commands

The following is an example of using the different types of Help commands:
admin@mariner2.sea:/# help
ip/ IP and network configuration
services/ System services
system/ System configuration
admin@mariner2.sea:/# help global
cd Change directory
clock Show or set the system clock
config Configuration management
edit enter configuration mode
exit Exit
help Help
ping Ping a network host
ping6Ping a network host (IPv6)
reload Reload the system
shutdown Shutdown the system
traceroute Trace route to a network host
traceroute6 Trace route to a network host (IPv6)
users Show user login summary
admin@mariner2.sea:/# clock ?
set Set the system clock
<cr>
admin@mariner2.sea:/# clock set ?
[[[[[[cc]yy]mm]dd]HH]MM[.SS]]
admin@mariner2.sea:/# clock set 201006261445.30
Viewing the current configuration

To view the current configuration:
n Enter config view
Note
You can view the configuration from anywhere in the CLI.
Viewing the status of the current directory

To view the status of the current directory:
n Enter show
Note
You can view the system status from most directories within the CLI. The results you see
represent the state of what the current directory is used to configure.
Saving the configuration

It is important to save the configuration whenever you make changes. Saving the

configuration ensures that the current changes take effect immediately and preserves the
configuration if the system is rebooted.
To save the configuration:

n Enter config write
Note
This is a global command, so you can enter it from any directory within the CLI.

Part I
Sightline and TMS (TMS) Deployment

Chapter 1
Configuring Your Sightline Deployment
This section describes how to configure your Sightline deployment.
In this section
Ports Used by Sightline 24

Auto-discovering Your Local Address Space 28
Adding a Whois Resolution Server 30
Configuring DNS Servers 31
Configuring NTP Servers 34
Setting the AIF Server Address 37
Importing AIF Signatures 38
Automatically Configuring a TMS Model for the Management Network 39
Add New TMS Models to the Appliance List without Upgrading Sightline 44
Replacing a Sightline Appliance with an RMA Replacement 46
Replacing a TMS Appliance with an RMA Replacement 49

Ports Used by Sightline

Sightline uses specific ports for each of the services it utilizes.
Firewall port configuration

If you have firewalls and other access control lists, you must open the ports on the firewall
to ensure that your appliances can forward and receive data.
Ports required for correct deployment operation

The following table lists the ports that Sightline uses and that are required for a
deployment to operate correctly. When the following terms appear in this table, they refer
to appliance roles with flexible licensing and to appliance types with appliance-based
licensing:
n data storage
n traffic and routing analysis

n user interface
References in this table to the FS appliance (Flow Sensor) only apply to appliance-based
licensing.
Ports required for correct deployment operation
Service Ports Required Protocol Direction

ArborFlow 31373 UDP n FS appliance to traffic and routing analysis
n FS appliance to data storage
n traffic and routing analysis to data storage
ArborFlow (if 5000 (default) UDP n TMS appliance to traffic and routing analysis
ArborFlow from
TMS is enabled)
BGP 179 TCP n traffic and routing analysis to router

n user interface to router
n FS appliance to router
n Router to traffic and routing analysis
n Router to user interface
n Router to FS appliance
n Router to TMS appliance
DNS 53 UDP n Sightline appliance query to DNS server

n DNS server response to Sightline appliance
Flow (netflow) 2055 UDP n Router to traffic and routing analysis

(configurable) n Router to FS appliance
By default, traffic and routing analysis or FS

appliances watch all UDP ports for netflow packets
from configured routers.

Chapter 1 Configuring Your Sightline Deployment
Ports required for correct deployment operation (Continued)
Service Ports Required Protocol Direction

HTTPS 443 TCP n Sightline non-leader appliance(s) to Sightline
leader appliance
n Sightline leader appliance to Sightline non-
leader appliance(s)
n TMS appliance to managing appliance
n Managing appliance to TMS appliance
SNMP polling of 161 UDP n Traffic and routing analysis query to router
routers n FS appliance query to router
n Router response to appliance
Sightline user 443 TCP n User workstation to Sightline leader or user

interface (HTTPS) interface
Sightline user 443 TCP n Web proxy to Sightline leader or user interface
interface with
single-sign-on
(HTTPS)
SSL 40000-40030 TCP n Any appliance to any appliance (excluding TMS)

(configurable)
Note
Some of these ports may not be applicable to your deployment.
Optional ports
The following ports are optional and only need to be enabled if you are using the
corresponding service:
Optional ports for other services
Service Ports Protocol Direction

Cloud-based flexible 443 TCP n Leader to license server
licensing n License server response to leader
Cloud Signaling 443 TCP n AED to leader appliance

handshake (HTTPS) n Leader appliance response to AED
Cloud Signaling 7550 UDP n AED to leader appliance

heartbeat n Leader appliance response to AED
Note
PAT (Port Address Translation) cannot be used if
the AED is behind a NATing firewall.
FTP 20-21 TCP n Sightline appliance query to FTP server

n FTP server response to Sightline appliance

Optional ports for other services (Continued)
Service Ports Protocol Direction

HTTP 80 TCP n Sightline appliance to HTTP server
n HTTP server response to Sightline appliance
NTP 123 UDP n Sightline appliance request to NTP server

n NTP server response to Sightline appliance
ping echorequest, ICMP n Sightline appliance request to remote device

echoreply n Remote device response to Sightline appliance
RADIUS 1812 UDP n Sightline appliance query to RADIUS server

Authentication n RADIUS server response to Sightline appliance
RADIUS Accounting 1813 UDP n Sightline appliance query to RADIUS server

n RADIUS server response to Sightline appliance
SMTP 25 TCP n Leader appliance delivery to SMTP server

n SMTP server response to leader appliance
SNMP polling of 161 UDP n User polling equipment query to Sightline

appliances appliance
n Sightline appliance response user polling
equipment
SNMP trap 162 UDP n Leader appliance message to SNMP trap collector
SSH 22 TCP n Workstation to Sightline appliance

n Sightline appliance response to workstation
Note
Backup uses SSH
Syslog 514 UDP n Sightline appliance message to Syslog server
TACACS+ 49 TCP n Sightline appliance query to TACACS+ server

n TACACS+ server response to Sightline appliance
Whois 43 TCP n Leader appliance, user interface, and backup user

interface query to Whois server
n Whois server response to appliance
ATLAS services ports

All ATLAS services require you to open access to hosts outside of your network. These
hosts live across the internet and leverage modern content delivery networks and web
services. Because each of these services use DNS to find the IP address of the ATLAS
service, the IP addresses may change as the service is scaled or enhanced to support new
features and customers. This means that the Sightline can be redirected to various servers
via a secure handshake to deliver content from Arbor to the deployment.
Arbor makes the following recommendations concerning accessing ATLAS services:

n You should rely upon a web proxy server to handle communications to and from the
deployment and ATLAS services.
A web proxy server helps keep Sightline from making direct calls out to the internet yet
lets Sightline communicate with ATLAS services where needed. Direct connectivity from
an Sightline device to the ATLAS services is also supported.
n You should allow your proxy server to talk to the internet only on port 443 for calls from
the Sightline device.
n You should rely upon DNS to provide service resolution of name to IP address to
ensure availability for requests.
If an ATLAS service cannot connect to the service address, you may need to check the
current DNS results for the addresses listed in the following table and update your
firewall rules.
n You should make sure your Arbor Sightline client certificate is not expired as it is
required to protect the internet communication between the Sightline device and the
ATLAS services.
Note
If you are faced with security constraints that limit your ability to follow the preceding
recommendations, please open a case with the Arbor Technical Assistance Center (ATAC)
for further review:
n Web: https://support.arbornetworks.com via the ATAC Customer Support Portal
n Telephone: +1.877.272.6721 toll free USA or +1.781.362.4301
The following table lists the ATLAS services:
ATLAS services ports
Service Address (DNS) Port Protocol Direction

AIF (FCAP signatures) rfl.arbor.net 443 HTTPS/TCP Leader to feed
server(s)
AIF (DDoS regular aif.arbor.net 443 HTTPS/TCP Leader to feed

expressions) server(s)
ArbUpdate (software update.arbor.net 443 HTTPS/TCP Leader to

updates) update server
ATLAS Visibility atlas-visibility.arbor.net 443 HTTPS/TCP Leader to

(formerly Internet ATLAS servers
Trends)
HTTP proxy (If you your HTTP proxy server 1080 TCP Leader to the
configure a proxy to (configurable) proxy server
reach out to ATLAS
services or the internet)

Auto-discovering Your Local Address Space

You can configure the Sightline system to automatically discover the local address space
and add it to the local address space definition of your network. After the system queries
the information, it prompts you to append any already configured address space with the
automatically discovered CIDR prefixes.
For information on customizing the IRR server used to autodiscover your address space,
see “Changing the Internet Routing Registry server” below.
Auto-discovering and appending your local address space

To automatically discover your local address space and append that space to the currently
defined blocks you have:
1. Log in to the Sightline leader appliance’s CLI using the administrator user name and
password.
2. Enter / services sp model address_space auto
3. Enter y
4. Enter config write
Example: auto-discovering local address space

The following example shows how to auto-discover local address space for the mariner1
appliance and append that space:
admin@mariner1:/# / services sp model address_space auto
Sending query for AS 100 to 198.108.0.18:43...
Netblocks for AS 100:
12.29.38.0/24 209.184.44.0/24 216.61.250.0/24
Append to local address space list? [n] y
admin@mariner1:/# config write
Changing the Internet Routing Registry server

Many service providers run an Internet Routing Registry (IRR) server to maintain and
advertise routing policies. Sightline can use IRR data to auto-discover address space for a
network. The system comes with a default IRR server defined.
Note
Sightline only supports querying servers that respond to RIPE argument syntax as
described at http://www.radb.net/tutorials/query2.php.
To change the IRR server:

password.
2. Enter / services sp auto-config irr ip_address setIP_address

Example: changing the Internet Routing Registry server

The following example shows how to set the IRR server to IP address 10.0.1.100:
admin@mariner1:/# / services sp auto-config irr ip_address set 10.0.1.100

Adding a Whois Resolution Server

If you plan to use the peering evaluation tool in Sightline, you can add a Whois server to
identify peers.
For more information about peering evaluation, see “Using the Peering Evaluation Tool” in
the Sightline and Threat Mitigation System User Guide .
Adding a Whois resolution server

To add a Whois resolution server:
password.
2. Enter / services sp preferences whois add {IP_address | hostname}
{IP_address | hostname} = Enter the IP address or hostname of the Whois
server that you want to add.
Example
The following example shows how to add a Whois server with the IP address 10.1.2.3:
admin@mariner1:/# services sp preferences whois
admin@mariner1:/services/sp/preferences/whois/# show
Whois servers:
User configured:
Default: whois.arin.net whois.ripe.net whois.apnic.net
admin@mariner1:/services/sp/preferences/whois/# add 10.1.2.3
admin@mariner1:/services/sp/preferences/whois/# config write

Configuring DNS Servers

You can use the CLI to configure DNS servers in your Sightline deployment:
n View information about the DNS servers
You can view the status of DNS services and whether a DNS server is in a local or global
configuration.
n Add DNS servers to a local or global configuration
See “Local and global configuration guidelines for DNS servers” below.
n Delete a DNS server from a local or global configuration
n Import DNS hosts files
You can also add DNS servers to a global configuration on the Configure Network Services
page (Administration > System Maintenance > Network Services ) of your
Sightline leader appliance.
For information about configuring global DNS servers on the Configure Network Services
page, see “Configuring Network Services” in the Sightline and Threat Mitigation System
User Guide .
Local and global configuration guidelines for DNS servers

Use the following guidelines to decide whether to add an DNS server to a local or global
configuration:
n If you want all appliances to use a DNS server, use a global configuration.
n If you want individual appliances to use different DNS servers, use a local configuration.
The following are some additional guidelines for adding a DNS server to a local or global
configuration:
n If you add a DNS server to a local configuration, you can then add the DNS server to a
global configuration on that appliance without first deleting the local configuration. If
you then delete the DNS server from the global configuration, the local configuration is
restored.
n If a DNS server has been added to a global configuration, then you cannot add the DNS
server to a local configuration.
Note
When you add a DNS server to a global configuration or delete a DNS server from a
global configuration, the global servers do not get added or deleted until you commit the
configuration changes. However, when you add a DNS server to a local configuration or
delete a DNS server from a local configuration, the change takes place immediately.
Displaying information about the DNS servers

To display information about the DNS servers:
1. Log in to an appliance’s CLI using the administrator user name and password.
2. Enter / services dns show
To display just a list of the DNS servers, enter / services dns server show.

Adding a DNS server to a local configuration

To add a DNS server to a local configuration:
1. Log in to the CLI of the appliance using the administrator user name and password.
2. Enter / services dns server add ip_address local
ip_address = the IPv4 or IPv6 address of the DNS server
Note
To add a DNS server to a local configuration, you do not have to include local in this
command.
Adding a DNS server to a global configuration

To add a DNS server to a global configuration:
1. Log in to the CLI of the leader appliance using the administrator user name and
password.
2. Enter / services dns server add ip_address global
3. Enter config write to commit the configuration.
The DNS server configuration is added to the active configuration of all of the
appliances in the deployment.
Deleting a DNS server from a local configuration

To delete a DNS server from a local configuration:
2. Enter / services dns server delete ip_address local
Note
To delete a DNS server from a local configuration, you do not have to include local
in this command.
Deleting a DNS server from a global configuration

To delete a DNS server from a global configuration:
password.
2. Enter / services dns server delete ip_address global
The DNS server is deleted from the configuration of all the appliances in the
deployment.
Importing a DNS hosts file

To import a DNS hosts file:
password.

2. Enter / services dns hosts disk:file_name

file_name = the file name of the hosts file

Configuring NTP Servers

You can use the CLI to configure NTP servers in your Sightline deployment:
n View information about the NTP servers
You can view the status of NTP services and whether an NTP server is in a local or global
configuration.
n Add NTP servers to a local or global configuration
See “Local and global configuration guidelines for NTP servers” below.
n Delete an NTP server from a local or global configuration
n Delete all NTP servers
You can also add NTP servers to a global configuration on the Configure Network Services
page (Administration > System Maintenance > Network Services ) of your
Sightline leader appliance.
For information about configuring global NTP servers on the Configure Network Services
page, see “Configuring Network Services” in the Sightline and Threat Mitigation System
User Guide .
Local and global configuration guidelines for NTP servers

Use the following guidelines to decide whether to add an NTP server to a local or global
configuration:
n If you want all appliances to use an NTP server, use a global configuration.
n If you want individual appliances to use different NTP servers, use a local configuration.
The following are some additional guidelines for adding an NTP server to a local or global
configuration:
n If you add an NTP server to a local configuration, you can then add the NTP server to a
global configuration on that appliance without first deleting the local configuration. If
you then delete the NTP server from the global configuration, the local configuration is
restored.
n If an NTP server has been added to a global configuration, then you cannot add the
NTP server to a local configuration.
Note
When you add an NTP server to a global configuration or delete an NTP server from a
global configuration, the global servers do not get added or deleted until you commit the
configuration changes. However, when you add an NTP server to a local configuration or
delete an NTP server from a local configuration, the change takes place immediately.
Displaying information about the NTP servers

To display information about the NTP servers:
2. Enter / services ntp show
To display just a list of the NTP servers, enter / services ntp server show.

Adding an NTP server to a local configuration

To add an NTP server to a local configuration:
2. Enter / services ntp server add {ip_address | hostname} local
{ip_address | hostname} = the IPv4 or IPv6 address or hostname of the NTP
server
Note
To add an NTP server to a local configuration, you do not have to include local in
this command.
Adding an NTP server to a global configuration

To add an NTP server to a global configuration:
password.
2. Enter / services ntp server add {ip_address | hostname} global
server
The NTP server configuration is added to the active configuration of all of the
appliances in the deployment.
Deleting an NTP server from a local configuration

To delete an NTP server from a local configuration:
2. Enter / services ntp server delete {ip_address | hostname} local
server
Note
To delete an NTP server from a local configuration, you do not have to include local
in this command.
Deleting an NTP server from a global configuration

To delete an NTP server from a global configuration:
password.
2. Enter / services ntp server delete {ip_address | hostname} global
server
The NTP server is deleted from the configuration of all the appliances in the
deployment.
Deleting all NTP servers

You can delete all NTP servers from both local and global configurations.

To delete all NTP servers:

password.
2. Enter / services ntp server clear

Setting the AIF Server Address

If you do not have DNS configured on the leader appliance, then you have to use the CLI
to set the AIF server address. After you set the AIF server address, you can then configure
the AIF update settings on the ATLAS Intelligence Feed tab on the Configure ATLAS
Services page (Administration > ATLAS).
Setting the AIF server address

To set the AIF server address:
Log in to the leader appliance’s CLI by using the administrator name and password.
1. See “Logging in to the CLI of an appliance” on page 16.
2. Enter / services sp remote_services aif server set IP address
IP address = the AIF server address
For information about the IP address for the AIF feed, see “ATLAS services ports” on
page 26.
3. To commit the configuration, enter config write

Importing AIF Signatures

You can update the AIF (ATLAS Intelligence Feed) signatures even if you do not have
access to the AIF server by importing them in an XML file.
You can configure all of the other AIF standard feed settings in the web UI on the ATLAS
Intelligence Feed tab of the Configure ATLAS Services page (Administration > ATLAS).
Importing AIF signatures
To import AIF signatures:
1. Log in to an appliance’s CLI by using the administrator name and password.
2. Enter / services sp remote_services atf import disk:file_name

Automatically Configuring a TMS Model for the Management

Network
A TMS model must be configured for the management network before you can add it to
your Sightline/TMS deployment. This initial configuration can be done automatically on
boot-up for TMS models that support Zero Touch Provisioning (ZTP). You do not need to
connect a serial console to the TMS model and manually enter the initial configuration
commands.
After ZTP automatically configures the TMS model, the system boots up on the
management network. You can then remotely log in to the Sightline web UI or the TMS
model’s command line interface (CLI) and add the TMS model to your
Sightline/TMS deployment.
ZTP can configure a TMS model for an IPv4 or IPv6 management network. However, to use
ZTP, the TMS model must be connected to a management network that supports IPv4.
Note
For information about manual initial configuration, and for information about adding a
TMS model to your deployment, see Adding, Editing, and Deleting a TMS Model.
About Zero Touch Provisioning for TMS models

Like manual initial configuration, automatic initial configuration with ZTP applies and saves
a new startup configuration file on the TMS model. If no startup configuration file exists on
a TMS model, and all ZTP prerequisites are met, the TMS model uses ZTP to perform the
initial configuration.
See “Prerequisites for Zero Touch Provisioning on a TMS model” on the next page.
Unlike manual initial configuration, with ZTP, you create a startup configuration file for the
TMS model in a text editor. You store that file on a network file server. Next, you configure
the file’s location on a DHCP server. Then, if the TMS model boots up with no initial
configuration, ZTP queries the DHCP server to locate the predefined configuration file for
that model. ZTP then downloads, applies, and saves that configuration file.
See “How ZTP automatically configures a TMS model for the management network”
below.
When the TMS model boots up, it runs the commands in the startup configuration file.
These commands configure the TMS model for the management network.
How ZTP automatically configures a TMS model for the management network
When you boot a TMS model that has no startup configuration file, ZTP automatically
performs the following tasks:
1. Asks the DHCP server to provide the “bootfile-name” parameter (DHCP option 67) for
the TMS model. The bootfile-name specifies the URL for the ZTP configuration file that
was created for the TMS model.
See “Creating a ZTP configuration file” on page 41.
2. Receives the URL for the ZTP configuration file in the bootfile-name parameter sent
from the DHCP server.

3. Downloads the ZTP configuration file from the file server at the specified URL using
HTTP, FTP, or TFTP.
4. Saves the downloaded ZTP configuration file to disk as the new startup configuration
file.
5. Runs the commands in the new startup configuration file to configure
communications with the management network.
6. Finishes booting up.
Since TMS models ship without a startup configuration file, ZTP runs on the first boot after
a new or replacement TMS model is installed. ZTP also runs the first time you boot a TMS
model after its startup configuration was manually cleared.
ZTP will not run on boot if a startup configuration exists on the TMS model. If no startup
configuration exists on a TMS model, but you do not want ZTP to run on boot, see
“Disabling ZTP on a TMS model” on page 42.
If the management network configuration changes, you might need to update the startup
configuration file on the TMS model. See “Updating the startup configuration file on a
TMS model using ZTP ” on page 42.
Prerequisites for Zero Touch Provisioning on a TMS model

You can use ZTP to create a new startup configuration file if your deployment meets these
requirements:
n The TMS model has TMS software release 8.2 or higher installed. (ZTP is enabled by
default on these TMS models.)
n A management interface on the TMS model is connected to an Ethernet switch in your
management network.
For more information about connecting TMS models to your management network,
see the Threat Mitigation System Quick Start Card for your appliance, or, see the
Configuration Guide for your Cisco ASR 9000 vDDoS Protection model. You can
download these documents from the Arbor Technical Assistance Center
(https://support.arbornetworks.com).
n The management network has a DHCP server that the TMS model can reach through its
management interface.
n A valid ZTP configuration file is stored in a network location that the TMS model can
access.
See “Creating a ZTP configuration file” on the facing page.
n The DHCP server’s configuration file includes a URL (in the boot-file name) that points to
the correct ZTP configuration file for the TMS model.
See “Configuring the DHCP server” below.
Configuring the DHCP server

Before ZTP can use DHCP to configure a TMS model, the DHCP server configuration file
must be updated to support ZTP on the TMS model. Specifically, the DHCP configuration
file must include values for the following parameters:
n hardware ethernet: The MAC address for the management (“mgt”) interface on the
TMS model that is connected to the management network. For ZTP, one of the
management interfaces on the TMS model must be connected to the management

network. The MAC addresses for the management interfaces are listed on the Quick
Start Card for your TMS appliance.
n fixed-address: The temporary IP address for the TMS model. ZTP uses this address
communicate with the DHCP server, and to download the ZTP configuration file from
the URL that the DHCP server provides. Once the TMS applies the ZTP configuration file,
it stops using this temporary IP address and uses the network settings in the ZTP
configuration file instead.
n option bootfile-name: The URL of the ZTP configuration file to download. The URL
can use HTTP, FTP, or TFTP.
The following is an example of a Linux DHCP server configuration file that supports ZTP on
a TMS model with the host name TMS-01. The ZTP configuration file name is
TMS-01.config.
subnet 198.51.100.0 netmask 255.255.255.0 {
# Standard gateway / mask setup.
option routers 198.51.100.1;
option subnet-mask 255.255.255.0;
host TMS-01 {
hardware ethernet 00-00-5E-FE-CB-00-71-FF;
fixed-address 198.51.100.25;
option bootfile-name "http://198.51.100.32/TMS-01.config";
Creating a ZTP configuration file

To create a ZTP configuration file that a TMS model can download from a file server on
your management network:
1. Perform the initial configuration manually on a TMS model in the same deployment as
the TMS model that you want to add.
For manual initial configuration instructions, see the Quick Start Card for your TMS
appliance, or, see the Configuration Guide for your Cisco ASR 9000 vDDoS Protection
model. You can download these documents from
2. Log in to the CLI for the TMS model that you configured in Step 1.
3. Enter the following CLI commands to export the TMS startup configuration and copy it
to the ZTP configuration file location on the target file server:
/ config export disk:TMS_filename.config
/ system file copy disk:TMS_filename.config scp://fileserver_
addr/ZTP_filename.config
where:
TMS_filename.config = The name of the configuration file to copy to the target
ZTP configuration file.
fileserver_addr = The IP address of the target file server where the exported
configuration file will be copied to.
ZTP_filename.config = The name of the target ZTP configuration file. The
exported configuration file is copied to this ZTP file.

4. (Optional) Modify the ZTP configuration file as necessary for other TMS models to use.
For example, you can modify the IP addresses or host names in the commands in a
ZTP configuration file. However, you should only add commands which can be
exported from a valid TMS startup configuration file. There is one exception: You can
add the TMS bootstrap command, which is not an exported command.
See “Connecting to the Sightline leader on boot-up” below.
Caution
Except for the TMS bootstrap command, only exportable configuration commands
are supported in ZTP configuration files. Adding commands that are not exportable
can cause boot errors or boot failure.
Connecting to the Sightline leader on boot-up

When you export the configuration from a TMS model, the IP address for the model’s
Sightline leader is not included in the export. The zone secret for the Sightline/TMS
deployment is also not included in the export.
If you want the TMS model to connect to its Sightline leader on boot up, add the following
TMS bootstrap command the end of the ZTP configuration file, just before the
/ services tms start command:
/ services tms bootstrap leader_ipzone_secret
For example:
/ services tms bootstrap 198.51.100.5 f006arV31tas
/ services tms start
Disabling ZTP on a TMS model

To prevent ZTP from running on boot when no startup configuration exists on a TMS
model:
1. On the TMS model, connect a serial console cable and disconnect all management
interfaces.
To locate the serial console port and management ports, see the Quick Start Card for
your TMS appliance, or, see the Configuration Guide for your Cisco ASR 9000 vDDoS
Protection model. You can download these documents from
2. Boot up the TMS model.
3. After the TMS model boots up, enter the command / config write on the serial
console.
This saves a startup configuration to the TMS model, which disables ZTP on future
boots.
Updating the startup configuration file on a TMS model using ZTP

You might need to update the startup configuration file on the TMS model if the
management network configuration changes.
To update the startup configuration file using ZTP:

1. (If required) Update the DHCP server configuration to reflect the changes in the
management network.
See “Configuring the DHCP server” on page 40.

2. (If required) Update the ZTP configuration file to reflect the changes in the
management network.
See “Creating a ZTP configuration file” on page 41.
3. Log in to the CLI for the TMS model.
4. Enter the command / config clear
This clears the startup configuration for the TMS model so that ZTP will run the next
time that the TMS boots up.
5. Reboot the TMS model to locate, download, and save the updated ZTP configuration
file as the new startup configuration file.
Viewing a ZTP log file

ZTP creates a log file on the TMS model each time it runs. To view the ZTP log file, log in to
the CLI of the TMS model and enter the following command:
/ services logging view ztp.log

Add New TMS Models to the Appliance List without

Upgrading Sightline
On an Sightline appliance running SP 8.1 or higher, you can use the Sightline CLI to add
new TMS models to the Appliance list on the Add/Edit Appliance page in the Sightline web
UI. This means that, if a new TMS model comes out after the current release, you don’t
have to wait for the next Sightline release to add that new TMS model to your deployment.
Adding new TMS models to the Appliance list

To add new TMS models to the Appliance list without upgrading Sightline, follow these
steps:
1. Obtain the tms.conf.tgz file that contains the new TMS models that you want to add
to the list.
Note
Instructions for obtaining the latest tms.conf.tgz file are provided when a new
TMS model is released.
2. Log in to the CLI on the target Sightline appliance.
Note
The target Sightline appliance must be running SP 8.1 or higher.
3. Enter the following command to copy tms.conf.tgz to the installation file directory
on the target Sightline appliance:
/ system files copy{loc}tms.conf.tgz disk:tms.conf.tgz
where:
loc = the network location, URL, or file path where tms.conf.tgz is stored, for
example:
ftp://[user:passwd@]A.B.C.D[:port]/
ftp://[user:passwd@]hostname[:port]/
http[s]://[user:passwd@]A.B.C.D[:port]/
http[s]://hostname[:port]/
scp://[user@]A.B.C.D[:port]/
scp://[user@]hostname[:port]/
usb:
Note
Do not decompress the tms.conf.tgz file.
4. To update the Appliance list with the new TMS models, enter the following
command:
/ services sp tms update_tms_appliances
5. Verify that the following messages appear:
Verifying TMS appliance definitions package...
Extracting TMS appliance definitions...
Copied TMS appliance definitions file.
Successfully updated TMS appliance definitions.

6. To view the new TMS models on the updated Appliance list, do the following:
a. Log in to the Sightline web UI on the target Sightline appliance and navigate to the
Configure Appliances page (Administration > Appliances).
b. Click Add Appliance.
c. On the Appliance tab, click the Appliance list. Scroll down the list to view the new
TMS models.
7. (Optional) To configure a new TMS model for your deployment, see “Adding, Editing,
and Deleting a TMS Model” in the Sightline and Threat Mitigation System User Guide .

Replacing a Sightline Appliance with an RMA Replacement

If you have received an Sightline appliance that is an RMA (return merchandise
authorization) replacement, then follow the steps in this topic to replace your old
appliance with the new appliance.
Replacing a Sightline appliance with an RMA replacement appliance

You can perform many of the following steps in the web UI or in the appliance’s CLI. If you
cannot access the web UI of the old appliance to perform these steps, then use the CLI.
See “Using CLI Commands” on page 16.
If you cannot access the web UI or the CLI to perform these steps, then contact ATAC
(Arbor Technical Assistance Center). See “Contacting the Arbor Technical Assistance
Center” on page 11.
To replace an Sightline appliance with an RMA replacement appliance:
1. Do one of the following to identify the version of Sightline that is installed on the old
appliance along with any Sightline patches:
l In the web UI of the old appliance, click the About link in the lower right corner of
any page to access the About page.
The installed software is listed at the top of the page.
l In the CLI of the old appliance, use the following CLI command to display the
Sightline software that is installed:
/ system file show
Note
You also need to identify any hand patches that are installed on the old appliance. If
you need assistance in determining which hand patches are installed, contact ATAC
(Arbor Technical Assistance Center). See “Contacting the Arbor Technical Assistance
Center” on page 11.
2. Do one of the following to create and export a backup of the files on the old
appliance:
l In the web UI of the old appliance, on the Managed Backups page
(Administration > System Maintenance > Backups ), perform tasks to create
and export a full or incremental backup. See “Managing System Backups” in the
Sightline and Threat Mitigation System User Guide .
l In the CLI of the old appliance, use the following CLI commands to create and
export a full or incremental backup (the first and third commands are for a full
backup and the second and fourth are for an incremental backup):
/ services sp backup create full
/ services sp backup create incremental
/ services sp backup export full scp://user@host/path/ password
/ services sp backup export incremental scp://user@host/path/
password
user = the user name that is required to access the remote server
host = the IP address of the remote server
path = the directory path to which to export the backup on the remote server
password = the password that is required to access the remote server

Note
You can create an incremental backup if you already have a full backup. An
incremental backup includes only the changes that have occurred since the last full
backup.
3. If Sightline is not installed on the new appliance, install the same version of the
software that was installed on the old appliance along with any patches that were
installed on the old appliance. See “Reinstalling Sightline Appliance Software” on
page 146.
The patches must include any hand patches that were installed on the old appliance.
Note
The RMA replacement appliance should come with the correct version of Sightline
installed.
4. Perform the initial configuration of the Sightline software using the instructions in the
appliance’s Quick Start Card. You can access the Quick Start Card at
https://support.arbornetworks.com.
Important
Make sure all of these initial configuration settings on the new appliance are the
same as those on the old appliance. This includes performing a bootstrap if you
want to restore the appliance using the web UI.
5. Disconnect the old appliance from the network and connect the new appliance.
6. On the new appliance, do one of the following to import and restore the backup from
the remote server:
l In the web UI of the new appliance, on the Managed Backups page
(Administration > System Maintenance > Backups ), perform tasks to import
and restore the backup. See “Managing System Backups” in the Sightline and
Threat Mitigation System User Guide .
Important
If you restore the full backup, the IP interface, IP access, and IP route settings will
no longer be correct. Make sure to configure these settings on the new appliance
so that they are the same as those on the old appliance. For information about
how to configure these settings, see the appliance's Quick Start Card at
https://support.arbornetworks.com.
l In the CLI of the new appliance, use the following CLI commands to import and
restore the backup (the first command imports a full backup and the second
command imports an incremental backup):
/ services sp backup import full scp://user@host/path/ password
/ services sp backup import incremental scp://user@host/path/
password
/ service sp backup restore skip_arbos
user = the user name that is required to access the remote server
host = the IP address of the remote server
path = the directory path to where you want to export the backup on the
remote server
password = the password that is required to access the remote server
7. If the old appliance had appliance-based licensing, log in to the web UI of the leader
appliance and apply the new appliance’s license.

If the license is unavailable or incorrect, contact ATAC (Arbor Technical Assistance

Center). See “Contacting the Arbor Technical Assistance Center” on page 11.
For information about applying the license key, see “Configuring Appliance Settings
for an Sightline Appliance” in the Sightline and Threat Mitigation System User Guide .
8. If the old appliance was the leader or backup leader with flexible licensing, then
upload the flexible license to the leader or backup leader appliance.
If you do not have an updated version of the flexible license, contact ATAC (Arbor
Technical Assistance Center). See “Contacting the Arbor Technical Assistance Center”
on page 11.
For information about uploading the flexible license, see "Uploading a Flexible
License" in the Sightline and Threat Mitigation System User Guide .
9. Test the new appliance to verify that it performs all functions just as the old appliance
did before its failure.

Replacing a TMS Appliance with an RMA Replacement

If you received a replacement TMS appliance on a Return Merchandise Authorization
(RMA), follow the instructions in this topic to replace your old appliance with the new
appliance.
Note
Contact ATAC if you need help with this RMA replacement procedure. See “Contacting
the Arbor Technical Assistance Center” on page 11.
About replacing an old TMS appliance with a new TMS appliance

To replace an old appliance with a new TMS appliance that you received on an RMA,
perform the instructions for each action in the order shown.
Step Action Instructions

1 Create a backup storage path on a remote See “Creating a backup storage
server. path on a remote server” on the
next page.
2 Export and copy the old appliance’s TMS See “Exporting and copying the
configuration settings to the backup server. old TMS configuration settings”
on the next page.
3 Back up the TMS data on the old appliance See “Backing up the TMS data
to the backup server. stored on the old appliance” on
the next page.
4 Connect the new appliance and perform an See “Connecting and configuring
initial configuration on the new appliance. the new appliance” on page 52.
5 Restore the old appliance’s TMS data from See “Restoring the old TMS data
the backup server to the new appliance. from backup to the new
appliance” on page 53.
6 Copy and import the old appliance’s TMS See “Copying and importing the
configuration settings to the new appliance, old configuration settings to the
and then reboot the new appliance. new appliance” on page 53.
7 Restart and bootstrap the new appliance, See “Restarting and configuring
and then configure administrative settings the new appliance on the
for the new appliance on the Sightline Sightline leader” on page 54.
leader.
You perform these steps on the following devices:

n Step 1: on a remote server.
n Steps 2 and 3: in the TMS CLI for the old appliance.
n Steps 4 through 6: in the TMS CLI for the new appliance.
n Step 7: in the TMS CLI for the new appliance, and then in the web UI on the Sightline
leader.
For help accessing the TMS CLI and entering CLI commands, see “Using the Command
Line Interface (CLI)” on page 13.

Creating a backup storage path on a remote server

Select a remote server that is connected to the same network as the old appliance. On the
remote server, create a backup storage path (such as /tms/backups). You will use this
path to store the backup TMS configuration and data files for the old appliance.
Exporting and copying the old TMS configuration settings

To export the TMS configuration settings for the old appliance to a disk file, and then copy
the file to the storage path that you created on the remote server:
1. Log in to the CLI of the old TMS appliance.
2. Export the TMS configuration settings for the old appliance to a file on the local disk.
Enter / config export disk:filename
filename = the name of the disk file that contains the old TMS configuration
settings, for example, oldTMS.conf.
Note
In the instructions that follow, use your filename in place of oldTMS.conf.
3. Copy oldTMS.conf from the local disk on the old appliance to the storage path on
the backup server.
Enter / system files copy disk:oldTMS.conf backupURL/oldTMS.conf
backupURL = the URL for the storage path on the backup server. Use one of the
following options to specify backupURL:
ftp://[user:password@]A.B.C.D[:port]//storagepath
ftp://[user:password@]hostname[:port]//storagepath
http[s]://[user:password@]A.B.C.D[:port]//storagepath
http[s]://hostname[:port]//storagepath
scp://[user@]A.B.C.D[:port]//storagepath
scp://[user@]hostname[:port]//storagepath
user:password = the username and password for the backup server
A.B.C.D = the IPv4 address for the backup server
hostname = the host name for the backup server
port = the port number for the backup server
storagepath = the relative or absolute storage path on the backup server.
Use two forward slashes (//) before storagepath as shown if the path is
absolute. Use a single forward slash ( / ) before storagepath. if the path is
relative to a working directory such as /home.
Backing up the TMS data stored on the old appliance

To back up the TMS data stored on the old appliance to the storage path on the backup
server:
1. Log in to the CLI of the old TMS appliance.
2. Show the software packages installed on the old appliance.
Enter / system file show
Note the version numbers for the ArbOS software package, the TMS software
package, and any installed software hand patches.

Note
Contact ATAC if you need help determining which hand patches are installed on the
old appliance. See “Contacting the Arbor Technical Assistance Center” on page 11.
3. Set the URL for the storage path that you created on the backup server.
Enter / services backup server set {backupURL|interactive|local}
backupURL = the URL for the storage path on the backup server. Use the following
syntax to specify the backupURL:
transport://[user:password@]server[:port]//storagepath
transport = the transport protocol: scp, sftp, ssh, or ftp
user:password = the username and password for the backup server
server = the backup server’s hostname, IPv4 address (A.B.C.D), or IPv6
address (aaaa:bbbb::cccc)
port = the port number for the backup server
storagepath = the relative or absolute storage path that you created on the
backup server. Use two forward slashes (//) before storagepath as shown if
the path is absolute. Use a single forward slash ( / ) before storagepath. if
the backup path is relative to a working directory such as /home.
(Optional) Enter interactive instead of the backupURL to have the CLI prompt
you for the URL components:
Backup server address = the server IP address in IPv4 or IPv6 format
Backup transport (scp, sftp, ssh, or ftp) = the transport protocol
Backup storage path on server = the relative or absolute storage path
on the backup server
Backup server username = the username for the backup server
Backup server password = the password for the backup server
After you enter the password, enter y to save your entries and to set the backup
URL, or press ENTER to exit without saving and setting the backup URL.
Caution
Enter either the backupURL or the interactive option only. Do not enter the local
option. If you use the local option, the TMS data will be backed up to the disk in the
old appliance instead of the backup server.
4. (Optional; recommended) Show the backup URL and verify that the storage path was
created correctly.
Enter / services backup show
In the output, under Backup Configuration, the Server should match the backup
URL that you set in the previous step.
5. Back up the TMS data stored on the old appliance to the backup URL.
Enter / services backup create [full | incremental]
If this is the first backup of the old appliance to the backup URL that you set in Step 3,
create a full backup. If you backed up the old appliance to this URL previously, you can
create an incremental backup to save time.
6. (Optional; recommended) Show the status of the backup.
When the backup completes, the Backup Status in the output should show backup
succeeded.

7. (Optional; recommended) Verify that the backup was created successfully.

Enter / services backup list
The Available Backups list in the output should show the correct information for
the backup that you just created.
Tip
Note the timestamp for the backup. You can use the timestamp to confirm that you
are restoring the correct backup to the new appliance in “Restoring the old TMS data
from backup to the new appliance” on the facing page.
Connecting and configuring the new appliance

Important
The TMS software on the new appliance must be initially configured before you can
restore the old appliance backup files to the new appliance. The initial configuration
enables the new appliance to communicate with the backup server through its
management interface. Make sure that the initial configuration settings you use on the
new appliance are the same as those that you used to configure the old appliance. For
information about how to configure these settings, see the appliance's Quick Start Card
at https://support.arbornetworks.com.
To connect the new appliance to the network, and then perform an initial configuration of
the TMS software on the new appliance:
1. Log in to the CLI of the new appliance with the username admin and the password
arbor.
2. Verify that the new appliance has the same software versions installed as the old
appliance.
Enter / system files show.
Compare the version numbers for all installed software packages to those for the old
appliance that you noted in Step 2 under “Backing up the TMS data stored on the old
appliance” on page 50.
3. If the software installed on the new appliance does not match the software installed
on the old appliance, you must install the matching software versions on the new
appliance. For instructions, see “Reinstalling TMS Software on a Chassis-based TMS
Appliance” on page 155 .
Important
The software installation for the new appliance must include all of the hand patches
that were installed on the old appliance.
4. If the new appliance contains the same software versions as the old appliance,
connect the new appliance to the network. For connection instructions, see the Quick
Start Card for the new appliance.
Important
You must, at minimum, connect the management interface port on the new
appliance.
5. Perform the initial configuration of the TMS software on the new appliance. For initial
configuration instructions, see the Quick Start Card for the new appliance.

Important
Do not configure the administrative settings for the new appliance on the Sightline
leader yet. You will do this later in “Restarting and configuring the new appliance on
the Sightline leader” on the next page.
Restoring the old TMS data from backup to the new appliance
Important
You must connect and initially configure the new appliance before you perform this
restore procedure. See “Connecting and configuring the new appliance” on the previous
page.
To restore the old appliance TMS data files on the backup server to the new appliance:
1. Log in to the CLI of the new appliance.
2. Specify the storage path on the backup server to restore from:
Enter / services backup server set {backupURL|interactive|local}
Specify the same backupURL value that you entered in Step 3 under “Backing up the
TMS data stored on the old appliance” on page 50 .
3. (Optional) Verify that the backup URL was specified correctly.
In the output, under Backup Configuration, the Server should match the backup
URL that you set in Step 2.
4. (Optional) Verify that the backup that you want restore exists.
Enter / services backup list
The list of Available Backups in the output should show the information for the
backup that you want to restore from. The list should also show the timestamp
indicating when the backup was created.
5. Restore the old appliance backup data files to the new appliance:
Enter / services backup restore [timestamp]
timestamp = the timestamp of the backup to restore from. Omit the timestamp to
restore from the most recent backup.
6. (Optional) Check the status of the restore process.
When the restore process completes, the Backup Status in the output should show
restore succeeded.
Copying and importing the old configuration settings to the new appliance
To copy oldTMS.conf from the backup server to the disk on the new appliance, and then
import the configuration settings in oldTMS.conf to working memory on the new
appliance:
2. Copy the oldTMS.conf file from the backup server to the disk on the new appliance:
Enter / system files copy backupURL/oldTMS.conf disk:[oldTMS.conf]
Specify the same backupURL value that you entered in Step 3 under “Exporting and
copying the old TMS configuration settings” on page 50.
3. Import the old TMS configuration settings in the disk file oldTMS.conf to working

memory in the new appliance:

Enter / config import disk:oldTMS.conf
4. At the prompt, enter Y to reboot the new appliance.
Restarting and configuring the new appliance on the Sightline leader

To finish configuring the new appliance on the Sightline leader after the new appliance
reboots:
2. Bootstrap the new appliance to the Sightline leader.
Enter / services tms bootstrap leader_ip zone_secret
leader_ip = the IP address of the Sightline leader appliance
zone_secret = the word or phrase that is used by all of the appliances in the
system for internal communication
3. Restart TMS services on the new appliance.
Enter / services tms start
4. Configure the administrative settings for the new appliance on the Sightline leader as
follows:
a. Log in to the web UI of the Sightline leader.
b. On the Configure Appliances page (Administration > Appliances), click the
name of the new appliance and complete its configuration. For more information,
see “Configuring TMS Models” on page 85 .

Chapter 2
Securing Your Sightline Appliances
This section describes how to secure your Sightline appliances.
In this section
Securing Your Arbor Networks Appliances 56

Physical Security for Sightline 61
Adding and Editing an Acknowledgment Question 62
Configuring Advanced Password Requirements 63
Resetting a Sightline Administrator Password 64
Configuring Advanced SSH Settings 67

Securing Your Arbor Networks Appliances

It is important that you secure your NETSCOUT® Arbor appliances to prevent them from
being compromised. You should make sure that you have taken all of the steps to secure
your appliances that are described in this topic.
The following are some basic tactics for securing your NETSCOUT® Arbor appliances:
n Set IP access rules appropriately to ensure that only the IP networks used by system
users can access the system.
l Prevent system intrusion via compromised user credentials by denying a login
prompt to potential attackers.
l Use more restrictive rules for services such as SSH or SNMP that might need access
from fewer networks than the HTTPS user interface.
l Do not permit access from 0.0.0.0/0 unless absolutely necessary.
n Use centralized authentication services for your organization instead of local user
accounts whenever possible, using TACACS+ or RADIUS protocols for integration.
l Implementing centralized authentication services can reduce the forgotten
passwords and password resets for users who infrequently access an Arbor
appliance, because passwords for general users are the same as those used daily
elsewhere in the organization.
l We recommend maintaining a least one local user account, which can be used to
access the system in the event that RADIUS or TACACS+ servers become inaccessible
via the network.
n Use long and complex passwords whenever local user accounts are necessary on an
Arbor appliance.
l Generally, longer passwords are more secure. Arbor appliances support passwords
up to 72 characters long.
l Mix different classes of characters in a password. Use uppercase and lowercase
letters, numbers, and special characters.
n Physically secure your Arbor appliances to prevent them from being disabled or
otherwise compromised.
Steps to secure your appliances

We recommend the following steps to secure your appliances. You can perform most of
these steps using CLI commands. See “Using CLI Commands” on page 16.

Chapter 2 Securing Your Sightline Appliances
Securing your NETSCOUT® Arbor appliances
Security Step CLI Commands and/or Description

Review your IP /ip access show
access rules.
Open ports only to For example, if 5.5.5.5/32 and 10.10.10.0/24 are known CIDR
known CIDR blocks blocks and are considered safe, you can open IP access to these
and only to specific, hosts, as follows:
trusted networks / ip access add ssh eth0 5.5.5.5/32
or hosts. / ip access add ssh eth0 10.10.10.0/24
/ ip access add https eth0 5.5.5.5/32
/ ip access add https eth0 10.10.10.0/24
/ ip access add ping eth0 5.5.5.5/32
/ ip access add ping eth0 10.10.10.0/24
/ ip access commit
/ config write
Important
Do not open traffic to 0.0.0.0/0, and if you must open traffic to
0.0.0.0/0 never open SSH or HTTP(S) for 0.0.0.0/0.
Enable max login / services aaa max_login_failures set number

failures protection. number = the maximum number of incorrect logins that
Sightline will permit local users to attempt before it disables
that user account
We recommend setting the maximum number of login
failures to no more than 5. The default is 5.
/ config write
Important
You must run these commands on the leader appliance.
You can also configure the max login failures in the web UI on the
Configure Accounts Options page (Administration >
Accounts/Accounting > Options).
Increase the length / services aaa password_length min number

of account number = the minimum length of new account passwords
passwords. We recommend setting the minimum length of new account
passwords to 10 or more characters. Generally, selecting a
higher number improves password security. The default is 10.
/ config write
Important
Enable commands / services aaa local accounting set level commands

level login. / config write

Securing your NETSCOUT® Arbor appliances (Continued)

Enable hardened / services aaa local advanced harden_passwords
password enable
requirements. / config write
Important
Note
When this is enabled, passwords must contain at least 1 number
and 1 letter and cannot contain any part of the username.
Hide non-local user / services aaa local advanced hide_non_local_

data on the User history enable
Account Login / config write
Records page. Important
Audit configured / services aaa local show

users on a regular Important
basis. You should limit users in the system_admin group to a
minimum, and you should disable unused accounts.
You can also view the accounts on the User Accounts page
(Administration > Accounts/Accounting > User Accounts ).
Use TACACS+ or You can configure the TACACS+ and RADIUS account settings in
RADIUS to control the web UI on the Configuring Accounting page (Administration
logins. > Accounts/Accounting > TACACS+/RADIUS Accounting ).
You configure Sightline to integrate with your existing TACACS+
and RADIUS servers to authenticate users on the Configure
Authentication page (Administration > Accounts/Accounting
> TACACS+/RADIUS Authentication). See “Configuring
Accounting” and “Configuring Authentication” in the Sightline and
Set an idle timeout / services sp preferences login_timeout set timeout

period for the UI. timeout = the timeout value in seconds
We recommend a timeout value of 600 seconds.
/ config write
Important
You can also set the idle timeout period for the UI in the web UI
on the Configure UI Preferences page (Administration > User
Interface > Global Settings).


Set an idle timeout / system idle set timeout
period for the CLI. timeout = the timeout value in seconds
We recommend a timeout value of 600 seconds.
/ config write
Important
Enable remote / services sp notification groups edit default

syslog for auditing syslog destination set ip_address
commands and ip_address = the IPv4 address of the remote host where you
logins. want syslog to send the log messages
/ config write
For more information about remote syslog configuration, see
“Configuring Syslog to Send the Sightline Appliance Log
Messages to a Remote Host” on page 229 .
Add a pre-login / system login-banner set

banner that is You can then enter the banner that you want to display. After
displayed before you enter the banner, press ENTER, and then press CTRL-D to
users log in to the save the banner
CLI. The following is an example banner:
#################################################
# NETSCOUT® Arbor, Inc. #
# All connections to this device #
# are monitored and recorded #
# Disconnect IMMEDIATELY if you #
# are not an authorized user #
#################################################


Add a login banner / system banner set
that is displayed You can then enter the banner that you want to display. After
after users log in to you enter the banner, press CTRL-D to save it.
the CLI. The following is an example banner:
#################################################
# NETSCOUT® Arbor, Inc. #
# All connections to this device #
# are monitored and recorded #
# Disconnect IMMEDIATELY if you #
# are not an authorized user #
#################################################
/ system banner acknowledge set question
affirmative_answer negative_answer
question = the yes/no style question that you want displayed
(wrap the question in quotation marks)
For example: “Do you agree to be bound by the access terms
specified (yes/no)?”
affirmative_answer = one word only
negative_answer = one word only
/ system banner acknowledge enable
/ config write
Enable shell only / sys attr clear shell.enabled

for troubleshooting / config write
and then disable it.

Physical Security for Sightline

Experts estimate that 65-80 percent of all serious intrusions are initiated by insiders. As a
result, you should install Sightline on appliances in a secure room or locked cage and
provide access to only authorized personnel.
Physical security considerations

To ensure the integrity of your Sightline deployment, we recommend that you implement
the following security measures:
n Secure the system location and physical access with keys or card readers and a clearly
defined access policy.
n Set BIOS and/or console passwords.
n Consider deploying anti-theft devices and etching unique serial numbers on
components.
Note
You can configure BIOS settings by pressing F2 during the boot sequence.

Adding and Editing an Acknowledgment Question

You can configure Sightline to ask a yes or no style question of all users who log in to
either the CLI or the web UI.
Adding an acknowledgment question

To add an acknowledgment question:
password.
2. Enter / system banner acknowledge set question affirmative_response_
answer negative_response_answer
question = the yes/no style question that you want displayed (wrap the question
in quotation marks)
affirmative_response_answer = one word only
negative_response_answer = one word only
3. To enable the question, enter / system banner acknowledge enable
Example
The following example shows how to add the question, “Do you agree to be bound by the
access terms specified?” and allow access to users who reply “yes.”
admin@mariner1:/# system banner acknowledge ?
set Set system banner acknowledgment question
clear Clear system banner acknowledgment question
enable Enable system banner acknowledgment
disable Disable system banner acknowledgment
admin@mariner1:/system/banner/acknowledge# banner acknowledge set “Do
you agree to be bound by the access terms specified” yes no
admin@mariner1:/# / system banner acknowledge enable
admin@mariner1:/#
Display of acknowledgment question

The following example shows the question configured in the above example when a user
logs in to Sightline.
Last login: CLI on Fri Oct 16 20:38:13 2013 from 10.0.1.106
Sightline v9.0
Copyright (c) 2000-2013 NETSCOUT® Arbor, Inc. All Rights Reserved.
Do you agree to be bound by the access terms specified (yes/no)? yes

Configuring Advanced Password Requirements

Administrators can configure the minimum and maximum number of characters that are
required for a password. The minimum password length must be at least 10 characters,
which is the default minimum. You can increase the minimum password length to
increase login security. You can also configure a maximum password length, which by
default is undefined.
Administrators can also enable password hardening to add additional login security.
When you enable password hardening, passwords must meet the following criteria:
n contain at least one number and one letter
n cannot contain the user name in any form (upper case or lower case)
After you configure these password settings, if a user tries to add a password that does
not meet the criteria, an error appears and the password is not set.
Note
After you configure these password settings, they apply to the creation of new
passwords. They do not apply to passwords that have already been created.
Configure minimum password length

To configure the minimum password length:
2. Enter / services aaa password_length min number
number = the minimum number of characters required for a password
Configure maximum password length

To configure the maximum password length:
2. Enter / services aaa password_length max number
number = the maximum number of characters allowed for a password
Enabling password hardening

To enable password hardening:
2. Enter / services aaa local advanced harden_passwords enable
Disabling password hardening

To disable password hardening:
2. Enter / services aaa local advanced harden_passwords disable

Resetting a Sightline Administrator Password

If you lose the administrator password to an Sightline appliance, you can reset it. To reset
the password, you must reset the appliance and access the serial or VGA console.
Before you begin

If an Sightline appliance has a CD-ROM drive, you must have the Sightline CD to reset the
administrator password.
Resetting an Sightline administrator password

To reset an Sightline administrator password:
1. If you have a CD-ROM drive, insert the Sightline CD in the disk drive.
2. Press the Reset button on the appliance to power cycle it.
3. To boot the appliance from a CD, at the boot> prompt, enter cdrom
4. Log in to the appliance by using the user name admin and the password arbor.
5. Enter system disks start all
Because this abruptly shuts down the appliance, the system runs a file system check
(fsck), which takes a few minutes.
6. Enter config write aaa
This overwrites all saved AAA configurations, including radius, tacacs, and any local
users.
7. To reboot the appliance, enter shutdown
8. To boot the appliance from the hard disk, at the boot> prompt, enter disk
9. Log in to the appliance by using the user name admin and the password arbor.
10. Enter / services aaa local password admin interactive
11. Enter the new password
12. Enter the new password again.
Example
The following example shows how to reset an Sightline password:
boot> cdrom
Booting from CD-ROM-
000: Configuring ramdisk

001: The system is booting
010: Using CD-ROM
018: No system configuration found
020: Configuring CD-ROM
ArbOS/6.2 (arbos)

login: admin
Password: **********
ArbOS 6.2 (build xxxx)
Welcome to Peakflow
admin@arbos:/# system disks start all

admin@arbos:/# config write aaa
admin@arbos:/# shutdown
094: Syncing file systems...

095: Halting disk operations......done
***: Rebooting...
com0: 9600 baud

boot> disk
Booting from disk-
000: Configuring ramdisk

001: The system is booting
002: Scanning for filesystems
003: Using system disk
004: Checking file system integrity
005: Configuring swap devices
006: Configuring software packages
007: Restoring system configuration
020: Configuring CD-ROM
SP/9.0 (mariner)
login: admin
Last login: CLI on Wed Oct 26 21:17:01 2013 from console
SP v9.0
Welcome to Peakflow

admin@mariner:/# services aaa local password admin interactive

Changing local password for admin.
New password: **********
Retype new password: **********
admin@mariner:/# config write
Saving ArbOS configuration...
admin@mariner:/#

Configuring Advanced SSH Settings

To ensure a high level of security, all incoming IP traffic is denied by default. During initial
setup, Sightline adds an IP access rule to allow SSH traffic from given hosts. However, you
may want to change the SSH versions permitted to deny or allow a given version of SSH.
You may also want to install public SSH keys on your appliances.
Setting the SSH version

To set the SSH version:
password.
2. Enter / services ssh protocol set version
Example: Configuring SSH version

The following example shows how to configure SSH to use version 1.
admin@mariner1:/# services ssh protocol set ?
<1|2|2,1> Permitted protocol version
default Allow both protocol version 1 and 2
admin@mariner1:/# services ssh protocol set 1
Installing public SSH keys

You can copy and install your public key files to your Sightline appliances for
authentication. This instructs Sightline to first try a user's public key before it prompts the
user to enter a password.
To copy and install a public key file:

1. Log in to the Sightline appliance’s CLI using the administrator user name and
password.
2. Enter / system files copy URI disk:ssh_key_filename
URI = describes the protocol and path for the SSH key file
3. Enter / services ssh key import disk:ssh_key_filename
Example: Installing an SSH public key

The following example shows how to copy an SSH public key file from a remote server
using scp and install it on the Sightline appliance.
admin@mariner1:/# / system files copy ?
ftp://[user[:passwd]@]A.B.C.D/<filename>
http://A.B.C.D/<filename>
scp://[user@]A.B.C.D/<filename>
cdrom:<filename>
disk:<filename>
usb:<filename>

admin@mariner1:/# / system files copy

scp://admiral@10.0.1.10/home/admiral/
rsa.key.public disk:ssh_public_admiral
admin@mariner1:/# / services ssh key import disk:ssh_public_admiral

Chapter 3
Configuring Sightline Appliances
This section describes how to use the CLI commands to configure advanced Sightline
appliance settings.
In this section
Installing and Refreshing a Cloud-based Flexible License in the CLI 70

Adding Managed-Object Homing to an Appliance That Has the Data Storage Role 72
Overriding the Default FPS Limit for Flow on a Sightline Appliance 73
Teeing NetFlow 75
Disabling Access to the Shell 77
Configuring Settings for Capturing Raw Flows 78
Resetting the Alert Database 82
Changing the Size of the BGP Shared Memory 83

Installing and Refreshing a Cloud-based Flexible License in

the CLI
To install your cloud-based flexible license file, you will need the license server URL that
you received from Arbor and access to the leader's command line interface (CLI). You can
also attempt to manually refresh the license from the CLI. For information about cloud-
based flexible licensing, see "About Cloud-based Licensing" in the Sightline and Threat
Mitigation System User Guide .
Note
Cloud-based flexible licensing requires regular contact with our license server to function
correctly. It uses the standard HTTPS port 443. If you are behind a firewall, we
recommend that you use a proxy server. If a proxy server is not available, you can make
an ACL change to allow the leader to connect to port 443. For information about
configuring HTTP proxy settings, see "Configuring Network Services" in the Sightline and
For information about using CLI commands, see “Using CLI Commands” on page 16 .
Installing a cloud-based flexible license file

To install a cloud-based flexible license file on the leader:
1. Log in to the leader’s CLI by using the administrator name and password.
2. To configure your cloud-based flexible license file, enter the following commands:
l / services sp license flexible server url set license_server_url
license_server_url = the license server URL sent to you by Arbor
l / services sp license flexible server cloud_licensing enable
l / services sp device edit leader_name license_mode set flexible
leader_name = name of the Sightline appliance that will be using cloud-based
flexible licensing
3. To commit the activation, enter config write
4. After one to three minutes, you can verify your license is working by entering /
services sp license flexible show
After one to three minutes, you can also view the status of the license in the Cloud-based
License section on the Deployment Status page (System > Status > Deployment
Status) in the Sightline web UI.
Manually refreshing a cloud-based flexible license file

If Sightline has not been able to refresh the local copy of the cloud-based flexible license
file, you can attempt to refresh your license manually with a CLI command or in the web UI
of Sightline:
n In the CLI, log in to the leader’s CLI by using the administrator name and password and
enter:
/ services sp license flexible refresh
n In the web UI, open the Deployment Status page (System > Status > Deployment
Status) and click the Refresh Local Copy of License button
If you are unable to resolve the problems that are preventing Sightline from
communicating with the license server, contact the Arbor Technical Assistance Center

Chapter 3 Configuring Sightline Appliances
(ATAC) for assistance. For information about contacting ATAC, see “Contacting the Arbor
Technical Assistance Center” on page 11.

Adding Managed-Object Homing to an Appliance That Has the

Data Storage Role
An Sightline appliance that has the data storage role serves as a “home” for managed
objects. For redundancy, you can assign each managed object to up to three appliances
that have the data storage role.
Adding Managed-Object Homing to an Appliance

To add managed-object homing to an appliance that has the data storage role:
1. Log in to the appliance’s CLI using your administrator user name and password.
2. Enter / services sp managed_objects edit managed_object_name home add
appliance_name
managed_object_name = the name of the managed object that you are homing
appliance_name = the appliance that has the data storage role to which you are
homing the managed object

Overriding the Default FPS Limit for Flow on a Sightline

Appliance
A Sightline appliance receives flow that is a sample of the traffic that traverses your
network. To ensure that this flow does not negatively impact an appliance's performance,
a flows-per-second (FPS) limit for flow is set on each appliance. The default FPS limit for
flow is set when the appliance's services start and is different for each type of appliance. If
the appliance type cannot be determined, then the lowest default setting is used. See
“Default FPS limits for flow on a Sightline appliance” below.
If the flow that an appliance receives exceeds the default FPS limit for flow, then Sightline
automatically determines the sampling rate that is needed to reduce the amount of
processed flow in order to prevent the appliance from being overloaded.
The following are examples of when you might want to override the default FPS limit for
flow:
n To lower the limit to resolve performance issues that are caused by too much flow
being received by an Sightline appliance
n To increase the limit to avoid or decrease the sub-sampling of flow that is occurring on
an Sightline appliance
Warning
If the FPS limit is raised above the default value, it could result in an appliance overload
and the loss of data.
To override the default FPS limit for flow, see “Overriding the FPS limit for flow on a
Sightline appliance” on the next page.
Default FPS limits for flow on a Sightline appliance

The default FPS limit for flow is different for different types of Sightline appliances. You can
determine an appliance's type by its system model number or the letters at the beginning
of its serial number. See “Viewing the serial number of a Sightline appliance” on the next
page.
The following table lists the default FPS limits for flow for each type of appliance:
Default FPS limits for flow
Appliance Type Default FPS Limit for Flow

a SP 5500 appliance with a serial 20,000 FPS
number that begins with AZLR

number that begins with AZLH

number that begins with CG

Default FPS limits for flow (Continued)
Appliance Type Default FPS Limit for Flow

number that begins with CG
Virtual Machine (VM) 85,000 FPS (8-15 cores)

200,000 FPS (16-32 cores)
Note
Configurations of more than 32 cores are not
supported.
Overriding the FPS limit for flow on a Sightline appliance

To override the FPS limit for flow on a Sightline appliance:
See “Logging in to the CLI of an appliance” on page 16.
2. Enter / services sp device edit appliance_name fps_limit set fps_value
appliance_name = the name of the appliance
fps_value = the FPS value that you want to use to override the default FPS value
(for example, enter 180000 to reduce flow on an appliance that has the default
value of 200000)
Viewing the serial number of a Sightline appliance

To view the serial number of an Sightline appliance:
2. Enter system hardware

Teeing NetFlow
You can use the tee feature to duplicate the NetFlow™ records that your Sightline
appliance receives and then forward the duplicated records to another IP address.
Before you begin

We recommend that you consider the following issues before you perform the teeing
NetFlow procedure:
n Make sure that both the network interfaces on the Sightline appliances and the
interfaces on any switches or routers passing teed NetFlow are operating in full-duplex
mode.
n The link speeds involved when duplicating NetFlow streams can cause problems.
Example
If an NETSCOUT® Arbor appliance receives 40Mbps of NetFlow from a variety of
sources, and you try to duplicate all of those sources over the same 100Mbps interface,
problems can occur if that interface is not operating in full-duplex mode.
n Teeing NetFlow to multiple destinations can cause the aggregate bandwidth to saturate
an interface on the appliance.
n When the tee sends packets out of the appliance, it looks up routing tables to find the
interface out of which to route the packets. To balance traffic loads across interfaces
and networks, you can load multiple interfaces into an appliance and add static routes
to the routing table.
n There is some processing overhead on the appliance when teeing is enabled.
We recommend that you do not duplicate each NetFlow stream more than twice from a
single appliance.
Tip
If you want more duplication, you can enable downstream appliances to tee the data
or you can employ a dedicated tee appliance.
Teeing NetFlow to another appliance

To tee NetFlow from an Sightline collector appliance to a second appliance:
1. Using the administrator user name and password, log in to the CLI of the Sightline
collector appliance that is receiving the NetFlow that you want to tee to another
appliance.
Repeat this and the following steps on each Sightline collector appliance where you
want to tee flow to another appliance.
2. Enter / ip tee add source_IP_address:source_port destination_IP_
address:destination_port
Do not insert spaces before or after the colons.
3. To start the operation of the tee, enter / ip tee start
4. To test the tee, enter counter
A summary of the tee output appears.

Example
The following example shows how to tee NetFlow from port 111 on 192.168.1.1 and send
it to port 222 on 198.168.1.2. It then shows how to start the tee and test it.
admin@mariner1:/# / ip tee ?
Subcommands:
add Add a NetFlow tee rule
counter Show or reset NetFlow tee counters
delete Delete a NetFlow tee rule
show Show NetFlow tee configuration
start Start the NetFlow tee
stop Stop the NetFlow tee
admin@mariner1:/ip/tee# add ?
[A.B.C.D]:[1-65535] Source address:Destination port
admin@mariner1:/ip/tee# add 192.168.1.1:111 198.168.1.2:222
admin@mariner1:/ip/tee# start
admin@mariner1:/ip/tee# counter ?
status
reset
[cr]
admin@mariner1:/ip/tee# counter
Rule evaluations failed: 9109
Interface output failures: 0
tee 192.168.1.1:111 to 168.1.2:222 - passed: 9259
admin@mariner1:/ip/tee# config write
admin@mariner1:/ip/tee#

Disabling Access to the Shell

You can complete the procedure in this topic to disable all access to the shell on an
Sightline appliance.
Warning
You cannot re-enable access after you disable it. You should consult with your
NETSCOUT® Arbor Consulting Engineer or contact ATAC (Arbor Technical Assistance
Center) before you complete this procedure. See “Contacting the Arbor Technical
Assistance Center” on page 11.
Disabling access to the shell

To complete this procedure, you must first enable the related attribute to make the
command available.
To disable access to the shell:

password.
2. To enable the attribute, enter / system attributes set appliance.enabled =
1
3. To disable shell access, enter / system appliance enable
4. At the first warning prompt, enter yes
5. At the second warning prompt, enter yes
If a user tries to access the shell, they will receive the following message:
121: Shell access is prohibited with appliance mode enabled
Example
The following example shows how to disable access to the shell:
admin@mariner1:/# / system attributes set appliance.enabled = 1
admin@mariner1:/# / sys appliance
enable Enable appliance mode
<cr>
Appliance mode: disabled
admin@mariner1:/# / sys appliance enable
By enabling appliance mode, you will permanently remove the shell
capability.
Are you sure you want to permanently remove the shell capability? [no] yes
Answer again to proceed [no] yes
Appliance mode enabled
admin@mariner1:/# / shell
121: Shell access is prohibited with appliance mode enable
Appliance mode: enabled

Configuring Settings for Capturing Raw Flows

A View Raw Flows link is on the Summary tab of a DoS alert page. You can click this link
to view the raw flows data for the major traffic events associated with the alert. You can
then save the raw flows data as a report. You can also generate predefined raw flows
reports. These reports are based on raw flows that Sightline captures.
For information about generating or viewing a raw flows report for a DoS alert, see “About
the Summary Tab” on a DoS Alert Page in the Sightline and Threat Mitigation System User
Guide .
You can use CLI commands to configure settings that determine the rate at which raw
flows are captured and the amount of hard disk space that captured raw flows can use.
These settings are configured on a per appliance basis and can be configured on any of
the collector appliances in your Sightline deployment.
Configurable settings for capturing raw flows

You can use CLI commands to configure the following settings for capturing raw flows:
n Maximum disk usage
The maximum amount of hard disk space that can be used for the raw flows that are
captured and written to the disk. When the maximum disk usage is exceeded, Sightline
deletes old raw flows until the disk usage falls below this maximum value. The default
value is 20 GB.
n Suspension of flow capture
Raw flow capture is suspended when the disk usage is greater than this setting.
Sightline will delete old raw flows until the percentage falls below this value. Flow
capture will resume, once the "Use%" falls below the specified percentage. The default
value is 90%.
n Sample rate
The rate at which the raw flows are captured and written to the disk. The default is 100,
which means that 1 flow record is captured and written to the disk for every 100 raw
flows.
For estimates on the disk usage with different sample rates and different flows per
second, see “Estimated disk space usage with sample rates of 50 or 100” on the facing
page.
Use cases for modifying the settings for capturing raw flows
The following use cases are examples of when you might want to modify the default
settings for capturing raw flows:
n More detailed raw flows data is needed
You are under a long-running attack, and you want more detailed data about the
attack. You then change the sampling rate from the default rate of 100 to a rate that
captures more raw flows. For example, you can change the rate to 50, which captures 1
flow record for every 50 raw flows.
n Raw flows data is not relevant
The raw flows data is not relevant to you, and you want to reduce the amount of hard

disk space that can be used for writing the captured raw flows to the disk. You then
reduce the disk suspend setting and the maximum disk usage setting.
Estimated disk space usage with sample rates of 50 or 100

The following table displays the estimated amount of disk space that is used over different
time periods when raw flows are captured and written to the disk with a sample rate of 50
or 100. With a sample rate of 50, one flow record is captured and written to the disk for
every 50 raw flows, while with a sample rate of 100, one flow record is captured and
written to the disk for every 100 raw flows.
Estimated disk space usage
Estimated Disk Space

Flows per sec Sample rate for 1 Hour for 1 Day for 1 Week
50 K 50 120 MB 2.8 GB 20 GB
50 K 100 62 MB 1.5 GB 10 GB
100 K 50 229 MB 5.4 GB 37 GB
100 K 100 118 MB 2.7 GB 19.5 GB
200 K 50 430 MB 10 GB 70 GB
200 K 100 230 MB 5.4 GB 38 GB
Configuring the maximum disk usage setting

To configure the maximum disk usage setting:
1. Log in to the Sightline collector appliance’s CLI using the administrator user name and
password. See “Logging in to the CLI of an appliance” on page 16.
2. (Optional) To view the current maximum disk usage setting, enter / services sp
device edit collector_name raw_flows disk max show
collector_name = the name of the collector appliance
3. Enter / services sp device edit collector_name raw_flows disk max set
disk_space
disk_space = the maximum disk space in MB to be used for the raw flows that
are captured and written to the disk
Configuring the flow capture suspension setting

To set the flow capture suspension setting:
password. See “Logging in to the CLI of an appliance” on page 16.
2. (Optional) To view the current flow capture suspension setting, enter / services sp
device edit collector_name raw_flows disk suspend show

3. Enter / services sp device edit collector_name raw_flows disk suspend

set suspend_percentage
suspend_percentage = the usage percentage of the partition at which raw flows
are no longer saved when the "Use%" from df exceeds it
Configuring the sample rate setting

To set the sample rate setting:
password.
2. (Optional) To view the current sample rate, enter / services sp device edit
collector_name raw_flows sample_rate show
3. Enter / services sp device edit collector_name raw_flows sample_rate
set sample_rate
sample_rate = the rate at which raw flows are captured (The sample_rate is the
number of raw flows for each captured flow record. For example, if the sample_
rate is 50, then 1 flow record is captured and written to the disk for every 50 raw
flows.)
Clearing the settings for capturing raw flows

You can use CLI commands to clear specific settings for capturing raw flows or to clear all
the settings. When you clear a setting, it reverts to the default value.
To clear the settings for capturing raw flows:

password.
2. (Optional) To view all of the settings for capturing raw flows, enter / services sp
device edit collector_name raw_flows show
You can also use the following command arguments in place of raw_flows show to
view specific settings for capturing raw flows:
Command Setting
raw_flows disk max show maximum disk usage
raw_flows disk suspend show flow capture suspension
raw_flows disk show maximum disk usage and flow capture

suspension
raw_flows sample_rate show sample rate

3. To clear all of the settings for capturing raw flows and revert to the default values,
enter / services sp device edit collector_name raw_flows clear
You can also use the following command arguments in place of raw_flows clear to
clear specific settings for capturing raw flows:
Command Setting
raw_flows disk max clear maximum disk usage
raw_flows disk suspend clear flow capture suspension
raw_flows disk clear maximum disk usage and flow capture

suspension
raw_flows sample_rate clear sample rate

Resetting the Alert Database

If a situation occurs where you must reset the alert database on a leader appliance, you
must also reset the alert databases on all other appliances in your deployment to ensure
proper synchronization of database records between the leader and non-leader
appliances that have the user interface role.
Caution
You should perform this procedure only if instructed to do so by your SE or an Arbor
Technical Assistance Center representative. Resetting the alert database permanently
removes all alerts, mitigations, and associated data from your Sightline system.
Reasons for completing this procedure

You may need to complete this procedure if one of the following situations occur:
n You have a database corruption issue on the Sightline leader appliance and do not
have a recent backup image to restore the databases.
n You are upgrading an appliance to be the Sightline leader, and you want to reset the
databases to their initial, unpopulated state.
Resetting the alert databases

To reset the alert databases for all appliances in your deployment:
password.
2. Enter / services sp stop
3. Enter / services sp data database reset alert
A warning message is displayed to remind you to perform this procedure on all
Sightline appliances.
4. Enter / services sp start
5. Log in to the CLI of all non-leader appliances in your deployment and repeat Steps 2-
5.

Changing the Size of the BGP Shared Memory

You can change the size of the BGP shared memory from the default setting for an
Sightline appliance. You may want to increase the shared memory size if you have a large
number of routes, which makes the BGP table too large for the default shared memory
size.
The maximum size that you should set for the BGP shared memory is 2048 megabytes
(MB), which supports the guideline limit of 25 million steady-state BGP routes. The
minimum size that you should set for the BGP shared memory is 500 megabytes (MB). If
you set the size too small, the system might become unstable.
Setting the size of an appliance's shared memory for BGP

To set the BGP shared memory size for an appliance:
1. Log in to the appliance’s CLI by using the administrator name and password.
2. Issue the following commands to view or change the BGP shared memory size on the
appliance:
To... Issue this command...

display the current / services sp device edit appliance_name bgp
shared memory size shared_memory_size show
set a new shared / services sp device edit appliance_name bgp

memory size in MB shared_memory_size set size
reset the shared / services sp device edit appliance_name bgp

memory size to the shared_memory_size clear
default (1024 MB)
l appliance_name = name of the appliance

l size = new size of the shared memory in MB
3. For the change to take effect, stop and restart services by issuing the following
commands:
l / services sp stop
l / services sp start


Chapter 4
Configuring TMS Models
This section describes how to use the CLI commands to configure advanced TMS Model
settings.
In this section
Enabling and Disabling Promiscuous Mode on a Physical Interface of a TMS

Appliance 86
Enabling and Disabling the Performance Alert for a TMS Model 87
Assigning a TMS Appliance to a Different Sightline Leader 89
Pinging a Nexthop from a TMS Appliance 90
Running a Traceroute Command from a TMS Port 93
Viewing the BGP Status of a TMS Appliance 96
Viewing the APM Slot Status on Chassis-based TMS Appliances 97
Viewing and Clearing Interface Counters on TMS Appliances 99
Viewing SFP Module Information on TMS 2300 Series Appliances 100

Enabling and Disabling Promiscuous Mode on a Physical

Interface of a TMS Appliance
Promiscuous mode allows you to learn how the settings of a mitigation impact the traffic,
without actually dropping any of your traffic. A TMS appliance deployment with a physical
interface in promiscuous mode is like SPAN port mode except that the attack traffic is
mitigated although it is not dropped.
To enable or disable promiscuous mode on a physical interface of a TMS appliance, use

the CLI. For a description of a diversion deployment with a physical interface in
promiscuous mode, see “TMS Appliance Deployment Scenarios” in the Sightline and
Important
You can only put a physical interface into promiscuous mode on a TMS appliance that is
in the diversion mode.
Enabling promiscuous mode on a physical interface of a TMS appliance

To enable promiscuous mode on a physical interface of a TMS appliance in diversion
mode:
1. Log in to the TMS appliance’s CLI using the administrator user name and password.
2. Enter / services tms registry main set patch_panel.interface_
GID.promiscuous = 1
interface_GID = the GID of the interface
To identify the GID of an interface, run the services tms registry main
command and look for interface.#.name. The number before the interface name is the
GID for the interface.
Disabling promiscuous mode on a physical interface of a TMS appliance

To disable promiscuous mode on a physical interface of a TMS appliance:
2. Enter / services tms registry main set patch_panel.interface_
GID.promiscuous = 0
interface_GID = the GID of the interface
To identify the GID of an interface, run the services tms registry main
command and look for interface.#.name. The number before the interface name is the
GID for the interface.

Chapter 4 Configuring TMS Models
Enabling and Disabling the Performance Alert for a TMS

Model
You can enable and disable the Performance Alert on all TMS models. See “About
enabling and disabling the Performance Alert” below.
When enabled, a Performance Alert will trigger when a TMS model is overloaded and
dropping legitimate traffic. The conditions that trigger a Performance Alert are based on
the offered rate, the processed rate, and the overrun drop rate for mitigation traffic.
When triggered, the Performance Alert displays a message like the following example:
System oversubscribed: offered rate exceeded processed rate by 5%;
offered rate = 6.48 Gbps / 764.84 Kpps
About enabling and disabling the Performance Alert

You enable and disable the Performance Alert through the CLI of the TMS model. The
Performance Alert is disabled by default. See “Enabling the Performance Alert” on the
next page or “Disabling the Performance Alert” on the next page.
Important
Enabling or disabling the Performance Alert also enables or disables the TMS Fault - Rate
Limit alert. Therefore, like Performance Alert, the Rate Limit alert is disabled by default.
See "Rate Limit 'Licensed Limit' is 'Over Limit'" in the Sightline and Threat Mitigation
System User Guide.
Why set the Performance Alert?

Enabling the Performance Alert allows you to respond faster when an overloaded TMS
model is dropping traffic. For example, you can respond before you receive calls or
queries about dropped traffic from your downstream users.
About responding to a Performance Alert

You can respond to a Performance Alert in the following ways:
n Route some traffic going to the overloaded TMS model or to other TMS models in your
data center. (For example, you might announce the diversion to an Anycast address to
distribute the load.)
n (Software TMSes only) If your deployment has available Software TMS bandwidth,
increase the Bandwidth Capacity setting for the Software TMS that triggered the
Performance Alert. See "About flexible-licensed Software TMS bandwidth capacity" in
the Sightline and Threat Mitigation System User Guide.
n Use Sightline mitigation methods such as access control list (ACL) filtering, blackhole
routing, or flow specification ACLs, to reduce the load on the overloaded TMS model.
See Mitigating Attacks Using Sightline.
n Inform your downstream users that you are dropping traffic temporarily due to an
attack.
For a longer-term correction, you can purchase license upgrades for appliance-licensed
TMS model rate limits or flexible-licensed Software TMS bandwidth capacity. You can also
purchase additional TMS models.

Enabling the Performance Alert

To enable the Performance Alert for a TMS model:
1. Log in to the TMS CLI using the administrator user name and password.
2. Enter / services tms registry main set performance.alert = 1
When the alert is enabled, the CLI displays the message:
Registry key 'performance.alert' successfully set.
Disabling the Performance Alert

To disable the Performance Alert for a TMS model:
1. Log in to the TMS CLI using the administrator user name and password.
2. Enter / services tms registry main clear performance.alert
When the alert is disabled, the CLI displays the message:
Registry key 'performance.alert' successfully cleared.

Assigning a TMS Appliance to a Different Sightline Leader

You use the CLI to assign a TMS appliance to a different Sightline leader. You can also use
the CLI to determine the current Sightline leader of a TMS appliance.
Assigning a TMS appliance to a different leader

To assign a TMS appliance to a different Sightline leader:
1. Log in to the TMS appliance’s CLI by using the administrator name and password.
2. Enter / services tms bootstrap leader zone_secret
leader = the IP address of the Sightline leader appliance.
zone_secret = the word or phrase that is used by all appliances in the system for
internal communication
3. Log in to the Sightline leader appliance’s web UI, and add the TMS appliance to the
deployment.
See “Configuring Sightline Appliances” in the Sightline and Threat Mitigation System
User Guide .
Identifying the current Sightline leader

To identify the current Sightline leader of a TMS appliance:
2. Enter / services tms bootstrap

Pinging a Nexthop from a TMS Appliance

Use the tms-ping command to ping a nexthop from a TMS appliance in a diversion
deployment. You run tms-ping from the command line interface on the TMS appliance.
See “Using the Command Line Interface (CLI)” on page 13.
Note
You can also use the tms-traceroute command to troubleshoot network connectivity
in your Sightline/TMS diversion deployment. See “Running a Traceroute Command from
a TMS Port” on page 93.
About tms-ping
With tms-ping, you can ping a nexthop for a physical or logical TMS interface or
subinterface. The nexthop is the destination in the echo request sent by tms-ping. You
specify the destination to ping using the nexthop’s DNS hostname or its IPv4 or IPv6
address.
You can optionally specify a TMS interface or subinterface as the source interface. This
interface is the source of the echo request sent by tms-ping (...the interface that you “ping
from”). In the tms-ping command, you specify the source interface by name. For
example, the source name can be the name of an output port that is configured for a TMS
interface or subinterface.
If you ping a nexthop’s DNS hostname, you can tell the tms-ping command to ping either
the IPv4 address or the IPv6 address for that hostname. This is useful when the host’s DNS
resource record contains both an IPv4 host address and an IPv6 address.
See “To ping a nexthop using tms-ping” below.
When to use tms-ping

The tms-ping command works in Diversion deployments in either Patch Panel or Layer 3
forwarding mode. However, tms-ping does not work in Inline or PortSpan deployments.
See Configuring Deployment Settings for a TMS Appliance, Software TMS, TMS-ISA, or
Cisco ASR 9000 vDDoS Protection Model.
The standard ping command cannot ping from a TMS mitigation interface while TMS
services are running, but tms-ping can. However, tms-ping cannot ping from any TMS
management interface. Instead, use the standard ping command to ping from a
management interface.
To ping a nexthop using tms-ping

To ping a nexthop for a mitigation interface in Patch Panel or Layer 3 forwarding mode:
1. Log in to the CLI for the TMS appliance using the administrator name and password.
2. Enter / services tms tms-ping [ipv4|ipv6] {hostname|v4addr|v6addr}
[source_intf] [number]
where:
ipv4|ipv6 = the internet protocol of the DNS host IP address to ping. Use this
keyword when a DNS host has both an IPv4 and an IPv6 address. For example,

include ipv4 to ping the IPv4 address for a DNS host. If you omit this keyword,
the command pings the IPv6 address of the DNS host by default.
Note
If you ping a DNS host named “ipv4” or “ipv6”, include this
keyword to ping the intended IPv4 or IPv6 address.
hostname|v4addr|v6addr = the nexthop to ping. You can specify the nexthop
to ping by its DNS hostname, its IPv4 address (A.B.C.D). or its IPv6 address
(aaaa:bbbb:...).
source_intf = the name of the TMS mitigation interface to ping from. This can
be the name of a physical or logical mitigation interface or subinterface. For
example, source_intf can be an interface name such as tms2, tms0.4, or
logical0. Or, it can be a subinterface name such as tms2.3, tms0.4.1, or
logical0.1. If you do not specify an interface or subinterface name, the TMS
automatically selects an interface to ping from.
Note
A subinterface name is the parent interface name with a “.n”
suffix. The “n” is the VLAN ID number (or “VLAN tag”) for the
subinterface. See Configuring Subinterfaces for a TMS
Appliance or Cisco ASR 9000 vDDoS Protection Model.
number = the number of ping attempts.
Example: Using tms-ping in Patch Panel forwarding mode

In Patch Panel forwarding mode, you can ping the IPv4 Nexthop or IPv6 Nexthop for
any configured TMS interface or subinterface on the Patch Panel tab.
See Configuring Patch Panel Settings for a TMS Appliance, Software TMS, or Cisco ASR
9000 vDDoS Protection Model.
If several interfaces have the same nexthop address, use source_intf in the tms-ping
command to specify the name of the interface or subinterface to ping from. You can also
use source_intf to ping the nexthop from the Output Port that is configured for a TMS
For example, on a TMS HD1000 appliance, suppose the interface tms0.0 is configured with
the IPv4 Nexthop address 192.0.2.100 and the Output Port is assigned to
subinterface tms0.1.100. To ping the IPv4 nexthop for tms0.0 from the output port
tms0.1.100, enter the following command:
/ services tms tms-ping 192.0.2.100 tms0.1.100
Example: Using tms-ping in Layer 3 forwarding mode

In Layer 3 forwarding mode, you can ping any nexthop that is configured on the IPv4
Forwarding tab or the IPv6 Forwarding tab. This includes the Default Nexthop and any
Nexthop to an IP Prefix configured in the forwarding table. You can also use source_
intf in the tms-ping command to ping the nexthop from any TMS interface or
subinterface configured on the Patch Panel tab.
See About layer 3 forwarding and Configuring IP Forwarding Settings for a TMS
Appliance.

For example, to ping the Nexthop address 192.0.2.101 on the IPv4 Forwarding tab
from the TMS interface tms2, enter the following command:
/ services tms tms-ping 192.0.2.101 tms2

Running a Traceroute Command from a TMS Port

Use the tms-traceroute command to display each hop in the path that packets take to a
network host from a TMS appliance in a diversion deployment. This command also
displays the elapsed time between each hop. You run tms-traceroute from the
command line interface on the TMS appliance.
See “Using the Command Line Interface (CLI)” on page 13.
Note
You can also use the tms-ping command to troubleshoot network connectivity in your
Sightline and TMS diversion deployment. See “Pinging a Nexthop from a TMS Appliance”
on page 90.
About tms-traceroute
With tms-traceroute, you can trace a route to a destination host from a physical or
logical TMS interface or subinterface. You specify the destination host using its DNS
hostname or its IPv4 or IPv6 address.
You can optionally specify a physical or logical TMS interface or subinterface as the source
interface for the trace. The route trace starts at the source interface. In the
tms-traceroute command, you specify the source interface by name. For example, the
source interface name can be the name of an output port that is configured for a TMS
If you trace a route to a DNS host, you can tell the tms-traceroute command to use
either the IPv4 address or the IPv6 address for that DNS host. This is useful when the
host’s DNS resource record contains both an IPv4 host address and an IPv6 address.
See “To trace a route from a TMS port using tms-traceroute” on the next page.
When to use tms-traceroute

The tms-traceroute command works in Diversion deployments in either Patch Panel or
Layer 3 forwarding mode. However, tms-traceroute does not work in Inline or
PortSpan deployments.
See Configuring Deployment Settings for a TMS Appliance, Software TMS, TMS-ISA, or
Cisco ASR 9000 vDDoS Protection Model.
In Layer 3 forwarding mode, tms-traceroute can trace routes with multiple hops to
destinations in different subnetworks. However, in Patch Panel forwarding mode,
tms-traceroute can only trace single-hop routes to destinations in the same
subnetwork as the source interface. Therefore, tms-traceroute provides the same
information as the tms-ping command in Patch Panel forwarding mode. Specifically, it
shows the elapsed time for packets to reach a single destination.
See “Example: Using tms-ping in Patch Panel forwarding mode” on page 91.

The standard traceroute command cannot trace a route from a TMS mitigation interface
while TMS services are running, but tms-traceroute can. However, tms-traceroute
cannot trace a route from any TMS management interface. Instead, use the standard
traceroute command to trace a route from a management interface.

To trace a route from a TMS port using tms-traceroute

To trace a route from a mitigation interface in Patch Panel or Layer 3 forwarding mode:
1. Log in to the CLI for the TMS appliance using the administrator name and password.
2. Enter / services tms tms-traceroute [ipv4|ipv6]
{hostname|v4addr|v6addr} [source_intf]
where:
ipv4|ipv6 = the internet protocol of the destination DNS host IP address. Use
this keyword when a DNS host has both an IPv4 and an IPv6 address. For
example, include ipv4 to trace a route to the IPv4 address for a DNS host. If you
omit this keyword, the command traces a route to the IPv6 address of the DNS
host by default.
Note
If you trace a route to a DNS host named “ipv4” or “ipv6”,
include this keyword to trace a route to the intended IPv4 or
IPv6 address.
hostname|v4addr|v6addr = the destination of the route to trace. You can
specify the destination by its hostname, its IPv4 address (A.B.C.D). or its IPv6
address (aaaa:bbbb:...).
source_intf = the name of the TMS mitigation interface from which the route
trace starts. This can be the name of a physical or logical mitigation interface or
subinterface. For example, source_intf can be an interface name such as tms2,
tms0.4, or logical0. Or, it can be a subinterface name such as tms2.3,
tms0.4.1, or logical0.1. If you do not specify an interface or subinterface
name, the TMS automatically selects the interface where the route starts.
Note
A subinterface name is the parent interface name with a “.n”
suffix. The “n” is the VLAN ID number (or “VLAN tag”) for the
subinterface. See Configuring Subinterfaces for a TMS
Appliance or Cisco ASR 9000 vDDoS Protection Model.
Example: Using tms-traceroute in Patch Panel forwarding mode

Note
Using tms-traceroute in Patch Panel forwarding mode provides the same information
as the tms-ping command. See “When to use tms-traceroute” on the previous page.
In Patch Panel forwarding mode, you can trace a route to any destination that is in the
same subnetwork as the source interface. For example, you can trace a route to an IPv4
Nexthop or IPv6 Nexthop from any configured TMS interface or subinterface on the
Patch Panel tab.
See Configuring Patch Panel Settings for a TMS Appliance, Software TMS, or Cisco ASR
9000 vDDoS Protection Model.
You can optionally use source_intf in the tms-traceroute command to specify the
name of the interface or subinterface where the route trace starts. You can also use
source_intf to start a route trace from the Output Port that is configured for a TMS

For example, on a TMS HD1000 appliance, suppose the interface tms0.0 is configured with
the IPv4 Nexthop address 192.0.2.100 and the Output Port is assigned to
subinterface tms0.1.100. To trace a route to the IPv4 nexthop for tms0.0 from the output
port tms0.1.100, enter the following command:
/ services tms tms-traceroute 192.0.2.100 tms0.1.100
Example: Using tms-traceroute in Layer 3 forwarding mode

In Layer 3 forwarding mode, you can trace a route from a TMS port to any destination
network host or IP address. You can optionally use source_intf in the tms-traceroute
command to start a route trace from any TMS interface or subinterface configured on the
Patch Panel tab.
See About layer 3 forwarding and Configuring IP Forwarding Settings for a TMS
Appliance.
For example, to trace a route to the host at IP address 192.0.2.101 from the TMS
interface tms2, enter the following command:
/ services tms tms-traceroute 192.0.2.101 tms2

Viewing the BGP Status of a TMS Appliance

You can view the BGP status of all TMS appliances. This allows you to verify your BGP
configuration and can help you to debug network issues.
Viewing the BGP status of a TMS appliance

To view the BGP status of a TMS appliance:
2. Issue the following commands to view the appliance’s BGP status:
To view this... Issue this command...

BGP configuration / services tms deployment bgp show config
advertised routes / services tms deployment bgp show routes
neighbors’ states / services tms deployment bgp show neighbors
BGP configuration / services tms deployment bgp show alerts

alerts
the last “n” number / services tms deployment bgp show number
of BGP number = the number of most recent BGP announcements
announcements that you want to view (The default is 20.)

Viewing the APM Slot Status on Chassis-based TMS Appliances

In chassis-based TMS appliances, you can use the CLI to view the activation status of
APM slots. You can also use the CLI to activate and deactivate APM slots.
Note
On the TMS 4000 and 5000 appliances, the valid APM slot numbers are 3, 4, 5, and 6.
Important
Consult with your SE or Arbor Technical Assistance Center before using the commands
listed in this topic. See “Contacting the Arbor Technical Assistance Center” on page 11.
Commands
You can log in to the CLI for a chassis-based TMS appliance and use the following
commands to view and change the slot activation status:
Slot activation status commands
Action Command
View the activation status of all populated APM slots / system hardware slot
in the appliance.
Activate all APM slots in the appliance. / system hardware slot

activate
Deactivate all APM slots in the appliance. / system hardware slot

deactivate
(TMS 4000 appliances only) Reboots all APMs in the / system hardware slot
appliance and then shows the activation status of rescan
all populated APM slots.
Show the activation status of the specified slot. / system hardware slot
slot-number
Activate the specified APM slot. / system hardware slot

slot-number activate
Deactivate the specified APM slot. / system hardware slot

slot-number deactivate
(TMS 4000 appliances only) Reboots the APM in the / system hardware slot
specified slot and then shows the activation status slot-number rescan
of the specified slot.
Examples
The following are examples of the CLI commands for viewing or changing the APM slot
activation status for the chassis-based TMS appliances.
n To show the activation status for all populated APM slots in a TMS 4000 appliance:
admin@tms4000:/# / system hardware slot

The system responds with the following messages:

Slot 3 is Active, Admin Status is Enabled
Slot 6 is Inactive, Admin Status is Enabled
Note
In the example above, slot 6 is empty.
n To deactivate APM slot 4 in a TMS 5000 appliance:
admin@tms5000:/# / system hardware slot 4 deactivate
The system deactivates slot 4 and responds with this message:
Slot 4 is Inactive, Admin Status is Disabled

Viewing and Clearing Interface Counters on TMS Appliances

TMS appliances use interface counters to keep track of the number of packets and bytes
that are sent and received by each interface. You can use Command Line Interface (CLI)
commands to view and clear (reset to zero) the packet and byte counters for a specific
interface or all interfaces on your TMS appliance.
For CLI instructions, see “Using the Command Line Interface (CLI)” on page 13 .
Showing and clearing interface counters

To show or clear the packet and byte counters for all interfaces or one specified interface
on a TMS appliance, perform these steps:
2. To show or clear interface counters for all interfaces, enter
/ ip interfaces counter [clear]
3. To show or clear interface counters for one specified interface, enter
/ ip interfaces counter [intf-name] [clear]
intf-name = the specified interface name, such as tmsx2 or mgmt0
About clearing interface counters

When you use a CLI command to show interface counters, the TMS appliance shows
packet and byte counts sent and received since the counters were last cleared.
To clear the counters for all interfaces, you can use a CLI command or you can reboot the
TMS appliance. However, to clear the counters for only one interface, you must use a CLI
command.
Note
Restarting the TMS service (using the CLI commands / services tms stop and then
/ services tms start) clears all mitigation interface counters but does not clear
management interfaces.
Example: Viewing the counters for a specific mitigation interface

The following shows the output of a CLI command that was used to show the interface
counters for mitigation interface tmsx2 on a TMS 2310 appliance:
admin@tms-2310:/# / ip interfaces counter tmsx2
tmsx2 counters last cleared at 2014-09-24 19:56:05
Input: 439764 pkts, 52676349 bytes, 0 errors
Output: 0 pkts, 0 bytes, 0 errors, 0 collisions
Interrupts: 24463070

Viewing SFP Module Information on TMS 2300 Series

Appliances
You can use the Command Line Interface (CLI) command / ip interfaces show to
view information about each small form-factor pluggable (SFP or SFP+) transceiver
module that is installed in your TMS 2300-series appliance.
See “Viewing SFP module information for a TMS 2300-series appliance” below.
For CLI instructions, see “Using the Command Line Interface (CLI)” on page 13 .
About SFP and SFP+ interfaces in TMS 2300-series appliances

TMS 2300 series appliances have SFP or SFP+ interfaces mounted on their network
interface cards (NICs). These interfaces are physical “cages” that accept hot-pluggable SFP
or SFP+ transceiver modules. An SFP or SFP+ module provides the appliance with either
an optical interface or an electrical interface to the protected network. For example, an
SFP+ optical interface on a TMS 2310 appliance will accept SFP+ modules for single mode
or multimode fiber with different types of fiber optic connectors.
You configure SFP and SFP+ modules as mitigation ports on a TMS 2300 series appliance.
SFP+ modules provide about ten times the throughput of SFP modules. Each 1-Gigabit
Ethernet (1GE) SFP module provides up to 1 Gbps of mitigation capacity. Each 10GE SFP+
module provides up to 10 Gbps of mitigation capacity.
Important
The total mitigation capacity for a TMS 2300-series appliance might be less than the sum
of the capacities of its individual SFP or SFP+ modules. This is because the total mitigation
capacity of an appliance depends on its hardware and license configuration as well as the
number and type of SFP or SFP+ modules installed.
Note
SFP and SFP+ modules are purchased separately from Arbor, or they are user-supplied.
Viewing SFP module information for a TMS 2300-series appliance

To view the information about each SFP or SFP+ module installed in a TMS 2300-series
appliance:
2. Enter / ip interfaces show.

Categories of displayed SFP module information

The / ip interfaces show command displays the following categories of information
for each SFP and SFP+ module installed in your TMS 2300 series appliance:
SFP module information categories
Category Description Examples

Port name The name of the tmsx0, tmsx3
mitigation port to which
the SFP or SFP+ module
is connected.
Module A description of the Ten Gigabit Fiber (10GE SFP+ fiber optic

type module type in terms of module)
its configured connection Gigabit Fiber (1GE SFP fiber optic module)
speed and interface type Gigabit Ethernet (1GE SFP electrical
(optical or electrical). “copper” module)
Interface The current state, up or UP

state down, of the SFP or SFP+ DOWN
interface to which the
module is connected.
MTU size The size of the maximum mtu 1500 (for a 1500-byte MTU)
transmission unit (MTU)
in bytes.
MAC The media access control Hardware: 00:E0:ED:26:E8:E4

address (MAC) address for the
SFP or SFP+ module.
Media The module's Media: Ethernet autoselect (copper SFP

transmission media, module using Ethernet)
copper or fiber, and Media: Fiber (fiber optic SFP or SFP+
supported network module using Fibre Channel)
protocol, Ethernet, Fibre
Channel, or SONET.
Status The negotiated speed at tatus: 10000Mb/s Full (link has been
S
which the module established at 10 Gbps)
currently runs. Status: 1000Mb/s Full (link has been
established at 1 Gbps)
Status: No carrier (link has not been
established)
Input Link statistics for data Input: 0 pkts, 0 bytes, 0 errors

received by the module.
Output Link statistics for data Output: 3 pkts, 258 bytes, 0 errors,

transmitted by the 0 collisions
module.

SFP module information categories (Continued)
Category Description Examples

Interrupts The cumulative number 13466083 (interrupts)
of interrupts on this
module's interface. An
interrupt occurs on an
interface when the
interface is UP and one of
the following events
occur:
n Data is present on the
interface and is ready
to process.
n The system checks the
status of the interface.
Model The module type, SFP: FINISAR CORP. FTLX8571D3BCL

information manufacturer, and model Note
number. The module type SFP indicates either an SFP
or SFP+ module.
Limitations on the display of model information for 1GE SFP modules

In the / ip interfaces show command output, the following limitations apply to the
display of model information for 1GE SFP modules installed in a TMS 2300-series
appliance: (See “Model information” above. )
n For 1GE SFP fiber optic modules: the interface for the SFP module must be UP in order
to display its model information.
n For 1GE SFP copper modules installed on 1GE NICs: the model information for the SFP
module is not displayed. However, if the 1GE SFP copper modules are installed on 10GE
NICs, the model information is displayed (though this is a nonstandard configuration).
Note
For 10GE SFP+ modules, there are no limitations on the display of model information.
Example: Interface information displayed for SFP+ modules

The following example shows the interface data for mitigation ports tmsx0–5. This
information appears when you run the / ip interfaces show command on a TMS
2310 appliance with six fiber optic SFP+ 10GE modules installed on 10GE NICs.
Note
Interface information for management ports mgt0-3 will also appear when you run this
command, however it was omitted from this example for brevity. The format of the
management port interface information is similar to the information shown for
mitigation ports tmsx0-6. On TMS 2300-series appliances, management ports are 1GE
copper interfaces on the motherboard, not SFP modules on NICs.
admin@tms-2310:/# / ip interfaces show
tmsx0 Ten Gigabit Fiber, Interface is UP, mtu 1500
Hardware: 00:E0:ED:26:E8:E4

Media: Fiber
Status: No carrier
SFP: FINISAR CORP. FTLX8571D3BCL

Hardware: 00:E0:ED:26:E8:E5
Media: Fiber
Status: No carrier

Hardware: 00:E0:ED:29:2B:F1
Media: Fiber
Status: 10000Mb/s Full

Hardware: 00:E0:ED:29:2B:F0
Media: Fiber
Status: No carrier
Output: 893803261601 pkts, 606675676807251 bytes, 0 errors

Hardware: 00:E0:ED:22:6D:D9
Media: Fiber

Hardware: 00:E0:ED:22:6D:D8
Media: Fiber


Chapter 5
Configuring Settings for Routers and
Interfaces
This section describes how to configure settings for routers and interfaces.
In this section
Configuring Sightline to Monitor Routers with BGP 106

Configuring the Local BGP Router ID on Sightline Appliances 108
Enabling the Detection of Traffic on a Router Based on SNMP Polling 109
Disabling SNMP Polling for a Router 110
Configuring IPv4 Aliases and Netmasks for Sightline Appliance Network Interfaces 111
Disabling Sampling on Router Interfaces 112
Manually Running Router Auto-Configuration 113
Configuring Loopback Interfaces 114
Configuring the BGP Interface on a TMS Appliance 117
Configuring Multiple VLAN Subinterfaces on a TMS Appliance 118
File Format for the / services sp data bgp dump <router> Command 121

Configuring Sightline to Monitor Routers with BGP

You can configure BGP settings to enable Sightline to monitor routers.
Configuring BGP for router monitoring

To configure BGP for router monitoring:
1. Log in to the Sightline leader appliance’s CLI using your administrator user name and
password.
2. To view your routers, enter / services sp router edit ?
3. Enter the router_name that you want to monitor.
4. Enter bgp
5. Enter ip_address set IP_address
IP_address = the IP address that Sightline should use when creating a BGP
peering session with this router.
6. Enter remote_as set AS_number
AS_number = the remote BGP AS number for the router
7. To enable the monitor routes BGP capability, enter / services sp router edit
router_name bgp capabilities monitor_routes enable
Example
The following example shows how to configure BGP for router monitoring:
admin@mariner1:/services sp router edit
ar1.chi/ Router name
ar1.lax/ Router name
ar1.nyc/ Router name
br1.chi/ Router name
br1.lax/ Router name
br1.nyc/ Router name
cr1.chi/ Router name
cr1.lax/ Router name
cr1.nyc/ Router name
mpls1.chi/ Router name
r4/ Router name
vr1.lax/ Router name
vr1.nyc/ Router name
admin@mariner1:/services/sp/router/edit crl.lax
admin@mariner1:/services/sp/router/edit/london2 bgp
admin@mariner1:/services/sp/router/edit/london2/bgp ip_address set
10.0.1.1
admin@mariner1:/services/sp/router/edit/london2/bgp remote_as set 555

Chapter 5 Configuring Settings for Routers and Interfaces
About advanced configuration options

You can apply advanced configuration options to routers using the web UI. See
“Configuring Routers” in the Sightline and Threat Mitigation System User Guide .

Configuring the Local BGP Router ID on Sightline Appliances

You can set the local BGP router ID on an Sightline appliance. This provides you the
flexibility to set the router ID either to a loopback interface IP address (if you configured
one) or to another IP address, if required by your internal routing configuration.
Procedure
To configure the BGP router ID on an Sightline appliance:
1. Log in to the leader appliance by using the administrator user name and password.
2. Enter / services sp device edit name bgp router_id IP_address
name = the name of the Sightline appliance
IP_address = the IPv4 IP address to which you want to set the local BGP router
ID. If you do not set the local BGP router ID, then Sightline uses the IP address of
the interface over which the BGP session to a router is established.
Sightline restarts all BGP sessions.

Enabling the Detection of Traffic on a Router Based on SNMP

Polling
If you want to use Sightline to see SNMP polling data for interfaces that will never see flow,
you can enable the detection of traffic on a router based on SNMP polling.
Procedure
To enable the detection of traffic on a router based on SNMP polling:
password.
3. Enter the router_name
4. Enter advanced flow_seen {flow | all}
flow = the detection of traffic using only flow
all = the detection of traffic using flow and SNMP polling
5. To save the configuration, enter config write

Disabling SNMP Polling for a Router

In the rare case that a router has difficulty SNMP polling CPU and memory statistics, you
can disable SNMP polling for the router.
Disabling SNMP polling for a router

To disable SNMP polling for a router:
password.
3. Enter the router_name
4. Enter snmp
5. Enter hardware_polling disable
Example
The following example shows how to disable SNMP polling for a router:
admin@mariner1:/# services sp router edit
ar1.chi/ Router name
ar1.lax/ Router name
ar1.nyc/ Router name
br1.chi/ Router name
br1.lax/ Router name
br1.nyc/ Router name
cr1.chi/ Router name
cr1.lax/ Router name
cr1.nyc/ Router name
mpls1.chi/ Router name
r4/ Router name
vr1.lax/ Router name
vr1.nyc/ Router name
admin@mariner1:/services/sp/router/edit brl.chi
admin@mariner1:/services/sp/router/edit/madrid2 snmp
admin@mariner1:/services/sp/router/edit/madrid2/snmp/ hardware_polling
disable

Configuring IPv4 Aliases and Netmasks for Sightline Appliance

Network Interfaces
You can use the ifconfig command to set an alias IPv4 address and netmask for a
Sightline appliance network interface. Sightline can associate any number of IPv6
addresses with an interface; therefore, configuring an alias IPv6 address is not necessary.
When to use the ifconfig command

The ifconfig command allows you to do the following:
n conform to local security or management requirements by providing access to Sightline
appliances on multiple IP subnets
n enable differential routing by providing a Sightline appliance’s main address for normal
access (DNS mapped address) and an alias address to exchange large data streams
Procedure
To set an alias IPv4 address and netmask for a network interface:
1. Log in to the Sightline appliance’s CLI using your administrator user name and
password.
2. Enter / ip interfaces ifconfig network interface_name IPv4_address
netmask alias
Example
The following example shows how to add an IPv4 alias:
admin@mariner1:/# / ip interfaces ifconfig fxp0 10.0.1.13 255.255.255.0
alias
admin@mariner1:/ip/interfaces#

Disabling Sampling on Router Interfaces

You can disable sampling on specific router interface SNMP indexes instead of on entire
routers.
Disabling sampling on router interfaces

1. To disable sampling on a router interface:
2. Log in to the CLI for the Sightline appliance that monitors the router.
3. Enter / system attributes set collector.collector_
name.router.router_name.sampling_disabled_indices = “indexes_list”
Tip
Enter the indexes_list as integers separated by commas.
Example
The following example shows how to disable sampling for the router “chicago1” on the
indexes 1 and 3:
admin@mariner1:/# system attributes set
collector.mariner1.router.chicago1.sampling_disabled_indices = “1,3”
admin@mariner1:/system# / services sp stop
Stopping Sightline services..............done.
admin@mariner1:/system# / services sp start
Starting Sightline services......done.

Manually Running Router Auto-Configuration

You can force Sightline to manually run the Auto-Configuration of interfaces.
When to manually run router Auto-Configuration

Manually running router Auto-Configuration is useful in the following situations:
n when you first install a system (to avoid waiting for the next scheduled Auto-
Configuration time)
n to see why the traffic for a peer has changed dramatically
You cannot manually configure the Auto-Configuration schedule. Auto-Configuration

occurs automatically every four hours, at 50 minutes past the hour (for example, 02:50,
06:50, 10:50).
For information about Auto-Configuration rules, see “Auto-Configuration Heuristics” in the

Running router Auto-Configuration manually

To manually run router Auto-Configuration:
1. Log in to the Sightline leader appliance using the administrator user name and
password.
2. Enter / services sp auto-config run
Example
The following example shows how to manually run router Auto-Configuration.
admin@mariner1:/# / services sp auto-config run
admin@mariner1:/#

Configuring Loopback Interfaces

To enable layer 3 interface redundancy, you can configure up to five loopback interfaces
on Sightline appliances. Loopback interfaces allow you to maintain links as well as
ArborFlow collection, BGP peering, and SNMP querying when one of your interfaces goes
down.
Important
The primary and secondary failover interfaces for a loopback interface configuration
must be on separate broadcast domains or subnets.
Services that do not use loopback interfaces

The following services do not use loopback interfaces:
n NTP requests
n DNS requests
n SMTP
n syslog
n SNMP traps
Configuring loopback interfaces

To configure loopback interfaces:
1. Log in to the CLI of the Sightline appliance on which you want to configure a loopback
interface.
2. Enter / ip interface ifconfig loopback interface_number IP_address
interface_number = the loopback interface number, which can be 1 through 5
IP_address = the IP address of the loopback interface
3. Enter / ip route failover primary interface
interface = the name of the Sightline interface that you want to configure as
primary
4. Enter / ip route failover secondary interface
interface = the name of the Sightline interface that you want to configure as
secondary
5. Enter / ip route add network default_gateway failover failover_
interface.
network = the default route or another destination network that will use interface
redundancy
default_gateway = the gateway of the destination network that will use interface
redundancy
failover_interface = the name of one of the Sightline interfaces that will be
used for interface redundancy
6. Repeat Step 5 for the second Sightline interface that will be used for interface
redundancy.
7. Enter / services sp router edit name bgp update_source IP_address
name = the name of the router that you are configuring

IP_address = the IP address of the Sightline loopback interface that the router
will peer with
8. Add the IP address of the loopback interface to your router’s configuration.
9. If your router is already configured as a BGP peer with the Sightline appliance, then
remove the existing physical interface IP address from the router’s BGP configuration.
10. Repeat Step 7 through Step 9 for each router that you want to establish a BGP session
with Sightline using the loopback interface.
11. If you want SNMP queries from the Sightline appliance to the router to be sourced
from the loopback interface, then enter / services sp router edit name snmp
local_ip_address set IP_address
name = the name of the router that you are configuring
IP_address = the IP address of the Sightline loopback interface from which
SNMP queries should be sourced
12. To have the Sightline appliance set the BGP router ID of the appliance to the loopback
interface IP address, then enter / services sp device edit name bgp router_
id set IP_address
name = the name of the appliance that you are configuring
IP_address = the IP address of the Sightline loopback interface for the appliance
that you are configuring
13. If you changed the IP address on a leader appliance, then do the following to
re-bootstrap your appliances:
l On the leader appliance, enter / services sp bootstrap leader IP_address
zone_secret role nodeldb
zone_secret = the zone secret for the deployment
role = the role to assign to the appliance
Enter bi for the data storage role, cp for the traffic and routing analysis role, fs
for the Flow Sensor appliance, and pi for the user interface role. The Flow
Sensor appliance is only applicable with appliance-based licensing.
Note
With appliance-based licensing, the different types of Sightline appliances have
fixed roles. For information on the relationships between appliance types and
appliance roles, see "Introduction to Sightline Appliances" in the Sightline and
l On the non-leader appliances, enter the following commands:
l If the appliance has the user interface role (pi), enter / services sp stop
l / services sp bootstrap nonleader IP_address zone_secret role
zone_secret = the zone secret for the deployment
Enter bi for the data storage role, cp for the traffic and routing analysis
role, fs for the Flow Sensor appliance, and pi for the user interface role.
The Flow Sensor appliance is only applicable with appliance-based
licensing.

Note
With appliance-based licensing, the different types of Sightline appliances
have fixed roles. For information on the relationships between appliance
types and appliance roles, see "Introduction to Sightline Appliances" in the
l If the appliance has the user interface role (pi), enter / services sp start
A non-leader user interface device will take additional time to start, because it will
be resynchronizing the database. Resynchronizing should take less than 10
minutes; however, large databases on slow connections could take longer.
14. If you configured a loopback interface on a non-leader appliance, then log in to the
web UI of the leader and update the IP address of the non-leader appliance.
See “Configuring Sightline Appliances” in the Sightline and Threat Mitigation System
User Guide .

Configuring the BGP Interface on a TMS Appliance

You can assign the BGP interface for a BGP peering session to a specific configured
management interface. This is useful if your TMS appliance has multiple configured
management interfaces.
The TMS will use any available management interface for the BGP interface when one of
the following are true:
n The BGP interface is assigned to a misconfigured management interface. For example,
if the management interface is configured as mgt1 on the TMS appliance and mgt0 on
the router.
n The BGP interface is not assigned to a management interface.
Configuring the BGP interface on a TMS appliance

To assign the BGP interface to a configured management interface on a TMS appliance:
1. Log in to the TMS appliance’s CLI by using the administrator user name and
password.
l To view the BGP interface setting, enter services tms deployment bgp
interface
l To set the BGP interface, enter services tms deployment bgp interface set
interface
interface = the name of the management interface
l To clear the BGP interface, enter services tms deployment bgp interface
clear

Configuring Multiple VLAN Subinterfaces on a TMS Appliance

You can configure multiple VLAN subinterfaces on either mgt0 or mgt1. After you
configure VLAN subinterfaces, you will need to add a new default route if you do not want
to use the existing default route. You should also add access rules to the VLAN
subinterfaces for the recommended services.
Note
You cannot configure multiple VLAN subinterfaces on mgt1 for the MCM-2 platform.
Adding multiple VLAN subinterfaces on a TMS appliance

To add multiple VLAN subinterfaces on a TMS appliance.
password.
2. Enter / ip interfaces vlan {mgt0|mgt1}VLAN_number
VLAN_number = the number of the VLAN
3. Repeat Step 2 for each VLAN that you want to add.
4. To display the VLAN subinterfaces that you added, enter / ip interfaces show
5. To save the configuration changes, enter config write
Configuring VLAN subinterfaces on a TMS appliance

You configure VLAN subinterfaces in the same way that you configure the parent
interfaces.
To configure a VLAN subinterface:

password.
2. Enter / ip interfaces ifconfig subinterface_ name IP_address netmask up
subinterface_ name = the name of the subinterface (for example: mgt1.1,
mgt1.2, or mgt0.1)
IP_address = the IP address of the subinterface
If you enter an IPv6 address, then you must also include the prefix length.
netmask = the netmask for the subinterface in dotted-quad format
If you included the prefix length with the IP address, then do not include the netmask.
3. Repeat Step 2 for each VLAN subinterface that you added.
Adding a new default route for a VLAN subinterface

If you do not want to use the exiting default route with a VLAN subinterface, you must
delete it and then add a new default route for the VLAN subinterface.
Warning
Before you delete the default route entry, make sure you have physical access to the
appliance or that you understand how your system is connected to the appliance so that
you do not lock yourself out.

To add a new default route for a VLAN subinterface:

password.
2. Enter ip route delete default.
3. Enter ip route add default IP-address subinterface_name.
IP_address = the IP address of the subinterface
mgt1.2, or mgt0.1)
Note
To use IPv6 transport to access IPv6-enabled network services that are outside the
subnet local to the interface, you must have a configured IPv6 default route.
4. Repeat Step 3 for each VLAN subinterface that you added.
Adding access rules to a VLAN subinterface

To add access rules to a VLAN subinterface:
password.
2. Enter ip access add https subinterface_ name CIDR_block
mgt1.2, or mgt0.1)
CIDR_block = the CIDR block of the source network that you want to use for this
service
3. Enter ip access add ssh subinterface_ name CIDR_block
mgt1.2, or mgt0.1)
service
4. Enter ip access add ping subinterface_ name CIDR_block
mgt1.2, or mgt0.1)
service
5. Repeat Step 2 through Step 4 for each VLAN subinterface that you added.
6. Enter ip access commit
Removing a VLAN subinterface on a TMS appliance

To remove a subinterface on a TMS appliance:
password.

Important
You must remove any ip access rules that have been added to the subinterface
before you remove a VLAN subinterface.
2. To determine what ip access rules have been added to the subinterface, enter / ip
access show
3. Delete any ip access rules that were added to the subinterface that you are removing.
To delete an access rule, use the same command that was used to add them but
replace add with delete.
See “Adding access rules to a VLAN subinterface” on the previous page.
4. Enter / ip interfaces vlan parent_interface_name VLAN_number delete
parent_interface_name = mgt0 or mgt1
VLAN_number = the number of the subinterface

File Format for the / services sp data bgp dump <router>

Command
To see routing table information, you can run the / services sp data bgp dump
router command. You can then view the file by running the / system files view
filename command. This topic describes the format of the file that is generated when
you run this command.
File format
The file contains the following information:
Time|BGP|QUERY START|Peering Router|Prefix|AS Path|Origin|Nexthop|
Local Preference|MED|Community|Atomic Aggregate|Aggregator|
Originator|Cluster List|Extended Communities


Chapter 6
Upgrading Sightline and TMS Software
This section describes how to upgrade your Sightline and TMS software.
In this section
Upgrading the Software and Installing Maintenance Releases on a Sightline

Appliance 124
About Upgrading Software and Installing Maintenance Releases on TMS
Appliances 132
Upgrading the Software and Installing Maintenance Releases on TMS Appliances 135
Manually Upgrading the TMS Firmware on a Chassis-based TMS Appliance 140
Adding Software Updates to the Appliances in Your Deployment 141

Upgrading the Software and Installing Maintenance Releases

on a Sightline Appliance
This topic describes how to upgrade major, minor, or maintenance software versions on
Sightline appliances from either a CD, a downloaded file, or an external USB flash drive.
You can upgrade any appliance to a newer software version.
Important
With a cloud-based flexible license deployment, if you are upgrading the leader from SP
7.x, then do not use the procedures in this topic. Instead, see "Upgrading a Leader VM
from SP 7.x to SP 8.x" in the Sightline Virtual Machine Installation guide. Upgrading a
leader from SP 7.x requires additional steps that are not included in these procedures.
On a leader appliance that has a user interface role, you can use the CLI to copy software
updates to the appliances in your deployment. See “Adding Software Updates to the
Appliances in Your Deployment” on page 141.
Because Sightline has multi-version support, you do not have to upgrade all of the
Sightline appliances in your deployment at the same time. See "Multi-Version Support in
Sightline and TMS Software" in the Sightline and Threat Mitigation System Compatibility
Guide .
Important
You must upgrade your Sightline devices in a specific order. For more information, see
"Multi-Version Deployment Upgrade Process" in the Sightline and Threat Mitigation
System Compatibility Guide . Be aware of the following when upgrading:
n You must upgrade the leader Sightline device before upgrading any other user interface
devices in your deployment.
n When upgrading from SP 8.2 or higher, we recommend stopping all user interface
devices prior to upgrading. Stopping user interface devices avoids failover and cross-
version compatibility issues.
n The upgraded leader must be running when you upgrade the other user interface
devices. If the leader is not upgraded or not running, you will need to manually resync
the database when it is.
n When upgrading from a version lower than SP 8.2, non-leader user interface devices
take additional time to upgrade because they are syncing the database. Syncing the
database should take less than 10 minutes; however, large databases on slow
connections could take longer.
n When upgrading from SP 8.2 or higher, a database sync for non-leader user interface
devices is not normally needed. A database sync is only needed if the devices have been
down for an extended time period, usually on the order of hours. Syncing the database
should take less than 10 minutes; however, large databases on slow connections could
take longer.
Before you begin

You must contact Arbor Technical Assistance Center to obtain the certificate for your
appliance if you plan to use the appliance for one of the following:
n remote services
n web UI secure login

Chapter 6 Upgrading Sightline and TMS Software
Important
If you have an uncommitted configuration when you perform an upgrade, your
uncommitted changes will be lost. Verify that you have committed all necessary
configurations before you begin this procedure.
Upgrading the software from a downloaded file

To upgrade the software from a downloaded file:
1. Verify that you committed all necessary configurations.
Warning
Uncommitted configurations are lost if you do not commit them before you
upgrade.
3. Enter / system files directory disk:
4. From the Arbor Technical Assistance Center site (https://support.arbornetworks.com),
download the following new file versions for your appliance:
l arbos-6.2-xxxx
l Peakflow-SP-9.0-xxxx
5. To specify the destination of the files, enter system files copy
protocol://host/directory_path/file_name disk:
protocol = the protocol used to download the file
host = the IP address of the remote computer
directory_path = the directory path to the file
file_name = the name of the file that you want to install
6. If you are using scp to download the files, when prompted, enter the user_password
7. Repeat the previous two steps for all files.
8. To stop currently running services, enter services sp stop
9. Enter / system files
10. To view the build number of the installation, enter directory disk
11. To view the version of software that is currently installed, enter system files show
12. To uninstall a software patch from versions prior to 7.0, enter uninstall file_name
file_name = the name of the software patch that you want to uninstall
Important
You must uninstall patches in the reverse order in which they are listed. For example,
if there are five patches listed, uninstall the fifth patch first, then repeat this step for
the fourth, third, second, and first patches. Versions starting with 7.0 do not have
patches, so you can skip this step for those versions.
13. To uninstall the previous appliance software file, enter uninstall file_name
file_name = the name of the software release file that you want to uninstall
14. Enter install disk:arbos-6.2-build
build = the build number in the file name
15. Enter reload
16. Enter y
17. After the appliance reloads, log in again using the administrator user name and
password.

18. To install the new Sightline software, enter / system files install
disk:Peafklow-SP-9.0-build
21. To verify that you successfully upgraded the software, enter system files show
Upgrading the software from a CD

To upgrade the software from a CD:
Warning
upgrade.
4. Enter system cdrom unlock
5. Remove the old CD and insert the new CD in the media tray.
6. Enter system cdrom lock
9. To view the version and build numbers of the installation, enter directory cd
10. To view the version of software that is currently installed, enter / system files
show
Important
13. Enter install cd:arbos-6.2-build
Note
The file name must match the name on the CD.
14. Enter reload
15. Enter y
password.
cd:Peakflow-SP-9.0-build


Upgrading the software from an external USB flash drive

To upgrade the software from an external USB flash drive:
Warning
upgrade.
4. Plug in the USB flash drive that contains ArbOS and the upgrade Sightline software.
7. To view the version and build numbers of the installation, enter directory usb
8. To view the version of software that is currently installed, enter system files show
Important
11. Enter install usb:arbos-6.2-build
Note
The file name must match the name on the USB device.
12. Remove the external USB flash drive.
13. Enter reload
14. Enter y
password.
16. Reinsert the external USB flash drive.
usb:Peakflow-SP-9.0-build

Example of upgrading the software on an Sightline appliance

The following is an example of upgrading an SP 6.0 leader appliance that has the traffic
and routing analysis role to SP 7.0.1 using a downloaded file:
Sightline/6.0 (reds)
login: admin
Sightline v6.0
Welcome to Peakflow
admin@reds:/# system files copy

scp://user@filehost.arbor.net/arbor/files/arbos-6.2-xxxx disk:
user@filehost.arbor.net's password: **********
arbos-6.2-xxxx 100% 6218KB 6.1MB/s 00:01
admin@reds:/# system files copy
scp://user@filehost.arbor.net/arbor/files/Peakflow-SP-7.0.1.tar.gz
disk:
user@filehost.arbor.net's password: **********
100% |********************************************* 497 KB 00:03
admin@reds:/# / services sp stop
Stopping Sightline services.......done.
admin@reds:/# / system files dir disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
Peakflow-SP-CP-6.0-CDHD-B 232944 Nov26 21:51 Signed package
Peakflow-SP-CP-6.0-patch-1-B.tar.gz 4987 Nov26 22:20 Signed package
Peakflow-SP-CP-6.0-xxxx 235888 Nov26 22:44 Signed package
arbos-5.3-CDHD-B 96490 Nov26 21:51 Signed package
arbos-6.2-xxxx 105175 Nov26 22:44 Signed package
authorized_keys 64 Nov26 22:04 Text file
health.sh 2 Nov26 22:04 Text file
ssh_host.keys 10 Nov26 22:04 SSH host keys
tb.arbor.net.tgz 4 Nov26 22:04 Signed package
Free space: 1.3G of 2.0G (32% used)
admin@reds:/# / system files show
Installed packages:
ArbOS_5.3 ArbOS 5.3 system files (build CDHD-B) (arch i686)
Peakflow-SP-CP-6.0 NETSCOUT® Arbor Sightline (build CDHD-B)

Peakflow-SP-CP-6.0-patch-2 SP 6.0 Patch 2 2012 build CIKD-B)

Peakflow-SP-CP-6.0-patch-3 SP 6.0 Patch 3 2012 build CJZM-B)
cert-*.tb.arbor.net-0F9E NETSCOUT® Arbor certificate 0F9E
admin@reds:/# / system files uninstall Peakflow-SP-CP-6.0-patch-3
Uninstalling package Peakflow-SP-CP-6.0-patch-3..done.
admin@reds:/# / system files uninstall Peakflow-SP-CP-6.0-patch-2
Uninstalling package Peakflow-SP-CP-6.0-patch-2..done.
admin@reds:/# / system files uninstall Peakflow-SP-CP-6.0
Uninstalling package Peakflow-SP-CP-6.0..done.
admin@reds:/# / system files install disk:arbos-6.2-xxxx
Extracting package...
Changes to ArbOS will take effect after the next reload.
admin@reds:/# reload
You are about to reboot the system. Do you wish to proceed? [n] y
094: Rebooting the system..
Broadcast messagSending all processes the TERM signal...
Sending all processes the KILL signal...
Syncing hardware clock to system time
Unmounting loopback filesystems:
Unmounting file systems:
Please stand by while rebooting the system...
root (hd0,0)
Filesystem type is ext2fs, partition type 0x83
kernel /boot/kernel-arbux-smp console=ttyS0,9600n8 root=/dev/ram0
ramdisk=24480
vdso=0 acpi=no rw init=/linuxrc-disk
[Linux-bzImage, setup=0x1400, size=0x4d6ad0]
initrd /boot/initrd.gz
[Linux-initrd @ 0x37a19000, 0x5d6778 bytes]
....................................................................
.....�..............................................................
....................................................................
....................................................................
....................................................................
..................****................................**************
boot:
clean, 63/124928 files, 141851/497980 bloc.ks
INIT: version 2.86 booting
002: Scanning for filesystems
003: Using system disk

004: Checking file system integrity

system: clean, 121/979200 files, 68048/1955913 blocks
data: clean, 1196/4372480 files, 437955/69928936 blocks
boot: clean, 63/124928 files, 141851/497980 blocks
005: Configuring swap devices
006: Configuring software packages
007: Restoring system configuration
INIT: Entering runlevel: 2
ArbOS/6.2 (reds)
reds login:
ArbOS v6.2
Welcome to Peakflow
admin@reds:/# / system files install disk:Peakflow-SP-7.0.1-xxxx
Extracting package...done.
Writing SNMP system description...done.
Upgrading to 7.0.1-xxxx...
Adding CDN Proxy mitigation storage...done
Adding Flowspec TMS offramp mitigation storage...done
Adding profiled interface alert storage...done
Adding router_name and interface_name to the attack table...
...done
Checking database schema
....................................................................
....................................................................
....................................................................
.................done
Database upgrade done
Updating managed object scoping configuration...done
Removing redundant tag indices.done
Setting offramp_method to BGP for all TMS devices and clusters...done
Saving SP configuration...
Updating saved command cache this may take a while)...000: SP
services are not running
done
Upgrade successful. Welcome to 7.1-xxxx.
admin@reds:/# / services sp start
Starting SP services......done.

admin@reds:/# config write

Saving SP configuration...
admin@reds:/# / system files show
Installed packages:
ArbOS_6.2 ArbOS 6.2 system files (build xxxx)
Peakflow-SP-7.0.1-xxxx NETSCOUT® Arbor Sightline (build xxxx)
cert-*.tb.arbor.net-0F9E NETSCOUT® Arbor certificate 0F9E
admin@reds:/#

About Upgrading Software and Installing Maintenance

Releases on TMS Appliances
This topic includes important information to consider before you upgrade or install a
maintenance release on a TMS appliance.
Upgrading or installing maintenance releases from a CD

If you want to upgrade or install maintenance releases from a CD, you must contact Arbor
Technical Assistance Center to request a CD. See “Contacting the Arbor Technical
Assistance Center” on page 11.
ArbOS and TMS build numbers and architecture suffixes

When you upgrade the software or install a maintenance release on a TMS appliance, you
must verify that the ArbOS and TMS software packages have the same build number.
For 64-bit upgrades and installations only: verify that the ArbOS and TMS software
packages have the same architecture suffix. For example, if you are upgrading to a TMS
5000 appliance, the 64-bit ArbOS and TMS software packages should have the architecture
suffix x86_64.
Multi-version support
Because Sightline has multi-version support, you may not have to upgrade your TMS
appliances when you upgrade the leader appliance.
See "Multi-Version Support in Sightline and TMS Software" in the Sightline and Threat
Mitigation System Compatibility Guide .
About software maintenance releases

Arbor releases software maintenance releases to correct bugs or other product issues in
the Sightline software. You are not required to install a software maintenance release;
however, if the issues that are corrected in a software maintenance release affect your use
of the product, we recommend that you install it.
Verifying that the license key is valid

When you upgrade a TMS appliance, you should verify that you have a valid license key. To
verify that you have a valid license key, you need to view the TMS alerts.
To check for a valid license key:

2. Enter services tms show alerts
If the following message appears in the list of alerts, then you do not have a valid
license key.
System Status 'License' is 'Critical' (Product and license key must
be specified)
To find the serial number that is needed to obtain a valid license key from Arbor Technical
Assistance Center, see “Obtaining a valid license key for your TMS appliance” on the
facing page.

Obtaining a valid license key for your TMS appliance

To obtain a valid license key for your TMS appliance:
2. Enter / system hardware
3. Copy the serial number.
The serial number is the Chassis Serial Number excluding the portion in parentheses.
See “Example output for obtaining a serial number for a chassis-based TMS
appliance” below.
4. To obtain a valid license key, contact Arbor Technical Assistance Center
Example output for obtaining a serial number for a chassis-based TMS appliance
The following example shows the Chassis Serial Number for a TMS 4000 appliance:
admin@tms4000:/# system hardware
Boot time: Wed Nov 28 22:59:51 2013, 16:25 ago
Load averages: 0.08, 0.09, 0.08
BIOS Version: 4.6.3 System Board
Model: Tionesta
Processor: Intel(R) Xeon(R) CPU L5408 @ 2.13GH
Processor: Intel(R) Xeon(R) CPU L5408 @ 2.13GH
Memory Device: No Module Installed A1_BANK DIMM9B2
Chassis Serial Number: 1044219-010 (CDA-1200Z)
Slot 0: Type: shelf
Slot 0: Firmware : 2.7.4
Slot 1: Type: mcm2
Slot 1: Model: 0-12489-04
Slot 1: Serial Number: CX8-01347
Slot 1: Firmware 0: xe50-ipmc-v1.3.2b01
Slot 2: Type: psm40
Slot 2: Model: 0-12380-E03
Slot 2: Serial Number: CZ9-09858
Slot 2: Firmware 0: fm40-ipmc-v2.3.1r00
Slot 2: Firmware 1: fm40-ppc-v2.3.5r00
Slot 2: Firmware 2: fm40-ppc-v2.3.5r00
Slot 3: Type: apm-e
Slot 3: Model: 0-15286-03
Slot 3: Serial Number: CJC-3602N
Slot 3: Firmware 0: 20132103000
Slot 3: Firmware 1: cnode-fw-pp81-v1.1.0r02

Slot 4: Type: apm-e

Slot 4: Model: 0-15286-04
Slot 4: Serial Number: CJC-380CP
Slot 4: Firmware 0: 2012103000
Slot 5: Type: apm-e
Slot 5: Model: 0-15286-04
Slot 5: Serial Number: CJC-380CM
Slot 6: Type: apm-e
Slot 6: Model: 0-15286-04
Slot 6: Serial Number: CJC-380CJ

Upgrading the Software and Installing Maintenance Releases

on TMS Appliances
This topic describes how to upgrade and install maintenance releases on a TMS appliance.
The instructions in this topic apply to following:
n NETSCOUT® Arbor TMS 2300 series and 2800 appliances
n chassis-based NETSCOUT® Arbor TMS 4000, 5000, and HD1000 appliances
Warning
For chassis-based TMS appliances, the upgrade process can take up to 70 minutes. After
you start the upgrade, let it run uninterrupted until it completes. DO NOT pause or stop
the upgrade while it is in progress.
Important
Before completing the procedures in this topic, you should review the information in
“About Upgrading Software and Installing Maintenance Releases on TMS Appliances”
on page 132 .
Valid upgrade sources

You can upgrade and install maintenance releases on a TMS 2300 series, 2800, 4000,
5000, or HD1000 appliance from a downloaded file, USB CD-ROM, or USB thumb drive.
Upgrading the software

To upgrade the software:
1. Log in to the appliance’s CLI using the administrator name and password.
2. To save any uncommitted configurations, enter config write
Uncommitted configurations are lost if you do not commit them before you upgrade.
3. Enter services tms stop
4. To save the configuration before you begin the upgrade, enter config write
5. Enter system files
6. Enter show
All of the currently installed software files appear.
7. To remove the old TMS software version, enter uninstall Arbor-TMS-8.4 (or the
version that you want to remove).
8. Choose your next steps based on the method that you use to upgrade:
Method Procedure
downloaded file See “Installing the software from a downloaded file” on the
next page.
CD-ROM or USB See “Installing the software from a CD-ROM or USB

CD-ROM CD-ROM” on the next page.
USB thumb drive See “Installing the software from a USB thumb drive” on
page 137.

Installing the software from a downloaded file

To install the software from a downloaded file:
Note
In the ArbOS and TMS software package file names in this procedure, -build is the build
number and x.y is the ArbOS version number. For 64-bit ArbOS and TMS software
packages only, -arch is the architecture suffix. For example, the 64-bit ArbOS and TMS
software packages for a TMS 5000 appliance have the architecture suffix x86_64.
1. Download the necessary software packages from the NETSCOUT® Arbor Update
Server to a location that is accessible by the TMS appliance.
The update server is located at https://update.arbor.net
2. To copy the ArbOS file from the location where you downloaded it, enter one of the
following commands:
copy ftp://[user:password@]A.B.C.D[:port]/arbos-x.y-build[-arch]
disk:
copy http://A.B.C.D[:port]/arbos-x.y-build[-arch] disk:
copy scp://[user@]A.B.C.D[:port]/arbos-x.y-build[-arch] disk:
3. To view the directory listing, enter directory disk:
4. Enter install disk:arbos-x.y-build[-arch]
5. Enter reload
6. To confirm your choice, enter y
The appliance restarts with the new ArbOS version.
7. Log in to the appliance using the administrator user name and password.
8. Enter system files
9. Repeat Step 2 through Step 4 for the TMS 9.0 file.
10. To view the directory listing, enter directory disk:
11. To install the new TMS software version, enter install
disk:Arbor-TMS-9.0-build[-arch]
12. To start TMS services, enter / services tms start
13. To save your configuration changes, enter config write
Installing the software from a CD-ROM or USB CD-ROM

To install the software from a CD-ROM or USB CD-ROM:
Note
1. Enter cdrom unlock
2. Remove the old CD and insert the new CD in the CD drive.
3. Enter cdrom lock
4. To view the directory listing, enter directory cd:

The file names in the directory listing include the build number that you need to install
the upgrade.
5. Enter install cd:arbos-x.y-build[-arch]
6. Enter reload
9. To view the directory listing, enter system files directory cd:
Installing the software from a USB thumb drive

To install the software from a USB thumb drive:
Note
1. Insert the thumb drive into the USB port.
Important
Verify that the necessary software packages reside in the root directory on the USB
thumb drive.
2. To view the directory listing, enter directory usb:
The file names in the directory listing include the build number that you need to install
the upgrade.
3. Enter install usb:arbos-x.y-build[-arch]
4. Enter reload
7. To view the directory listing, enter system files directory usb:

Example of upgrading the software on a TMS appliance

The following is an example of upgrading a TMS appliance from a downloaded file. In this
example, in the ArbOS and TMS software package file names shown, replace build with
the build number, x.y with the current ArbOS version number, and x.w with the previous
ArbOS version number. For 64-bit TMS software package file names only, replace arch
with the architecture suffix.
Welcome to ArbOS.
admin@mariner:/# / services tms stop

Stopping Arbor Networks TMS services........done.
admin@mariner:/# system files
admin@mariner:/system/files# show
Installed packages:
ArbOS_x.w ArbOS x.w system files (build build)
Arbor-TMS-8.4 NETSCOUT® Arbor TMS 8.4 (build build)
admin@mariner:/system/files# uninstall Arbor-TMS-8.4
Uninstalling package Arbor-TMS-8.4..done.
admin@mariner:/system/files# copy http://1.2.3.4/arbos-x.y-build
[-arch] disk:
admin@mariner:/system/files# directory disk:
arbos-x.y-build[-arch] 6215 Apr21 20:27 Signed package
admin@mariner:/system/files# install disk:arbos-x.y-build[-arch]
admin@mariner:/system/files# reload
Do you wish to proceed? [n] y
johndoe:/Users/johndoe$ ssh admin@mariner
admin@mariner's password: ********
Arbor TMS v8.4

Welcome to ArbOS.
admin@mariner:/# system files
admin@mariner:/system/files# copy http://1.2.3.4/Arbor-TMS-9.0-build
[-arch] disk:

admin@mariner:/system/files# directory disk:

arbos-x.y-build[-arch] 6215 Apr21 20:27 Signed package
Arbor-TMS-9.0-build[-arch] 171324 Apr20 20:26 Signed package
admin@mariner:/system/files# install disk:Arbor-TMS-9.0-build
[-arch]Extracting package...done.
Performing 9.0 upgrade, this may take awhile...done.
admin@mariner:/system/files# /
admin@mariner:/# services tms start
Starting NETSCOUT® Arbor TMS services...done.
admin@mariner:/#

Manually Upgrading the TMS Firmware on a Chassis-based

TMS Appliance
If you get a TMS firmware upgrade alert for your chassis-based TMS appliance, follow the
instructions in this topic to manually upgrade the TMS firmware. You can use a TMS CLI
command to manually upgrade the TMS firmware for the blade in the slot that you specify.
See “To upgrade the TMS firmware manually” below.
Note
About TMS firmware upgrades

When you install new TMS software on a chassis-based appliance, the system
automatically installs the appropriate TMS firmware upgrades on the blades in the chassis.
If you change the appliance hardware configuration, you might get an alert that tells you to
upgrade the TMS firmware in one or more slots. For example, on a TMS 4000, you might
get a firmware upgrade alert for slot 3 after you replace the APM blade in that slot. The
firmware upgrade is required to fully support the hardware change.
Slot numbers for blades that support firmware upgrades

You can manually upgrade the TMS firmware in certain APM blades and PSM blades. Use
the slot number in the TMS appliance chassis to specify the blade to upgrade.
The following table lists the slot numbers for the blades that support firmware upgrades in
each chassis-based TMS appliance:
Appliance Blade Slot Number

TMS 4000 PSM-40 2
APM-10 or APM-E 3, 4, 5, or 6
TMS 5000 PSM-400 1
APM-E 3, 4, 5, or 6
To upgrade the TMS firmware manually

To manually upgrade the firmware on a specific blade in a chassis-based TMS appliance:
2. Enter / services tms firmwareupgrade slot
slot = the slot number for the blade to upgrade. See “Slot numbers for blades
that support firmware upgrades” above.
3. Repeat Step 2 for each blade that you need to upgrade.

Adding Software Updates to the Appliances in Your

Deployment
Important
The software update functionality provided by System Maintenance > Software
Updates will be unavailable after March 31, 2018. The latest software releases and user
documentation can be downloaded from the Arbor Customer Portal
(https://support.arbornetworks.com). For additional information or assistance, please
contact the Arbor Technical Assistance Center at https://support.arbornetworks.com.
After you enable software updates in the web UI (Administration > System
Maintenance > Software Updates), you can use the CLI to copy the software updates
to the appliances in your deployment.
This procedure can only be performed on a leader appliance.
For details about enabling software updates, see “Enabling Software Updates” in the
Adding software updates to appliances

To add software updates to the appliances in your deployment:
1. Verify that you enabled software updates in the web UI (Administration > System
Maintenance > Software Updates).
2. On the leader appliance, log in to the CLI using your administrator user name and
password.
3. To view the list of available software release updates from the Arbor update server,
enter / services sp software list pull
4. To download a software release from the update server to the leader appliance, enter
/ services sp software pull release_name
5. To view the list of available releases that can be distributed to the appliances in your
network, enter / services sp software list push
6. Enter / services sp software push release_name appliance_name
appliance_name = the appliance to which you want to distribute the software
upgrade
Tip
To push a release to more than one appliance, you can separate multiple appliance
names with commas.
7. Log in to the CLI for the appliance that you want to update.
8. (Sightline Appliances Only) To view the available software release updates for the
appliance, enter / services sp software copy?
You do not need to perform this step for TMS appliances. After you push a release to a
TMSappliance, it is ready to be installed.
9. To copy the release to the local disk, enter / services sp software copy file_
name
You can now install the software update.
For installation instructions, see “Upgrading the Software and Installing Maintenance
Releases on a Sightline Appliance” on page 124 .

Example
The following example shows how to add a software release update to an appliance in
your deployment:
admin@mariner1:/# services sp software ?
copy Copy software from staging area to disk
disable Disable software update checking
enable Enable software update checking
list Show list of options
proxy/ Configure a proxy for downloading updates
pull Pull software from update server
push Push software to other appliances
server Configure software update server
show Show the current software update checking status
status/ Show status of devices
admin@mariner1:/# / services sp software pull?
SP-9.0 Package to pull from update server
SP-TMS-9.0 Package to pull from update server
admin@mariner1:/# / services sp software pull SP-9.0
Downloading Peakflow-SPVARIABLE-9.0-xxxx
#####################################################################
Download complete Peakflow-SP-9.0-xxxx
Downloading arbos-6.2-xxxx
#####################################################################
Download complete arbos-6.2-xxxx
All downloads completed
admin@mariner1:/# / services sp software push?

SP-9.0 Package
SP-TMS-9.0 Package
admin@mariner1:/# / services sp software push SP-9.0
<collector_list> Comma-separated list of collectors
sp1 Peakflow appliance
cp2 Peakflow appliance
bi1 Peakflow appliance
fs1 Peakflow appliance
fs2 Peakflow appliance
tms1 Peakflow appliance
tms2 Peakflow appliance
admin@mariner1:/# / services sp software push SP-9.0 sp1
Copying package Peakflow-SP-9.0 to sp1
#####################################################################

Copy of Peakflow-SP-9.0-xxxx to sp1 complete

Copying package arbos-6.2 to sp1
#####################################################################
Copy of arbos-6.2-xxxx to sp1 complete
Release SP-9.0 successfully copied
admin@sp1:/# services sp software ?

copy Copy software from staging area to disk
disable Disable software update checking
enable Enable software update checking
list Show list of options
proxy/ Configure a proxy for downloading updates
pull Pull software from update server
push Push software to other appliances
server Configure software update server
show Show the current software update checking status
status/ Show status of devices
admin@sp1:/# / services sp software copy?
Peakflow-SP-9.0-xxxx File
arbos-6.2-xxxx File
admin@sp1:# / services sp software copy Peakflow-SP-9.0-xxxx
admin@sp1:#


Chapter 7
Reinstalling Sightline and TMS Software
This section describes how to reinstall the operating system and other necessary software
for Sightline and TMS appliances in the case of an emergency situation.
In this section
Reinstalling Sightline Appliance Software 146

Reinstalling TMS Software on a Chassis-based TMS Appliance 155
Restoring TMS Software from Flash on a Chassis-based TMS Appliance 161

Reinstalling Sightline Appliance Software

This section describes how to reinstall the software on the Sightline appliances.
Caution
Reinstalling an appliance erases all data from the system and returns it to its factory state.
This should only be done in an emergency situation and under the direction of Arbor
Technical Assistance Center.
Before you begin

To reinstall an Sightline appliance, verify that you have the following:
n the corresponding CD, if the appliance has a media tray
n your appliance software certificate (optional)
Reinstalling Sightline appliance software

To reinstall Sightline appliance software:
1. If your appliance has a media tray, verify that you have inserted the Sightline software
CD that contains ArbOS version 6.2 in the media tray.
2. Choose one of the following methods to connect the appliance to initiate recovery:
l Connect a VGA monitor and keyboard to the appropriate ports on the back of the
appliance.
l Connect a serial cable from the serial console to the appliance.
3. Log in to the appliance by using the administrator name and password.
4. Enter reload now
You can manually turn the power off and on if the appliance is not responding.
5. To start the boot menu, press any key when you see the message, “Press any key to
continue.”
6. At the boot menu, select one of the following options:
l (re)install (VGA) if you are using a monitor and keyboard.
l (re)install (serial console) if you are using the serial method.
A warning message appears that states reinstalling removes all data.
7. To confirm that you want to begin the install process, enter y when prompted.
8. To initialize the disk, enter y
9. When prompted to install the ArbOS software package, enter y
10. When prompted to install the Sightline appliance software, enter y
11. When prompted to reinitialize the flash, enter n
Setting the hostname

To set the hostname:
n Enter a hostname for the appliance.

Chapter 7 Reinstalling Sightline and TMS Software
Configuring interfaces
To configure interfaces:
1. Determine if you are using the listed interface.
l If yes, enter an IP_address for the listed interface.
l If no, press ENTER, and go to the procedure on enabling access to services.
See “Enabling access to services” below.
2. Enter a netmask for the interface.
3. Enter the IP_address of the default route gateway.
Enabling access to services

Note
You can press ENTER to either bypass a setting or to proceed to configuring the next
service.
To enable access to services:

1. When prompted to set ArborFlow access, do one of the following:
l For an appliance that has the user interface role, press ENTER.
l For an appliance that has the data storage or traffic and routing role, or for a Flow
Sensor appliance, enter the CIDR_block from which you want to have ArborFlow
access to the appliance.
2. When prompted to set BGP access, do one of the following:
l For an appliance that has the data storage or user interface role, press ENTER to
deny all BGP access to the appliance.
l For an appliance that has the traffic and routing role or for a Flow Sensor
appliance, enter the CIDR_block from which you want to have BGP access to the
appliance.
Note
Router data configuration will automatically add BGP access later as needed.
3. Enter the CIDR_block from which you want to allow Cloud Signaling access.
4. If prompted, enter the CIDR_block from which you want to allow FTP access to the
appliance.
5. Enter the CIDR_block from which you want to allow HTTP access to the appliance.
6. When prompted to set HTTPS access, do one of the following:
l If you are configuring a leader appliance or an appliance that has the user interface
role, then enter the CIDR_block of a network from which you want to enable
HTTPS access.
l If you are configuring a Flow Sensor appliance (appliance-based licensing only) or a
non-leader appliance that has the traffic and routing analysis role or the data
storage role, then press ENTER.
7. Repeat Step 6 for each network from which you want to enable HTTPS access.
8. Enter the CIDR_block from which you want to allow ping access to the appliance.
9. Repeat Step 8 for each network from which you want to enable ping access.
10. (All but Flow Sensor appliances) Enter the CIDR_block from which you want to allow
SNMP queries to the appliance.

11. If prompted, press ENTER to deny all SPCOMM access to the appliance.
Note
Configurations that you perform later (bootstrap command for non-leaders and
leader configuration for Sightline UI) will automatically add SPCOMM access as
needed.
12. If prompted, press ENTER at the TFTP access prompt.
13. If prompted, press ENTER to skip configuring VRRP access.
Sightline does not support VRRP.
14. Enter the CIDR_block of the network from which you want to enable SSH access.
15. Repeat Step 14 for each network from which you want to enable SSH access.
16. Enter the IP_address of the DNS server that you want the appliance to use.
See “About adding a DNS server” below.
17. Repeat Step 16 for each DNS server.
18. When prompted to set the time and date, do one of the following:
l Enter the date in the format mmddHHMMyyyy.SS (month, day, hour, minute, year,
second).
l Enter the IP_address or FQDN hostname of the NTP server that you want the
appliance to use.
See “About adding an NTP server” below.
About adding an NTP server

You can add an NTP server on a local or global basis. Entering an NTP server command
during the reinstallation process is a local setting; this means that Sightline associates the
NTP server with the individual appliance. Local settings take precedence over global
settings.
For additional information about adding NTP servers, see:

n “Configuring NTP Servers” on page 34
n “Configuring Network Services” in the Sightline and Threat Mitigation System User
Guide .
About adding a DNS server

You can add a DNS server on a local or global basis. Entering a DNS server command
during this reinstallation process is a local setting; this means that Sightline associates the
DNS server with the individual appliance. Local settings take precedence over global
settings.
For additional information about adding DNS servers, see:

n “Configuring DNS Servers” on page 31
n “Configuring Network Services” in the Sightline and Threat Mitigation System User
Guide .
Adding a global DNS server

To add a global DNS server:
n Enter / services dns server add IP_address
IP_address = IP address of the DNS server

Changing the administrator password

To change the administrator password:
2. Enter the new_password
3. Enter the new_password again.
Installing the certificate

To install the certificate:
1. Enter / system files copy URL disk:
URL = the shared network resource where the certificate is located. (It can be
either an HTTP or FTP location.)
2. After the download is complete, enter / system files install disk:file_name
file_name = the file name of the certificate package
Note
Using a certificate to reinstall an appliance is optional.
Initializing the appliance

To initialize the appliance:
1. After the import is complete, enter / services sp bootstrap {leader |
nonleader} IP_address zone_secret role
{leader | nonleader} = choose the mode in which the appliance runs
IP_address = the IP address of the leader appliance
zone_secret = the word or phrase that is used by all appliances in the
deployment for internal communication
for the Flow Sensor appliance, and pi for the user interface role. The Flow Sensor
appliance is only applicable with appliance-based licensing.
Note
With appliance-based licensing, the different types of Sightline appliances have fixed
roles. For information on the relationship between appliance types and appliance
roles, see "Introduction to Sightline Appliances" in the Sightline and Threat
2. To delete the existing alert and mitigation database, enter y
3. To commit and activate the configuration, enter y
Adding a flexible license to your deployment

To add a flexible license to your deployment:
1. Copy the license file to your leader appliance and store it in the following directory:
/base/store/files/license_file
license_file = the name of the license file
2. Log in to the leader appliance’s CLI by using the administrator name and password.
3. To import the license file, enter / services sp license flexible import

disk:license_file
license_file = the name of the license file
Committing configuration changes and starting services

To commit configuration changes and to start services:
l If the Commit (and activate) configuration? prompt appears, enter y
l To save the configuration, enter config write
2. To start the appliance, enter / services sp start
Assigning the license mode to an appliance

If you have uploaded a flexible license, you can assign the flexible or appliance-based
license mode to the appliance.
To assign a license mode to an appliance:

1. To assign a license mode, enter / services sp device edit appliance_name
license_mode set { appliance | flexible}
appliance_name = the name of appliance
{ appliance | flexible} = the license mode in which to run the appliance
If you select appliance, the appliance is assigned the appliance-based license
mode. If you select flexible, the appliance is assigned the flexible license mode.
2. To verify the license mode of an appliance, enter / services sp device edit
appliance_name license_mode show
appliance_name = the name of appliance
Example of reinstalling Sightline software on a leader appliance

The following is an example of reinstalling Sightline software on a leader appliance (an
appliance that has the user interface role or the traffic and routing analysis role) that does
not have a media tray:
arbor:/#reload now
INIT: Sending psnmpd[14934]: Received TERM or STOP signal... shutting
down...
dmvd[10584]: dmvd shutdown

717: Cannot stop /base
Sending all processes the TERM signal...
Unmounting loopback filesystems
Unmounting remaining filesystems
umount2: Device or resource busy
umount: /base: device is busy
umount2: Device or resource busy
umount: /base: device is busy
Remounting remaining filesystems readonly

Version 1.20.1093 Copyright (C) 2005-2010 American Megatrends, Inc.

Press <F2> to enter setup, <F12> Network Boot
Initializing In BIOS Version MT33 (Build Oct 24, 2007)
HA -0 (Bus 4 Dev 14) Intel(R) RAID Controller SROMBSAS18E

FW package: 7.0.1-0075
1 Virtual Drive(s) found on the host adapter.
1 Virtual Drive(s) handled by BIOS
Press <Ctrl><Y> for Preboot CLI
>>>>>> Press <Ctrl><G> to enter the RAID BIOS Console <<<<<<<

Copyright (c) 2007 LSI Corporation. All rights reserved


Bios Version: S5000.86B.15.00.0101.110920101604
Platform ID: T5000PAL
8 GB system memory found
Current Memory Speed: 667 MT/s (333 MHz)
Intel(R) Xeon(R) CPU E5440 @ 2.83GHz
Intel(R) Xeon(R) CPU E5440 @ 2.83GHz
Booting from BIOS Partition 1
USB keyboard detected
Press any key to continue.

GNU GRUB version 0.97 (625K lower / 2613352K upper memory)
+--------------------------------------------------------------+
| usb (serial console) |
| disk (serial console) |
| second disk (serial console) |
| (re)install from usb (serial console) |
| usb (VGA) |
| disk (VGA) |
| second disk (VGA) |
| (re)install from usb (VGA) |
| |
| |
| |

| |
| |
| |
+--------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, 'a' to modify the kernel arguments
before booting, or 'c' for a command-line.
Booting '(re)install from on-board flash (serial console)'
root (hd0,0)
Filesystem type is ext2fs, partition type 0x83
kernel /boot/kernel-arbux-smp console=ttyS0,9600n8 root=/dev/ram0
ramdisk=24480
vdso=0 acpi=no rw init=/linuxrc-flash-install
[Linux-bzImage, setup=0x1400, size=0x4dd670]
initrd /boot/initrd.gz
[Linux-initrd @ 0x37a1a000, 0x5d58f1 bytes]
...............****............................................
..............................**************boot: clean, 68/.124928
files, 14...2305/497980 blocks
INIT: version 2.86 booting
010: Using flash disk
Do you want to begin the install process?

This will remove all current data and configuration [n] y
Initializing filesystem "boot".........................done.

Writing boot blocks....done.
Initializing filesystem "system".........................done.
Initializing filesystem "data"..........................done.
Initializing swap partition.....done.
system: clean, 11/979200 files, 67839/1955913 blocks
data: clean, 11/5322720 files, 221686/83853275 blocks
boot: clean, 28/124928 files, 26497/497980 blocks
Installing software package "flash:arbos-6.2-HB2K-x86_64"

System hostname? [arbos] mariner

IP address for interface eth0: [none] 10.0.0.5
Netmask for interface eth0: [255.255.255.0] 255.255.255.0
IP address for interface eth1: [none]
Default route: [none] 10.0.1.1
arborflow access from which network? [done] 10.0.0.0/8

arborflow access from which network? [done]
bgp access from which network? [done] 10.0.0.0/8

bgp access from which network? [done]
cloudsignal access from which network? [done] 10.0.0.0/8

cloudsignal access from which network? [done]
http access from which network? [done] 10.0.0.0/8

http access from which network? [done]
https access from which network? [done] 10.0.0.0/8

https access from which network? [done]
openflow access from which network? [done]
ping access from which network? [done] 10.0.0.0/8

ping access from which network? [done]
snmp access from which network? [done] 10.0.0.0/8

snmp access from which network? [done]
spcomm access from which network? [done] 10.0.0.0/8

spcomm access from which network? [done]
SSH access from which network? [done] 10.0.0.0/8

SSH access from which network? [done]
Generating new SSH host key file...............done.
DNS server IP address: [done] 10.1.0.11

DNS server IP address: [done] 10.1.1.11
DNS server IP address: [done]
Generating new SSH host key file...............done.
Current time and date: [041013002017.13]041013002017.13
NTP server IP address: [done] 10.0.1.16
NTP server IP address: [done]
021: Done rc.sysinit

init: sysinit main process (2173) killed by TERM signal
Sending all processes the TERM signal...

Unmounting loopback filesystems

Unmounting remaining filesystems
Remounting remaining filesystems readonly
[ 432.418650] reboot: Restarting system

Reinstalling TMS Software on a Chassis-based TMS Appliance

This topic describes how to reinstall the TMS software on a chassis-based TMS appliance.
Note
Caution
Reinstalling the TMS software on an appliance erases all data from the system and
returns it to its factory state. This should only be done in an emergency situation and
under the direction of the Arbor Technical Assistance Center.
Note
For instructions on restoring the TMS software from flash, see “Restoring TMS Software
from Flash on a Chassis-based TMS Appliance” on page 161 .
Initial steps
Complete the following initial steps to begin reinstalling the TMS software on a
chassis-based TMS appliance:
1. Depending on the method you are using to reinstall the appliance, insert the USB
device or CD-ROM into the appliance.
2. To initiate recovery, connect a serial cable from the serial console to the appliance.
3. Restart the appliance.
You can manually turn the power off and on if the appliance is non-responsive.
4. To start the boot menu, press any key when you see the message, “Press any key to
continue.”
5. At the boot menu, select [Serial Console] (re)install from usb disk.
6. To confirm that you want to reinstall when the warning message appears, enter y
The ArbOS and TMS software packages are installed, and the databases are built.
Configuration steps
After the reinstall, complete the following steps at the configuration prompts:
1. Enter the system_hostname
2. When prompted to change the password for the admin user, type y and then follow
the prompts to change the password, otherwise type n.
3. Enter the IP_address for the mgt0 management interface.
If you enter an IPv6 address, then you must also include the prefix length.
4. Enter the netmask for the mgt0 management interface.
If you entered an IPv6 address in Step 3, then this prompt does not appear.
5. Press ENTER to accept the auto selected media speed for this interface.
You can use the CLI to reconfigure the media speed at a later time.
See “Setting the management interface media speed (optional)” on page 157.
6. Repeat Step 3 through Step 5 for the remaining interfaces.
You can press ENTER at the prompt if you want to skip configuring an interface.
7. Enter the IP_address of the default route.

Note
To use IPv6 transport to access IPv6-enabled network services that are outside the
subnet local to the interface, you must configure an IPv6 default route.
8. Enter the CIDR_block of the source network that you want to use the following
services:
l BGP
l FTP
l HTTP
l HTTPS
Note
You must configure HTTPS so that the TMS appliance’s manager and leader
appliances can securely communicate with the TMS appliance. The manager
appliance and leader appliance might not be the same.
l mountd
l NFS
l NTP
l Ping (recommended)
l SNMP
l SUN RPC
l Telnet
l TFTP
l SSH (recommended)
Note
You can press ENTER at the prompt if you want to skip configuring access to a
service.
9. Enter the date in the format mmddHHMMyyyy.SS (month, day, hour, minutes, year,
seconds).
10. Enter the IP_address of the NTP server.
11. (USB only) After the installation is complete, but prior to reboot, remove the USB
device to ensure that the appliance does not reboot from the USB device.
The appliance reboots from disk, which has the installed ArbOS and TMS software
packages.
Follow the procedures below to complete the reinstallation using the CLI.
Changing the administrator password

To change the default administrator password:
2. Enter the new_password
3. Enter the new_password again.
Setting the zone secret

To set the zone secret:
Enter / services tms secret set zone_secret

Setting the default SSH host key and starting SSH services
To set the default SSH host key:
1. Enter / services ssh key host set default
2. To generate a default SSH host key, enter y
3. Enter / services SSH start
Setting the management interface media speed (optional)

If you want to reconfigure the auto selected management interface media speeds:
Enter / ip interfaces media mgmt_intf speed {10 | 100 | 1000} duplex

{half | full}
mgt_intf = The management interface that you want to configure, mgt0 or mgt1.
{10 | 100 | 1000} = Choose the interface media speed.
{half | full} = Choose the duplex mode for the interface.
Note
If you set the interface media speed to 1000, you can only set the duplex mode to full.
(TMS 5000 appliance only) Show or set the speed for all mitigation interfaces
(optional)
If you want to show or set the speed for all mitigation interfaces on a TMS 5000 appliance:
Enter / services tms deployment media {null | 10G | 100G}

null = (value omitted) shows the speed for all mitigation interfaces, 10 Gbps or
100 Gbps
10G = sets the speed for all mitigation interfaces to 10 Gbps
100G = sets the speed for all mitigation interfaces to 100 Gbps
Starting TMS services and committing configurations

To start TMS services and commit your configurations:
1. Enter / services tms start
Example of reinstalling a TMS 4000 appliance using a USB device

The following is an example of reinstalling a TMS 4000 appliance using a USB device:
admin@tms4000:/# reload
You are about to reboot the system. Do you wish to proceed? [n] y
INIT: Sending processes the TERM signal
Sending all proc
Unmounting file systems:

Please stand by while rebooting the system.......?

Adapter 0
[Virtual Disks] No Virtual Disk!
[Physical Disks]
Port Disk Name Size Max Speed SAS Address
3 SATA: C200-MTFDBAC120MAE 114.4GB SATA I/II
Press <Ctrl>+<M> to enter BIOS Setup or <Space> to continue
Copyright (C) 2007 American Megatrends, Inc.
Press <F2> to enter setup.
Booting '[Serial Console] (re)install from usb device'
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................
.................................................?.............
...............................................................
...............................................................
...............................................................
...............................................................
...............................................................
............................****...............................
...................*Starting
udev: [ OK ]
INIT: version 2.86 booting********
Starting udev: [ OK ]
010: Using USB device
Do you want to begin the install process?

This will remove all current data and configuration [n] y
Initializing filesystem "boot".........................done.
Writing boot blocks....done.
Initializing filesystem "system".........................done.
Initializing filesystem "data"..........................done.
Initializing swap partition.....done.
File: arbos-NETSCOUT® Arbor-xxxx Type: Signed package

Installing software package "usb:arbos-6.2-xxxx"

File: .Spotlight-V100 Type: Directory

File: .Trashes Type: Directory
File: ._.Trashes Type: Unknown
File: Peakflow-TMS-9.0-xxxx Type: Signed package
Installing software package "usb:Peakflow-TMS-9.0-xxxx"
Collecting inventory information..done
apm-0-0: rebooting
apm-0-1: rebooting
Building
databases.......................................................
..................................done.
File: boot Type: Directory
System hostname? [arbos] tms4000.tb

IP address for interface mgt0: [none] 10.1.1.1
Netmask for interface mgt0: [255.255.255.0]
Media for interface mgt0: [none]
Default route: [none] 10.2.3.4
bgp access from which network? [done]
ftp access from which network? [done] 0.0.0.0/0

ftp access from which network? [done]
http access from which network? [done] 0.0.0.0/0

http access from which network? [done]
https access from which network? [done] 0.0.0.0/0

https access from which network? [done]
mountd access from which network? [done]
nfs access from which network? [done]
ntp access from which network? [done]
ping access from which network? [done] 0.0.0.0/0

ping access from which network? [done]
snmp access from which network? [done] 0.0.0.0/0

snmp access from which network? [done]
sunrpc access from which network? [done]
telnet access from which network? [done] 0.0.0.0/0

telnet access from which network? [done]
tftp access from which network? [done]
vrrp access from which network? [done]
ssh access from which network? [done] 0.0.0.0/0

ssh access from which network? [done]
Generating new SSH host key file...........................done.
Current time and date: [102715552011.07]

NTP server IP address: [none] 10.8.7.6
INIT: apm-0-0: rebooting
apm-0-1: rebooting
Restarting system.

Restoring TMS Software from Flash on a Chassis-based TMS

Appliance
In the rare case of a software failure on your chassis-based TMS appliance, you can restore
the TMS software to the version contained on the appliance’s flash drive.
Note
Caution
You should only restore the TMS software from flash in an emergency situation under
the direction of the Arbor Technical Assistance Center.
About restoring from the flash drive

When you restore from the flash drive, your software reverts to the version that was
originally installed on the flash drive when you received the appliance. Depending on the
upgrades you have installed, the original version may not have full functionality; however,
it will operate at a level at which you can upgrade to the current release to return the
appliance to full functionality.
Choosing the correct flash recovery procedure

This topic describes two different flash recovery procedures, (A) and (B). Use the following
table to determine which recovery procedure to follow based on your TMS appliance and
the type of Management Control Module (MCM) it contains:
Appliance MCM Procedure (A or B)
MCM-1 A
TMS 4000
MCM-2 or MCM-C B
TMS 5000 MCM-C B
Procedure (A): Flash recovery for a TMS appliance with an MCM-1

To recover from flash on a chassis-based TMS appliance with an MCM-1 installed:
1. Connect to the appliance using serial console, and then reboot the appliance.
2. Press the F3 key when the BIOS screen appears.
Verify that F3 is passed to your terminal application; some OSes capture the key.
3. When the boot selection menu (BBS) appears, select HDD:SM 128MB ATA Flash
Disk.
4. When the grub menu appears, select [Serial Console] (re) install from on-board
flash.
5. Proceed with instructions for a regular installation.
See “Reinstalling TMS Software on a Chassis-based TMS Appliance” on page 155 or
see the NETSCOUT® Arbor TMS 4000 Quick Start Card.
Procedure (B): Flash recovery for a TMS appliance with an MCM-2 or MCM-C
To recover from flash on a chassis-based TMS appliance with an MCM-2 or MCM-C

installed:
1. Connect to the appliance using serial console, and then reboot the appliance.
2. When the grub menu appears, select [Serial Console] (re) install from on-board
flash.
3. Proceed with instructions for a regular installation.
See “Reinstalling TMS Software on a Chassis-based TMS Appliance” on page 155 or
see the NETSCOUT® Arbor TMS 4000 Quick Start Card or NETSCOUT® Arbor TMS 5000
Quick Start Card.

Part II
System Administration

Chapter 8
Configuring the User Interface
This section describes CLI commands that you can use to configure the user interface.
In this section
The XML Menu Schema 166

Enabling the Subscriber Feature 170
Restoring the Default Login Page 171
Overriding the Number of Configuration Changes Shown on the Interface
Configuration History Page 172
Changing How Sightline Sorts Alerts by Importance 173
Changing the Graph View on DoS Alert Listing Pages 174
Changing the Search Result Settings on the Alerts and Mitigation Pages 175
Configuring Prefix Aggregation of IP Addresses for DoS Alerts 177

The XML Menu Schema

A custom menu XML file can contain multiple menu_definition elements. For simplicity
purposes, Sightline comes with one definition per XML file.
Requirements
Every menu XML definition must contain:
n at least one menu_definition element with an id attribute
n one menu element with the id attribute sp_menu_main (e.g. <menu id="sp_menu_
main">)
Note
This XML node describes the top-level menus.
The menu XML file may contain an arbitrary number of sub-menu menu elements. Each
sub-menu definition must have a unique id attribute.
Each menu element can contain:

n a text attribute for ASCII that the system displays as menu text
n an auth attribute with boolean & or | or tokens

n a device attribute indicating which device types for this menu should appear
n a url attribute indicating what URL opens when this menu is selected
n a link attribute to link to other menu definitions or a URL
Arbor menu XSD

The following is the Arbor menu XML Schema Definition (XSD):
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:simpleType name="descriptionType">
<xs:restriction base="xs:string">
<xs:pattern value="[a-zA-Z1-9\s\.\)\(\-]+"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="menuType">
<xs:sequence>
<xs:element name="item" type="itemType" minOccurs="0"
maxOccurs="1000"/>
<xs:element name="menu" type="menuType" minOccurs="0"
maxOccurs="1000"/>
</xs:sequence>
<xs:attribute name="id" type="xs:string" use="required" />
</xs:complexType>
<xs:complexType name="itemType">
<xs:sequence>

Chapter 8 Configuring the User Interface
<xs:element name="pagematch" type="xs:string" minOccurs="0"

maxOccurs="3"/>
<xs:element name="separator" type="separatorType" minOccurs="0"
maxOccurs="3"/>
</xs:sequence>
<xs:attribute name="text" type="xs:string"/>
<xs:attribute name="auth" type="xs:string"/>
<xs:attribute name="link" type="xs:string"/>
<xs:attribute name="url" type="xs:string"/>
<xs:attribute name="device" type="xs:string"/>
</xs:complexType>
<xs:complexType name="includeType">
<xs:attribute name="file" type="xs:string"/>
</xs:complexType>
<xs:complexType name="menu_definitionType">
<xs:sequence>
<xs:element name="description" type="descriptionType"
minOccurs="0" maxOccurs="1"/>
<xs:element name="include" type="includeType" minOccurs="0"
maxOccurs="1"/>
<xs:element name="menu" type="menuType" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="id" type="xs:string" use="required" />
</xs:complexType>
<xs:complexType name="separatorType">
<xs:attribute name="padding" type="xs:string" />
<xs:attribute name="size" type="xs:string" />
<xs:attribute name="image" type="xs:string" />
</xs:complexType>
<xs:element name="peakflow">
<xs:complexType>
<xs:sequence>
<xs:element name="menu_definition" type="menu_definitionType"
minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="version" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:schema>

Basic XML menu example

The following example shows how to define one top-level menu (System), which contains
one sub-menu (Status). It also shows how to define a UI menu-item which has a web-
page URL under the System menu (sp_menu_system).
<?xml version="1.0" encoding="utf-8"?>
<peakflow version="1.0">
<menu_definition id="default">
<description>This is an example menu. </description>
<menu id="sp_menu_main">
<item text="System" auth="sp_status" link="sp_menu_system" />
</menu>
<menu id="sp_menu_system">
<item text="Status" auth="sp_status" link="sp_menu_peer_status" />
<item text="UI" auth="sp_admin" url="/system/ui" />
</menu>
</menu_definition>
</peakflow>
XML menu example that links to other XML menus

A common use for a custom menu is to add additional menus to one of the default menu
sets. To simplify the creation of derivative menu sets, an XML menu definition might
include other menu definitions, as shown in the following example:
<?xml version="1.0" encoding="utf-8"?>
<peakflow version="1.0">
<menu_definition id="traffic.xml">
<description>Traffic and Routing</description>
<include file="default.xml"/>
<default url="/page?id=my_peakflow"/>
<menu id="sp_menu_main">
<item text="System" auth="sp_status" link="sp_menu_system"/>
<item text="Alerts" auth="sp_alerts" link="sp_menu_alerts"/>
<item text="Reports" link="sp_menu_default_reports"/>
<item text="Administration" link="sp_menu_admin"/>
</menu>
<menu id="sp_menu_alerts">
<item text="Ongoing" auth="sp_alerts" url="/page?id=alerts_ongoing">
<pagematch>/page?id=alerts_ongoing</pagematch>
<pagematch>/page?id=alert_view</pagematch>
</item>
<item text="Recent" auth="sp_alerts" url="/page?id=alerts_recent">
<pagematch>/page?id=alerts_recent</pagematch>
<separator/>
</item>
</menu>
<menu id="sp_menu_admin_mobj">
<item text="Managed Objects" auth="sp_admin"
url="/page?id=managed_object_list">

<pagematch>/page?id=managed_object_list</pagematch>
</item>
</menu>
</menu_definition>
</peakflow>

Enabling the Subscriber Feature

You must enable the Subscriber feature in the CLI before you can create and view data
about subscriber groups in the web UI.
Enabling the Subscriber feature

To enable the Subscriber feature:
1. Log in to the leader appliance’s CLI using the administrator user name and password.
2. Enter / services sp model subscribers enable
Example
The following is an example of enabling the Subscriber feature:
admin@mariner1:/# / services sp model subscribers enable

Restoring the Default Login Page

You can restore a customized login page (configured in the web UI) to the Sightline default
login page. This can be useful if incorrect HTML results in a blank login page.
See “Customizing the Login Page” in the Sightline and Threat Mitigation System User
Guide .
Restoring the default login page

To restore the default login page:
1. Using the administrator user name and password, log in to the CLI of the appliance
whose login page you want to clear.
2. Enter / services sp portal login_page clear
3. To confirm that you want to remove the customized login page, enter y
Example
The following is an example of restoring the default login page:
admin@mariner:/# / services sp portal login_page clear
Are you sure you want to remove your login page customization?
(this cannot be undone)? [n] y

Overriding the Number of Configuration Changes Shown on

the Interface Configuration History Page
By default, Sightline limits the number of configuration changes shown to 1000 on the
Interface Configuration History page (Administration > Monitoring > Interface
Configuration History ). You can change this number in the CLI.
For more information about monitoring interface configuration history, see “Monitoring
Interface Configuration History” in the Sightline and Threat Mitigation System User Guide .
Procedure
To change the number of the configuration changes shown on the Interface Configuration
History page:
1. Log in to the leader appliance’s CLI using the administrator user name and password.
2. Enter / services sp auto-config interface revisions set number
number = the maximum number of configuration changes you want to display on
the Interface Configuration History page
Example
The following example shows how to set the configuration changes to display to 2000:
admin@mariner1:/# / services sp auto-config interface ?
revisions Set the max configuration history versions to
display
rules/ Interface classification regular expression rules
run Start interface classification
admin@mariner1:/# / services sp auto-config interface revisions set 2000
admin@mariner1:/#

Changing How Sightline Sorts Alerts by Importance

By default, when Sightline sorts alerts by importance in the web UI, it first sorts alerts by
severity level (high, medium, or low) and then by the maximum severity percent value (for
DoS alerts only). However, you can change how Sightline sorts alerts in the Importance
column on the Alert pages. This feature allows you to configure the primary and
secondary importance options by which you want Sightline to sort alerts. You can
prioritize how Sightline sorts alerts based on the following importance options:
n level (high, medium, or low severity level)
n percent (maximum severity percent)

n impact (maximum impact of alert traffic)
For additional information about severity level, maximum severity percent, and maximum
impact of alert traffic, see "About key alert information on the Summary tab" and "Why
maximum severity percent, maximum impact of alert traffic, and maximum observed
values might not match" in the Sightline and Threat Mitigation System User Guide .
Changing alert sorting order

To change how Sightline sorts alerts by importance in the web UI:
2. Enter / services sp alerts search column_sort importance set primary
secondary
primary = {level | percent | impact}
secondary = {level | percent | impact}

Changing the Graph View on DoS Alert Listing Pages

Sightline bases the graphs on the DoS alert listing pages on the data in the Impact column.
You can also change the graphs to show classic data, which shows data points for
individual routers and interfaces that are involved in the alert.
Changing the graph view of DoS alerts

To change the graph view:
password.
2. Enter / services sp preferences minigraph_type set {classic | impact |
default}.
The default setting is impact.

Changing the Search Result Settings on the Alerts and

Mitigation Pages
You can use the CLI to change the default settings for the search results that appear on the
alerts and mitigation pages in the web UI. For both alerts and mitigations, you can modify
the number shown per page and the maximum number of returned results.
The default settings are 10 alerts per page and 100 maximum returned results.
Changing the alerts shown per page

To change the alerts per page:
2. To view your current alert search settings, enter / services sp alerts search
show
3. Enter / services sp alerts search per_page set number
number = the number of search results you want shown per page
Changing the maximum number of returned alerts

To change the maximum number of returned alerts:
2. Enter / services sp alerts search max_results set number
number = the maximum total number of search results
Restoring the default alert settings

To restore the default setting for alerts per page:
2. Enter / services sp alerts search per_page set default
To restore the default setting for maximum number of alert results:
2. Enter / services sp alerts search max_results set default
Changing the mitigations shown per page

To change the mitigations per page:
2. To view your current alert search settings, enter / services sp mitigation
search show
3. Enter / services sp mitigation search per_page setnumber
number = the number of search results you want shown per page

Changing the maximum number of returned mitigations

To change the maximum number of returned mitigations:
2. Enter / services sp mitigation search max_results set number
number = the maximum total number of search results
Restoring the default mitigation settings

To restore the default setting for mitigations per page:
2. Enter / services sp mitigation search per_page set default
To restore the default setting for maximum number of mitigation results:
2. Enter / services sp mitigation search max_results set default

Configuring Prefix Aggregation of IP Addresses for DoS Alerts

The aggregation of IP address prefixes on the DoS alert pages is enabled by default. Prefix
aggregation makes it easier to identify the addresses associated with an attack. Aggregated
prefixes for a managed object can include IP addresses that do not match the managed
object. If you want to ensure that Sightline only includes IP addresses in the DoS alerts that
match the managed object, then you can disable prefix aggregation. When you disable
prefix aggregation, it is disabled for all managed objects.
Important
If you disable prefix aggregation of IP addresses, Sightline can only display the top 200
individual source and destination IP addresses on the Traffic Details tab of a DoS alert.
Sightline can also display only top traffic patterns for individual IP addresses.
You use the CLI to disable the aggregation of IP addresses. If you have disabled prefix
aggregation of IP addresses, you can then use the CLI to enable prefix aggregation. You
can also use the CLI to clear the prefix aggregation settings. When you clear the prefix
aggregation settings, the default settings are restored, which currently means that prefix
aggregation is enabled.
Where aggregated IP addresses appear on the DoS alert pages

Aggregated IP addresses can appear in the following tables of a DoS alert:
n Alert Characterization table on the Summary tab
n Top Traffic Patterns table on the Summary tab and the Traffic Details tab
n Source and destination address tables on the Traffic Details tab
For information about these tables, see the following:

n “About the Summary Tab on a DoS Alert Page” in the Sightline and Threat Mitigation
System User Guide
n “About the Traffic Details Tab on a DoS Alert Page” in the Sightline and Threat Mitigation
System User Guide
Disabling prefix aggregation of IP addresses for DoS alerts

To disable prefix aggregation of IP addresses for DoS alerts:
2. Enter / services sp data dos ip_aggregation disable
3. To view the aggregation settings, enter / services sp data dos ip_
aggregation show
Enabling prefix aggregation of IP addresses for DoS alerts

To enable prefix aggregation of IP addresses for DoS alerts:
2. Enter / services sp data dos ip_aggregation enable
aggregation show

Clearing prefix aggregation of IP addresses for DoS alerts

To clear prefix aggregation of IP addresses for DoS alerts:
2. Enter / services sp data dos ip_aggregation clear
aggregation show

Chapter 9
Configuring User Account and User
Group Settings
This section describes CLI commands that you can use to configure user account and user
group settings.
In this section
Hiding Non-Local User Data on the User Account Login Records Page 180
How Sightline Header-Based Single Sign-On Works 181
Configuring Header-Based Single Sign-On 183
Changing the Default RADIUS/TACACS+ User Group 185

Hiding Non-Local User Data on the User Account Login Records

Page
By default, the User Account Login Records page in the web UI displays the last login
attempts of all configured users and any other users who logged in to the web UI since the
last time the system restarted. This can include users who have been deleted from the
system and those who have external TACACS+ or RADIUS accounts. If you do not want
non-local users’ information to be displayed on the User Account Login Records page, then
you can hide their data.
Hiding non-local user data

To hide non-local users’ data on the User Account Login Records page:
1. Log in to the leader appliance’s CLI by using the administrator user name and
password.
2. Enter / services aaa local advanced hide_non_local_history enable

Chapter 9 Configuring User Account and User Group Settings
How Sightline Header-Based Single Sign-On Works

Sightline allows single sign-on using HTTP header authentication, which is an
authorization mechanism that uses an HTTP header variable to specify a user name.
Applications that support single sign-on HTTP header authentication allow access for valid
HTTP header user names, without requiring the user to re-enter their user name and
password.
Supported products
Sightline uses both IBM's WebSeal and Tivoli Policy Director products to provide a web
proxy and single sign-on authentication mechanism. For HTTP header authentication, the
web proxy sets the HTTP header to the login ID for the authenticated user, which maps
directly to the Sightline login ID.
Important
You must have an Sightline user account (login ID) to use single sign-on. For instructions
about how to create a user account, see “Configuring User Accounts” in the Sightline and
About access rules and web proxy security

To use a web proxy, you can configure Sightline’s remote address access rules so that
header-based authentication is only allowed from your web proxy servers. This provides
additional security by limiting header spoofing. After you configure remote access rules,
every time you access the Sightline web user interface, Sightline verifies that the remote
address is on the configured list of IP addresses before it allows HTTP header
authentication. If the IP address meets standard HTTPS access rules but is not on the
remote address list, single sign-on does not work, and Sightline displays the standard
login page.
See “Configuring Header-Based Single Sign-On” on page 183.
Using the web proxy for the first time

When you log in to the Sightline web user interface using the web proxy for the first time,
the web proxy does the following:
1. Intercepts the HTTPS communication sent to the Sightline appliance.
2. Displays an HTML page that prompts you to enter your user name and password for
authentication.
3. Sets the HTTP header value according to the information you entered.
4. Logs you in to the Sightline web user interface and displays the Summary page.
Using the web proxy for ongoing log in requests

After you configure single sign-on, every time you request web access to Sightline, the web
proxy server passes the HTTP header value, and Sightline verifies that the value is the
same. If the value changes, Sightline automatically directs you to the web proxy login page
for you to log in as a new user, updates the header value, and reauthenticates you as the
new user.

If the authentication expires (times out), Sightline redirects you to the configured logout
page, so you can re-enter your user information, and then automatically logs you in to the
Sightline web user interface.
How to log out using single sign-on

The web proxy supports user-initiated logouts from within the Sightline web user interface
if you configure a logout URL. When you log out from the Sightline web UI, Sightline
redirects you to the logout page for your single sign-on system so that you can log out
from the single sign-on system and Sightline.

Configuring Header-Based Single Sign-On

You must configure and enable HTTP header authentication on your Sightline appliance
before you can use single sign-on.
Task overview
To configure single sign-on HTTP header authentication, you must complete the following
tasks:
Single sign-on HTTP header authentication configuration tasks
Task Description
1 Enable HTTP header authentication.
2 Configure the HTTP header value.
3 Configure a URL to which you want to direct users who fail to authenticate.
4 Configure a URL to connect users who log out from Sightline so that they can
log out from the single sign-on system.
5 Enable remote access rules.
6 Add remote access rules for the web proxy servers to limit the IP addresses
that can connect to Sightline through single sign-on.
Configuring single sign-on HTTP header authentication

To configure single sign-on HTTP header authentication:
1. Log in to the Sightline appliance CLI using SSH.
2. Navigate to the / services sp sso menu.
3. To enable HTTP header authentication, enter http_header enable
4. To set the HTTP header value, enter http_header set header value
header value = the header variable that specifies a user name (for example:
http_user_id)
5. To redirect invalid users, enter http_header invalid_user set URL
URL = where you want to redirect invalid users
Important
You cannot enter the ? character in a URL because it is a reserved character in the
Sightline CLI that activates the help. Instead, enter %3f.
6. To redirect users when they log out, enter http_header logout set URL
URL = where you want to redirect users when they log out
Important
You cannot enter the ? character in a URL because it is a reserved character in the
Sightline CLI that activates the online help. Instead, enter %3f.
7. To enable IP or CIDR block address rules, enter http_header remote_address
enableIP addresses

IP addresses = the web proxy servers that you want to allow to communicate
with Sightline for single sign-on
Tip
You can enter IP addresses or CIDR blocks, and enter multiple addresses as a
comma-separated list.
8. To save the settings, enter config write
Example
The following example shows how to configure single sign-on HTTP header
authentication:
host: ssh leader.sample.net
username: admin
password; *******
Last Login: UI on Tue Mar 6 21:36:08 2013 from 10.0.0.1
Sightline v5.8
Welcome to Peakflow
admin@leader:/# services sp sso

http_header/ Configure HTTP header authentication
show Show SSO configuration
admin@leader:/services/sp/sso# http_header?
disable Disable HTTP header based authentication
enable Enable HTTP header based authentication
header Configure username header variable
invalid_user Configure invalid user redirection URL
logout Configure logout redirection URL
remote_address/ Configure remote address access limiting
show Show HTTP header configuration
admin@leader:/services/sp/sso# http_header enable
admin@leader:/services/sp/sso# http_header header set http_user_id
admin@leader:/services/sp/sso# http_header invalid_user set https://
webseal_server.sample.net/failure.html
admin@leader:/services/sp/sso# http_header logout set https://
webseal_server.sample.net/logout.html
admin@leader:/services/sp/sso# http_header proxy_path set arborsp
admin@leader:/services/sp/sso# http_header remote_address enable
admin@leader:/services/sp/sso# http_header remote_address add
10.0.1.0/24
admin@leader:/services/sp/sso# config write

Changing the Default RADIUS/TACACS+ User Group

If you add a RADIUS or TACACS+ user without specifying a specific user group, the user is
added to the system_user group by default. If the system_user group has inappropriate
privileges for your RADIUS or TACACS+ users, you can change the default RADIUS or
TACACS+ user group to a pre-configured group or create your own custom group.
For more information about user groups, see “About Account Groups” in the
Changing the default RADIUS/TACACS+ user group

To change the default RADIUS/TACACS+ user group:
1. Log in to the Sightline leader appliance’s CLI using your administrator user name and
password.
2. Enter / services aaa groups default set group_name
group_name = the group name that you want set as the default
If you want to use a custom group as the default, you must first create that group in the
web UI.
For more information about creating custom user groups, see “Configuring Account
Groups” in the Sightline and Threat Mitigation System User Guide .
Example
The following example shows how to set the system_none group (with no privileges) as
the default for any RADIUS/TACACS+ user that does not have a specified group.
admin@mariner1:/# services aaa groups default set system_none
admin@mariner1:/services/aaa/groups# config write


Chapter 10
Configuring DoS Detection Settings
This section describes CLI commands that you can use to configure DoS detection
settings.
In this section
Combining Duplicate Sets of Shared Host Detection Settings 188

Converting Managed Objects and Services to Use Custom Sets of Host Detection
Settings 190
Disabling and Enabling Host Detection Misuse Types 191
Resetting DoS Evaluation Baselines 193
Disabling and Enabling Auto-detection of VPN Sites 194

Combining Duplicate Sets of Shared Host Detection Settings
You can use the CLI to identify and combine duplicate sets of shared host detection
settings. Duplicate sets of shared host detection settings all have identical settings. When
you combine duplicate sets of shared host detection settings, a single set is assigned to
each managed object or service that had one of the duplicate sets. You then have to edit
only a single set of shared host detection settings to change the settings for each managed
object or service using the shared set. See "About Shared Host Detection Settings" in the
The CLI allows you to display every set of shared host detection settings and groups the
duplicate sets together. You can also display just the sets of shared host detection settings
that are duplicates of a specific set. After you identify duplicate sets of shared host
detection settings, you can then combine all of the duplicate sets into a single set, or you
can combine just some of the duplicate sets into a single set. For information about the
CLI commands, see “Using CLI Commands” on page 16 .
Displaying every set of shared host detection settings with duplicate sets grouped
together
You can use this procedure to display every set of shared host detection settings with the
sets arranged so that duplicate sets are grouped together. You can then look at the
duplicate sets and determine if you want to combine any or all of them into a single set.
To display every set of shared host detection settings with duplicate sets grouped together:
password.
2. Enter / services sp detection host shared duplicate show
Displaying sets of shared host detection settings that are duplicates of a specific set
You can use this procedure to display the sets of shared host detection settings that are
duplicates of a set that you specify. You can then look at the duplicate sets and determine
if you want to combine any or all of them into a single set.
To display sets of shared host detection settings that are duplicates a specific set:
password.
2. Enter / services sp detection host shared duplicate show name
name = the name of the set of shared host detection settings that you want use to
identify the other sets with the same settings
Note
If the name contains spaces, then enclose the name in double quotation marks.

Chapter 10 Configuring DoS Detection Settings
Combining every set of shared host detection settings that are duplicates of a
specific set
You can use this procedure to combine every set of shared host detection settings whose
settings are duplicates of a set that you specify. After the sets of settings are combined,
each duplicate set is deleted, unless the duplicate set is the Default set or the Disabled set.
The combined set of settings is then assigned to each managed object or service to which
the duplicate sets were formerly assigned. If you want to combine only some of the sets
that are duplicates of a given set of settings, see “Combining selected sets of shared host
detection settings that are duplicates of a specific set” below.
To combine every set of host detections settings that are duplicates of a specific set:
password.
2. Enter / services sp detection host shared duplicate combine all name
name = the name of the set of host detection settings to which you want to
combine all of its duplicates
Note
If the name contains spaces, then enclose the name in double quotation marks.
Combining selected sets of shared host detection settings that are duplicates of a
specific set
You can use this procedure to combine selected sets of shared host detection settings
whose settings are duplicates of a set that you specify. After the sets of settings are
combined, each duplicate set is deleted, unless the duplicate set is the Default set or the
Disabled set. The combined set of settings is then assigned to each managed object or
service to which the duplicate sets were formerly assigned. If you want to combine all of
the sets that are duplicates of a given set of settings, see “Combining every set of shared
host detection settings that are duplicates of a specific set” above.
To combine selected sets of shared host detection settings that are duplicates of a specific
set:
password.
2. Enter / services sp detection host shared duplicate combine selected
name_1 {name_2,name_3,..,name_n}
name_1 = the name of the set of shared host detection settings to which you want
to combine all of its duplicate sets that you specify
name_2,name_3,..,name_n = the names of each of the duplicate sets of shared host
detection settings that you want to combine with the name_1 set
Note
You must enclose name_2,name_3,..,name_n in braces and separate each name with
a comma and no space. If a name contains spaces or commas, then enclose the
name in double quotation marks (for example, “copied from XYZ”).
Note
If any set of shared host detection settings specified by name_2,name_3,..,name_n is
not a duplicate of the name_1 set, then its settings are ignored and are not combined
with the name_1 set.

Converting Managed Objects and Services to Use Custom Sets

of Host Detection Settings
You can use CLI commands to convert all or some of your managed objects and services
from using shared sets of host detection settings to using a custom set. A custom set
allows you to edit the settings for each individual managed object and service to better
match the threat against it. It also allows managed service administrators to edit the host
detection settings for their profile managed objects. After conversion, the custom set for
each managed object and service uses the same settings as the shared set that was
previously assigned.
For additional information about how to configure sets of host detection settings, see
"Configuring Host Detection for Managed Objects" in the Sightline and Threat Mitigation
System User Guide . For information about using CLI commands, see “Using CLI
Commands” on page 16.
Converting every managed object and service to use custom sets

To convert all managed objects and services that have shared host detection settings to
use individual custom sets with the same settings:
password.
2. Enter / services sp managed_objects convert_to_custom_host_set all
A list of managed objects and services that will be converted is displayed.
3. Enter y
Converting a set of managed objects and services to use custom sets

To convert a set of managed objects and services that have shared host detection settings
to use custom sets with the same settings:
password.
2. Enter / services sp managed_objects convert_to_custom_host_set
filter filter
filter = an expression that filters the managed object list
For example, AS matches any managed object with "AS" in its name
A list of managed objects and services that will be converted is displayed.
3. Enter y

Disabling and Enabling Host Detection Misuse Types

You can use a CLI command to disable or enable a host detection misuse type across all
sets of custom and shared host detection settings. See "Configuring Host Detection for
Managed Objects" in the Sightline and Threat Mitigation System User Guide .
By default, every host detection misuse type in a set of host detection settings is enabled
except for the Total Traffic misuse type. If you experience an inordinate number of alerts
because a misuse type is enabled, you can quickly disable that misuse type in every set of
host detection settings. After you disable a misuse type, you can use the Sightline web
UI to modify its settings in individual sets of host detection settings so that when they are
enabled they do not trigger false alerts.
After you modify the settings of a misuse type in individual sets of host detection settings,
you can then manually enable the misuse type in those sets of host detection settings, or
you can use the CLI to enable that misuse type for every set of host detection settings.
Note
The names you assign to user-defined misuse types are not displayed in the CLI. If you
want to disable a user-defined misuse type in every set of host detection settings, we
recommend using the web UI to disable it. See Disabling a user-defined misuse type
everywhere in the Sightline and Threat Mitigation System User Guide .
Disabling or enabling a host detection misuse type

To enable or disable a host detection misuse type:
password.
2. Enter / services sp detection host types {disable | enable} misuse_
type_label.
misuse_type_label = the label of the misuse type that you want to enable or
disable. See “Host detection misuse type labels” below.
Important
This command disables or enables the host detection misuse type in every set of
host detection settings.
Host detection misuse type labels

The following are the predefined host detection misuse types with the misuse type label
that is used in the CLI command to enable or disable that misuse type:
Labels for predefined host detection misuse types
Misuse Type Misuse Type Label

chargen Amplification chargen_amp
CLDAP Amplification cldap_amp
DNS dns

Labels for predefined host detection misuse types (Continued)
Misuse Type Misuse Type Label

DNS Amplification dns_amp
ICMP icmp
IP Fragment ipfrag
IPv4 Protocol 0 ipnull
IP Private ippriv
L2TP Reflection/Amplification l2tp
mDNS Reflection/Amplification mdns
memcached Amplification memcached_amp
MS SQL RS Amplification mssql_amp
NetBIOS Reflection/Amplification netbios
NTP Amplification ntp_amp
RIPV1 Reflection/Amplification ripv1
rpcbind Reflection/Amplification rpcbind
SNMP Amplification snmp_amp
SSDP Amplification ssdp_amp
TCP ACK tcpack
TCP null tcpnull
TCP RST tcprst
TCP SYN tcpsyn
TCP SYN/ACK Amplification tcpsynack
Total Traffic total
UDP udp

Resetting DoS Evaluation Baselines

If you deploy Sightline in a laboratory situation, you can test the DoS detection capabilities
by resetting the DoS evaluation baseline. This baseline is used as a model of “normal”
traffic, which takes packets per second and bandwidth into account. It also includes
information about the volume and type of traffic seen on the network.
After you start the evaluation baseline period, Sightline will monitor traffic for the specified
duration. At the end of that time, the monitored traffic is used to create the evaluation
baseline, which is then used for profiled DoS detection. Because of this, you should make
sure that the traffic used to generate the baseline is already running before you enable
evaluation baseline mode.
Note
Unlike normal baseline monitoring, the evaluation baseline is not updated again until
you run the reset baseline command.
Important
We recommend that you do not perform this procedure in your normal day-to-day
operation.
Resetting the DoS evaluation baseline

To reset the DoS evaluation baseline for your Sightline deployment:
password.
2. Enter / services sp detection profiled eval_baseline enable
baseline_period
baseline_period = seconds
5. Enter / services sp data database reset baseline
7. Log in to each non-leader appliance you are using and repeat Step 4 through Step 6.
Example
The following example shows how to log in to an Sightline leader and reset the DoS
evaluation baseline to 20 minutes:
admin@mariner1:/# / services sp detection profiled eval_baseline
enable 1200
admin@mariner1:/# / services sp stop
Stopping Sightline services..............done.
admin@mariner1:/# / services sp data database reset baseline
Reset baseline database? (This operation cannot be undone) [n] y
Deleting baseline data. This could take a while...done.
admin@mariner1:/# / services sp start
Starting Sightline services......done.

Disabling and Enabling Auto-detection of VPN Sites

By default, VPN sites are detected and configured automatically when the match type of a
VPN managed object is a route target and the VPN sites match the configured route
targets. These auto-detected VPN sites appear on the VPN Sites tab when you edit a
VPN managed object and as child managed objects on the Configure Managed Objects
page. If you do not want Sightline to automatically detect VPN sites, you can use a CLI
command to disable auto-detection.
If you disable auto-detection of VPN sites after VPN sites have been auto-detected for a
VPN managed object, then the auto-detected VPN sites will continue to be associated with
the VPN managed object. If you later decide to enable auto-detection of VPN sites, you can
then use a CLI command to enable auto-detection. You can also use a CLI command to
reset the auto-detection settings to the default setting of enabled.
For additional information, see the following topics in the Sightline and Threat Mitigation
System User Guide :
n Configuring Match Settings for Managed Objects
n About the VPN Sites Tab

n Configuring VPN Site Managed Objects
Disabling or enabling auto-detection of VPN sites

To enable or disable auto-detection of VPN sites:
password.
2. Enter services sp managed_objects auto_detect vpnsites {disable |
enable}
3. To determine if auto-detection of VPN sites is enabled or disabled, enter services
sp managed_objects auto_detect vpnsites show
Resetting the VPN site auto-detection settings to the default setting of enabled

By default, the VPN site auto-detection settings are enabled. If you disable the auto-
detection settings, you can use a CLI command to reset the settings to the default setting
of enabled.
To reset the auto-detection settings to the default setting of enabled:

password.
2. Enter services sp managed_objects auto_detect vpnsites clear

Chapter 11
Configuring Mitigation Settings
This section describes CLI commands that you can use to configure mitigation settings.
In this section
Changing the Default Traffic-Triggered Auto-Mitigation Settings 196

Configuring the Mitigation Return Time Interval 197
Configuring the Sample Packet Recording Settings 198
Disabling the Whitelisting of Hosts with the SSL Negotiation Countermeasure 199
Enabling Blocked-Host Logging on TMS Appliances 200
Rate Limiting Layer 2 and Layer 3 Conversion Charts 201
Using 6PE to Divert and Mitigate IPv6 Traffic 203
Configuring Custom Blackhole Nexthop Templates 207

Changing the Default Traffic-Triggered Auto-Mitigation

Settings
When traffic-triggered auto-mitigation is enabled in the web UI, Sightline starts
auto-mitigations when a managed object’s traffic exceeds 100 pps on any TMS appliance.
If during mitigation the TMS appliance does not detect at least the threshold amount of
traffic for a period of five minutes, then Sightline ends the mitigation. You can change the
default threshold and timeout values for traffic-triggered auto-mitigation using the CLI.
These settings are global and cannot be configured on a per-managed object basis.
Changing the default timeout value

To change the default traffic-triggered auto-mitigation timeout value:
2. Enter / services sp mitigation auto-mitigation traffic timeout set
minutes
minutes = the number of minutes that must pass without traffic being reported
before Sightline ends a mitigation
Changing the default threshold value

To change the default traffic-triggered auto-mitigation threshold value:
2. Enter / services sp mitigation auto-mitigation traffic threshold set
value
value = the amount of traffic (in pps) at which Sightline begins auto-mitigating a
managed object

Chapter 11 Configuring Mitigation Settings
Configuring the Mitigation Return Time Interval

When mitigation orchestration is enabled (see "About TMS Mitigation Orchestration" in the
Sightline and Threat Mitigation System User Guide ), mitigations are moved from
over-capacity TMS groups to under-capacity TMS groups. Mitigations moved by mitigation
orchestration are returned to their original TMS group on a specific time interval. You
configure the time interval through the Sightline CLI.
Showing the current return time interval

The return time interval defaults to 360 minutes (6 hours). You can view the current return
time interval when the default value has been overridden.
To view the current value:

1. Log in to the leader appliance's CLI by using the administrator name and password.
2. Enter services sp tms show commands.
mitigation_return_retry_interval does not appear in the output if the default
value has not been overridden.
Setting the return time interval

To set the mitigation return time interval:
2. Enter services sp tms mitigation_return_retry_interval set { interval
| never }
interval = the number of minutes before Sightline tries to return a mitigation
Use never to never return mitigations to their original TMS group.
Sightline tries to return mitigations to their original TMS group every interval minutes
after they are moved.
Resetting the return time interval to the default value

To reset the return time interval to the default value of 360 minutes (6 hours):
2. Enter services sp tms mitigation_return_retry_interval clear.

Configuring the Sample Packet Recording Settings

You can use Sightline to record a packet capture (PCAP) file. The default recording settings
for a PCAP file are 5,000 packets or 60 seconds of recording, whichever occurs first. You
can use the CLI to modify the default settings.
For more information, see “About Sample Packets” in the Sightline and Threat Mitigation
System User Guide .
Viewing the sample packet recording settings

To view the sample packet recording settings:
1. Log in to the appliance’s CLI using the administrator user name and password.
2. Enter / services sp mitigation sample_packets show
Configuring the sample packet recording settings

To configure the sample packet recording settings:
2. To set the maximum number of packets to record, enter / services sample_
packets max_packets set number
number = the maximum number of sample packets that you want to record
Note
The maximum number of packets that a TMS appliance can record is 100,000.
3. To set the maximum number of seconds for the recording, enter / services
sample_packets max_seconds set number
number = the maximum number of seconds that you want to record sample
packets
Note
The maximum number of seconds that a TMS appliance can record sample packets
is 900.
Resetting the default sample packet recording settings

To reset the default sample packet recording settings:
2. To reset the default maximum number of packets to record, enter / services
sample_packets max_packets clear
3. To reset the default maximum number of seconds for the recording, enter /
services sample_packets max_seconds clear

Disabling the Whitelisting of Hosts with the SSL Negotiation

Countermeasure
The SSL Negotiation countermeasure whitelists a host that completes the SSL handshake
and sends application data. Because of this whitelist, attackers might complete a
handshake, send application data, and then attack without being mitigated. If this
happens, you can use the CLI to disable the whitelisting of hosts with the SSL Negotiation
countermeasure.
Disabling whitelisting of hosts with the SSL Negotiation Countermeasure

To disable the whitelisting of hosts with the SSL Negotiation Countermeasure:
2. Enter / services tms registry main set mitigation tls_form
whitelist_enable = 0
To re-enable whitelisting with the SSL Negotiation countermeasure, set the value to 1.

Enabling Blocked-Host Logging on TMS Appliances

You can configure a TMS appliance to automatically send a message to a remote syslog
server when a mitigation adds a host to the blocked hosts list. Once configured, the TMS
appliance immediately sends a syslog message to the remote server each time it updates
the blocked hosts list. The message contains the IP address of the blocked host as well as
the TMS countermeasure that caused the IP address to be blocked.
Blocked-host logging is disabled by default.
Setting the host and port number for the log file location
You need to set the host IP address where the logs will be written. You can also set the
host port number that will be used to write the logs. If you do not set a host port number,
port number 514 will be used by default.
To set the host and the host port number where the logs will be written:
2. Enter / services tms registry main set logger default_syslog_host =
host_IP_address
3. (Optional) Enter / services tms registry main set logger default_
syslog_port = host_port_number
Enabling blocked-host logging

To enable blocked host logging and send the data to a dedicated file:
2. Enter / services tms registry main set logger default_local_logging_
enabled = 1
Disabling blocked host logging

To disable blocked host logging:
2. Enter / services tms registry main set logger default_local_logging_
enabled = 0
Example
The following example shows how to set a log file location and enable blocked-host
logging on a TMS appliance:
admin@tms:# services tms
admin@tms:/services/tms# registry main set logger default_syslog_host
= 192.0.2.1
admin@tms:/services/tms# registry main set logger default_syslog_port =
514
admin@tms:/services/tms# registry main set logger default_local_
logging_enabled = 1

Rate Limiting Layer 2 and Layer 3 Conversion Charts

When you use the rate limiting countermeasure to ensure that a downstream target is not
overwhelmed, it is important to account for the additional GRE encapsulation added to the
traffic on output from the TMS appliance. This section includes Layer 2 and Layer 3
conversion charts, which provide the following:
n the expected overhead of the GRE tunnel based on the input rate
n a rate limit suggestion based on a target output rate (matching the original input rate)
after the addition of the GRE tunnel
About the Layer 2 conversion chart

IXIA Layer 2 IMIX was used which includes the following packet distribution:
n 6 @ 64 bytes
n 4 @ 570 bytes
n 1 @ 1518 bytes
Note
The average packet size is 380 bytes.
Layer 2 chart
The following Layer 2 conversion chart provides GRE encapsulation overhead based on
input rate with IMIX packet distribution:
Layer 2 conversions
Total Output L2 Bit Ratelimit Value to Match

Input L2 Bit Rate Rate with GRE Input
100.00M 106.31M 93.69M
250.00M 265.78M 234.22M
500.00M 531.56M 468.44M
750.00M 797.35M 702.65M
1000.00M 1063.13M 936.87M
1500.00M 1594.69M 1405.31M
2000.00M 2126.26M 1873.74M
2500.00M 2657.82M 2342.18M
3000.00M 3189.38M 2810.62M
Note
Layer 2 header calculated using Ethernet encapsulation.

About the Layer 3 conversion chart

IXIA Layer 3 IMIX was used, which includes the following packet distribution:
n 6 @ 40 bytes
n 4 @ 546 bytes
n 1 @ 1494 bytes
Note
The average packet size is 356 bytes.
Layer 3 chart
The following Layer 3 conversion chart provides GRE encapsulation overhead based on
input rate with IMIX packet distribution:
Layer 3 conversions
Total Output L3 Bit Ratelimit Value

Input L3 Bit Rate Rate with GRE to Match Input
100.00M 106.74M 93.26M
250.00M 266.85M 233.15M
500.00M 533.69M 466.31M
750.00M 800.54M 699.46M
1000.00M 1067.38M 932.62M
1500.00M 1601.07M 1398.93M
2000.00M 2134.76M 1865.24M
2500.00M 2668.45M 2331.55M
3000.00M 3202.14M 2797.86M

Using 6PE to Divert and Mitigate IPv6 Traffic

If you use IPv4 MPLS for most of the traffic in your network, you can use 6PE (IPv6
Provider Edge) to divert and mitigate IPv6 traffic.
Important
To divert and mitigate traffic using 6PE, the TMS appliance must be running TMS 8.1 or
higher.
About configuring your deployment to mitigate IPv6 traffic using 6PE

To use 6PE to divert and mitigate IPv6 traffic, you must use the CLI to make the following
configuration changes to your Sightline and TMS deployments:
n Configure the BGP session with a monitored provider edge router to have labeled
unicast BGP capabilities.
When Sightline starts an IPv6 mitigation using 6PE, it announces a labeled unicast route
to a provider edge router along with an MPLS label that you select. The router applies
the MPLS label to the packets of the IPv6 traffic to be mitigated. It then encapsulates the
traffic and forwards it across the MPLS portion of your network. See “Configuring a
BGP session to have labeled unicast BGP capabilities” on the next page.
Note
When Sightline triggers a mitigation using 6PE, a "Sent mpls labeled route
announcement" annotation is added to the mitigation.
n Set an MPLS label and an IPv4 next hop on one or more TMS appliances.
The MPLS label and IPv4 next hop enable the TMS appliances to receive the diverted
traffic. You use the same MPLS label that the provide edge router adds to packets of
traffic that are to be diverted for mitigation. See “Setting an MPLS label and an IPv4
next hop on a TMS appliance” on the next page.
n On the TMS appliances that have the MPLS label set, enable all of the TMS ports to
process MPLS labels.
By enabling the ports of a TMS appliance to process MPLS labels, you also enable the
appliance to pop the MPLS labels. After MPLS labels are popped, the TMS appliance
mitigates the IPv6 traffic and forwards the mitigated traffic using the forwarding method
configured for that appliance. See “Enabling a TMS port to process MPLS labels” on
page 205.
Note
If one or more TMS appliances in a TMS group have label popping enabled, then a
message about this label popping ability appears below the TMS Group setting on the
Summary tab of the TMS Mitigation Status page.
Important things to know when using 6PE to mitigate IPv6 traffic

The following are important things to know when using 6PE to mitigate IPv6 traffic:
n The ports for each TMS appliance that is in the group must have the same
MPLS processing setting, while the ports of a different TMS that is in the group can have
a different MPLS setting. For example, the ports of one TMS appliance that are in a TMS
group can have the MPLS processing setting enabled, while the ports of another TMS
appliance that is in the same TMS group can have the MPLS processing setting disabled.

n The TMS All group should not be used when using 6PE to mitigate IPv6 traffic because
Sightline is not able to validate the mitigation with the All group.
n A TMS group can have TMS appliances that are enabled to pop MPLS labels and other
TMS appliances that are not enabled to pop MPLS labels.
n TMS ports that are enabled to process MPLS labels, can also be used to mitigate IPv4
traffic and IPv6 traffic that does not have MPLS labels.
n A TMS appliance pops all of the MPLS labels. It does not pop just the label that was
added to divert the traffic for mitigation.
Configuring a BGP session to have labeled unicast BGP capabilities

For Sightline to be able to announce a labeled unicast route to a monitored provider edge
router, the BGP session that Sightline has with the router must have labeled unicast BGP
capabilities.
To configure a BGP session to have labeled unicast BGP capabilities:

1. Log in to the Sightline leader appliance's CLI using your administrator user name and
password.
3. To enable the labeled unicast BGP capability, enter / services sp router edit
router_name bgp capabilities labeled_unicast enable
router_name = the name of the router
This command configures this setting for the primary BGP session. You can replace
bgp with bgp2 to configure this setting for the secondary BGP session.
Setting an MPLS label and an IPv4 next hop on a TMS appliance

To set an MPLS label and IPv4 next hop on a TMS appliance:
password.
2. To view your appliances, enter / services sp device edit ?
3. Enter / services sp device edit tms_name labeled_unicast mpls_label
set mpls_label
tms_name = the name of the TMS appliance
mpls_label = the MPLS label that you want to set on the TMS appliance
Encapsulated IPv6 traffic that is to be mitigated is diverted to TMS appliances that
have this label set. The accepted format for an MPLS label is 0x???? (for example,
0xfeed or 0x1234).
4. Enter / services sp device edit tms_name nexthop set next_hop
next_hop = the IPv4 diversion next hop address of the TMS appliance
Encapsulated IPv6 traffic that is to be mitigated is sent to the IPv4 address that is
encoded as an IPv4-mapped IPv6 address in the route announcemnt that
Sightline sends.

Enabling a TMS port to process MPLS labels

To enable a TMS port to process MPLS labels:
password.
2. To view your TMS ports, enter / service sp device edit tms_name [physical_
ports | logical_ports] show commands
3. Enter / service sp device edit tms_name [physical_ports | logical_
ports] edit port_name mpls_label enable
port_name = the name of the TMS port
Important TMS appliance settings when using 6PE

When you use 6PE to divert and mitigate traffic, a TMS appliance that is configured to
mitigate this traffic must have specific settings selected on the Deployment and Patch
Panel tabs. The following table lists these settings with the required selection:
Tab Setting Setting selection

Deployment Deployment Type list Diversion
Capabilities list Advanced
Forwarding Mode list Patch Panel
Patch Panel Peer from System list Sightline
Diversion Method options BGP
Default IPv4 Diversion (optional) If you want the

Nexthop settings appliance to mitigate IPv4 traffic,
select Other and specify the IPv4
address of an existing interface on
the TMS appliance.
Default IPv6 Diversion (optional) If you want the

Nexthop settings appliance to also be able to
mitigate IPv6 traffic without using
6PE, select Other and specify the
IPv6 address of an existing
interface on the TMS appliance.
BGP Peering Sessions box A BGP peering session of a router

that has been configured to
handle labeled unicast traffic.
IPv6 Nexthop box in the An IPv6 next hop that is

Interfaces section appropriate for the mitigated
traffic.

For more information about the settings on the Deployment and Patch Panel tabs, see
"Configuring Deployment Settings for a TMS Appliance, TMS-ISA, or Cisco ASR 9000 vDDoS
Protection" and "Configuring Patch Panel Settings for a TMS Appliance or Cisco ASR 9000
vDDoS Protection" in the Sightline and Threat Mitigation System User Guide .

Configuring Custom Blackhole Nexthop Templates

In addition to the default blackhole nexthop template values that Sightline uses to inject
blackhole routes, which you can set on the Edit Blackhole Nexthop Template Values page
(Administration > Mitigation > Blackhole Nexthops ), you can use the CLI to add
custom blackhole nexthop templates. When using the CLI, you can add templates one at a
time and in bulk.
Displaying a list of all custom templates

To display a list of all custom blackhole nexthop templates stored in the system:
2. Enter services sp mitigation nexthop custom show
Adding custom templates in bulk

To add custom blackhole nexthop templates in bulk:
1. Prepare a file that contains a comma-separated list of blackhole nexthop templates.
The acceptable file format is:
label,IP_address
Keep the following in mind when preparing the list of blackhole nexthop templates:
l You can include spaces and commas in the label if you wrap the label in quotation
marks.
l You cannot use the same label more than once in the list.
l You can use the same IP address multiple times in the list.
l IP address can be IPv4 or IPv6.
2. Copy the file that contains the blackhole nexthop templates to your leader or backup
leader appliance and store it in the following directory: /base/store/files/filename
filename = the name of the file that contains the blackhole nexthop templates
4. Enter services sp mitigation nexthop custom import disk:filename
filename = the name of the disk file that contains the blackhole nexthop
templates, for example, nexthop.csv
Important
When you add custom templates in bulk, any custom templates already stored in the
system will be deleted and replaced with the content of the disk file.
Adding a single custom template

To add a custom blackhole nexthop template:
2. Enter services sp mitigation nexthop custom {ipv4 | ipv6} add label ip
IP_address
{ipv4 | ipv6} = the IP version of the blackhole nexthop
label = the label that appears in the Sightline web UI

IP_address = the IP address of the blackhole nexthop

Deleting a single custom template

To delete a custom blackhole nexthop template:
2. Enter services sp mitigation nexthop custom {ipv4 | ipv6} delete label
label = the label of the custom blackhole nexthop template you want to delete
Deleting all custom templates

To delete all custom blackhole nexthop templates:
2. Enter services sp mitigation nexthop custom clear

Chapter 12
Configuring Reports
This section describes CLI commands that you can use to configure report settings.
In this section
Disabling and Enabling Transit Traffic and Transit Research Reporting 210
Overriding the Default Number of Items Listed in a Report Data Table 212

Disabling and Enabling Transit Traffic and Transit Research

Reporting
You can disable the transit traffic reporting feature and the transit research reporting tools
in the CLI so that the BGP transit reports and the transit research tool reports do not
appear in the web UI. When you disable or enable transit traffic reporting, the Peering
Traffic Exchange tools and the Traffic Engineering tools are also disabled or enabled.
When you disable or enable transit research reporting, the Transit Research tools are
disabled or enabled.
Note
These reports are enabled by default. You can disable and enable them with the CLI only
on the leader appliance.
References:
n For more information about transit traffic reports, see “Additional information about
the BGP Attributes (Transit) filter” in the Sightline and Threat Mitigation System User
Guide .
n For more information about transit research tools, see “About the Transit Research
Tools” in the Sightline and Threat Mitigation System User Guide .
n For more information about the Peering Traffic Exchange tools, see “About the Peering
Traffic Exchange Tools” in the Sightline and Threat Mitigation System User Guide .
n For more information about the Traffic Engineering tools, see “About the Traffic
Engineering Tools” in the Sightline and Threat Mitigation System User Guide .
About BGP transit reporting

The standard BGP attribute reports provide visibility into one direction for traffic entering
and leaving your network's peering edge. More specifically, these reports provide details
about the BGP attributes (origin AS, peer AS, transit ASNs, nexthops, and communities) for
the source route when traffic is entering your network and for the destination route when
the traffic is leaving your network.
The BGP transit reports report on BGP attributes associated with the “other” side of the
traffic not included in the standard BGP attribute reports. More specifically, these reports
provide details about the BGP attributes for the destination route when traffic is entering
your network and for the source route when traffic is leaving your network.
Disabling transit traffic reporting

To disable transit traffic reporting:
password.
2. Enter / services sp model transit disable
3. To commit the setting to the appliance, enter config write
Tip
You can use the show command to view the current setting.

Chapter 12 Configuring Reports
Enabling transit traffic reporting

To enable transit traffic reporting:
password.
2. Enter / services sp model transit enable
Tip
About transit research reporting

You can use the Transit Research tools to view detailed source and destination data about
the traffic that transits your network to help you determine whether you should establish
direct peering relationships.
Disabling transit research reporting

To disable transit research reporting:
password.
2. Enter / services sp model transit_research disable
Tip
Enabling transit research reporting

To enable transit research reporting:
password.
2. Enter / services sp model transit_research enable
Tip

Overriding the Default Number of Items Listed in a Report

Data Table
By default, most Sightline reports show the top 100 items that match a report’s selection
criteria in the data table. The reports that show this default number include the Explore
Traffic page and most time-series data reports under the Reports menu. You can
override the default to be a number between 1 and 1000. The list of exempted reports is
included below.
Note
This setting is not applied if you explicitly set the limit in the XML of an edited or custom
report.
List of exempt reports

The following reports are not affected by this override command:
n ATLAS reports
n IPv6 reports (except IPv6 Applications Compare Report and IPv6 Customer or Peer TCP
or UDP reports)
n Dashboard reports
n Top Talkers reports
n Raw Flows reports
n Peering tools reports
n Customer traffic engineering tools reports (source or destination analysis)
n Profile Transit Research reports
n TMS DNS reports (FQDN and RDN)
n Services HTTP reports
Overriding the default number of report data table items

To override the default number of items included in a report data table:
1. Log in to the leader appliance’s CLI by using an administrator name and password.
2. Enter / services sp preferences traffic2_default_items set number
number = a value between 1 and 1000
Note
You must log out and log back into the web UI to see the updated value in your reports.
Reverting back to the system default

To clear the override number you set and revert back to the system default of 100 items in
a report data table:
2. Enter / services sp preferences traffic2_default_items clear
Note
You must log out and log back in to the web UI to see the updated value in your reports.

Chapter 13
Monitoring the System
This section describes CLI commands and other information for monitoring the state of
your Sightline and TMS deployment.
In this section
Configuring Alert Management Software 214

Enabling and Disabling System Alert Notifications 218
Sightline Syslog Output Format BNF 221
Configuring Syslog to Send the Sightline Appliance Log Messages to a Remote
Host 229
Configuring Syslog to Send the TMS Appliance Log Messages to a Remote Host 231
Configuring Limits for Appliance Metrics 232

Configuring Alert Management Software

You can use an SNMP-based network management system (or console) to monitor the
health of your Sightline appliances.
For information on the SNMP OIDs used by Sightline to poll routers, see “SNMP public
OIDs that Sightline uses to poll routers” on page 282 .
Note
You can download up-to-date MIBs from the Sightline web UI on the SNMP tab of the
Configure Network Services page (Administration > System Maintenance >
Network Services).
For information on downloading a MIB file, see "Configuring Network Services" in the
SNMP OIDs used by management systems to poll Sightline appliances

Management systems use the following SNMP OIDs to poll Sightline appliances:
SNMP OIDs used to poll Sightline appliances
SNMP OID Object Name

.1.3.6.1.2.1.1.1.0 sysDescr
.1.3.6.1.2.1.1.2.0 sysObjectID
.1.3.6.1.2.1.1.3.0 sysUptime
.1.3.6.1.2.1.1.4.0 sysContact
.1.3.6.1.2.1.1.5.0 sysName
.1.3.6.1.2.1.1.6.0 sysLocation
.1.3.6.1.2.1.1.7.0 sysServices
.1.3.6.1.4.1.9694.1.4.2.1.1.0 deviceCpuLoadAvg1min
.1.3.6.1.4.1.9694.1.4.2.1.4.0 deviceDiskUsage
.1.3.6.1.4.1.9694.1.4.2.1.5.0 devicePhysicalMemory
.1.3.6.1.4.1.9694.1.4.2.1.6.0 devicePhysicalMemoryInUse
.1.3.6.1.4.1.9694.1.4.2.1.7.0 devicePhysicalMemoryUsage
.1.3.6.1.4.1.9694.1.4.2.1.8.0 deviceSwapSpace
.1.3.6.1.4.1.9694.1.4.2.1.9.0 deviceSwapSpaceInUse
.1.3.6.1.4.1.9694.1.4.2.1.10.0 deviceSwapSpaceUsage

Chapter 13 Monitoring the System
SNMP OIDs used to poll Sightline appliances (Continued)
SNMP OID Object Name

.1.3.6.1.4.1.9694.1.4.2.1.11.0 deviceTotalFlows (deprecated; use deviceTotalFlowsHC
instead)
.1.3.6.1.4.1.9694.1.4.2.1.12.0 deviceTotalFlowsHC
Note
Sightline also exposes IF-MIB, which provides network interface traffic information. IF-
MIB is defined in RFC-2863. In addition to OIDs in the previous table and IF-MIB, other
OIDs might be exposed by Sightline; however, they are not officially supported.
SNMP OIDs used by management systems to poll TMS appliances

Management systems use the following SNMP OIDs to poll TMS appliances:
SNMP OIDs used to poll TMS appliances
SNMP OID Object

.1.3.6.1.4.1.9694.1.5.2.1.0 tmsHostFault
.1.3.6.1.4.1.9694.1.5.2.2.0 tmsHostUpTime
.1.3.6.1.4.1.9694.1.5.2.3.0 deviceCpuLoadAvg1min
.1.3.6.1.4.1.9694.1.5.2.6.0 deviceDiskUsage
.1.3.6.1.4.1.9694.1.5.2.7.0 devicePhysicalMemoryUsage
.1.3.6.1.4.1.9694.1.5.2.8.0 deviceSwapSpaceUsage
.1.3.6.1.4.1.9694.1.5.2.9.0 tmsTrapString
.1.3.6.1.4.1.9694.1.5.2.10.0 tmsTrapDetail
.1.3.6.1.4.1.9694.1.5.2.11.0 tmsTrapSubhostName
.1.3.6.1.4.1.9694.1.5.2.12.0 tmsTrapComponentName
.1.3.6.1.4.1.9694.1.5.2.13.0 tmsTrapBgpPeer
.1.3.6.1.4.1.9694.1.5.2.14.0 tmsTrapGreSource
.1.3.6.1.4.1.9694.1.5.2.15.0 tmsTrapGreDestination
.1.3.6.1.4.1.9694.1.5.2.16.0 tmsTrapNexthop
.1.3.6.1.4.1.9694.1.5.5.1.1.0 tmsVersion
.1.3.6.1.4.1.9694.1.5.5.1.2.0 tmsLastUpdate
.1.3.6.1.4.1.9694.1.5.5.2.1.0 tmsMitigationLastUpdate

SNMP OIDs used to poll TMS appliances (Continued)
SNMP OID Object

.1.3.6.1.4.1.9694.1.5.5.2.2.0 tmsMitigationNumber
.1.3.6.1.4.1.9694.1.5.5.2.3.0 tmsMitigationTable
.1.3.6.1.4.1.9694.1.5.5.2.3.1.1.0 tmsMitigationIndex
This is an entry of the tmsMitigationTable.
.1.3.6.1.4.1.9694.1.5.5.2.3.1.2.0 tmsMitigationId
.1.3.6.1.4.1.9694.1.5.5.2.3.1.3.0 tmsDestinationPrefix
.1.3.6.1.4.1.9694.1.5.5.2.3.1.4.0 tmsDestinationPrefixMask
.1.3.6.1.4.1.9694.1.5.5.2.3.1.5.0 tmsMitigationName
Note
Sightline also exposes IF-MIB, which provides network interface traffic information. IF-
MIB is defined in RFC-2863. In addition to OIDs in the preceding table and IF-MIB, other
OIDs might be exposed by Sightline; however, they are not officially supported.
SNMP OID traps used by management systems

SNMP OID traps send information to the management system in response to a traffic
event (instead of when polled).
SNMP OID traps used by management systems
SNMP OID Object

.1.3.6.1.4.1.9694.1.5.3.0.1.0 hostFault
.1.3.6.1.4.1.9694.1.5.3.0.2.0 greTunnelDown
.1.3.6.1.4.1.9694.1.5.3.0.3.0 greTunnelUp
.1.3.6.1.4.1.9694.1.5.3.0.4.0 tmsLinkUp
This is obsolete. TMS now sends IF-MIB::linkUp
instead.
.1.3.6.1.4.1.9694.1.5.3.0.5.0 tmsLinkDown
This is obsolete. TMS now sends IF-MIB::linkDown
instead.
.1.3.6.1.4.1.9694.1.5.3.0.6.0 subHostUp
.1.3.6.1.4.1.9694.1.5.3.0.7.0 subHostDown
.1.3.6.1.4.1.9694.1.5.3.0.8.0 tmsBgpNeighborDown

SNMP OID traps used by management systems (Continued)
SNMP OID Object

.1.3.6.1.4.1.9694.1.5.3.0.9.0 tmsBgpNeighborUp
.1.3.6.1.4.1.9694.1.5.3.0.10.0 tmsNexthopDown
.1.3.6.1.4.1.9694.1.5.3.0.11.0 tmsNexthopUp
.1.3.6.1.4.1.9694.1.5.3.0.12.0 tmsMitigationError
.1.3.6.1.4.1.9694.1.5.3.0.13.0 tmsMitigationSuspended
.1.3.6.1.4.1.9694.1.5.3.0.14.0 tmsMitigationRunning
.1.3.6.1.4.1.9694.1.5.3.0.15.0 tmsConfigMissing
.1.3.6.1.4.1.9694.1.5.3.0.16.0 tmsConfigError
.1.3.6.1.4.1.9694.1.5.3.0.17.0 tmsConfigOk
.1.3.6.1.4.1.9694.1.5.3.0.18.0 tmsHwDeviceDown
.1.3.6.1.4.1.9694.1.5.3.0.19.0 tmsHwDeviceUp
.1.3.6.1.4.1.9694.1.5.3.0.20.0 tmsHwSensorCritical
.1.3.6.1.4.1.9694.1.5.3.0.21.0 tmsHwSensorOk
.1.3.6.1.4.1.9694.1.5.3.0.22.0 tmsSwComponentDown
.1.3.6.1.4.1.9694.1.5.3.0.23.0 tmsSwComponentUp
.1.3.6.1.4.1.9694.1.5.3.0.24.0 tmsSystemStatusCritical
.1.3.6.1.4.1.9694.1.5.3.0.25.0 tmsSystemStatusDegraded
.1.3.6.1.4.1.9694.1.5.3.0.26.0 tmsSystemStatusNominal

Enabling and Disabling System Alert Notifications

System alerts are enabled by default so that you can view them in the web UI. However,
system alert notifications are disabled by default. If you want to receive system alert
notifications, you can enable them in the CLI. You can also disable notifications if you find
that you are receiving too many for a specific alert type.
System alerts
You can enable notifications for the following types of system alerts:
n clock skew
n 15-minute CPU load
n high disk usage
n dropped flows
n high memory usage
n process error
n short-term terrd runtime
Enabling alert notifications

To enable alert notifications:
1. To see the alert types for which you can enable notifications, in the CLI, enter /
services sp alerts system_errors ?
2. To see the current configuration for each type of alert notification, enter show
3. Enter / services sp alerts system_errors alert_type notifications
enable
alert_type = the system alert type that you want to enable
5. Configure the thresholds for system alerts and the default notification group in the
web UI.
References:
n For information about configuring the thresholds for system alerts, see “Configuring
Sightline System Monitoring Alerts” in the Sightline and Threat Mitigation System User
Guide .
n For information about setting the default notification group to receive the system alert
notifications, see “Configuring Global Notification Settings for Alerts” in the
Example: enabling notification for dropped flows alerts

The following example shows how to enable notifications for dropped flows alerts:
admin@mariner:/# services sp alerts system_errors ?
clock_skew/ Configure clock skew alerts
cpu_load/ Configure 15-minute CPU load alerts
disk_space/ Configure high disk usage alerts
dropped_flows/ Configure dropped flows alerts
mem_usage/ Configure high memory usage alerts

process_errors/ Configure process error alerts

show Show system alert configuration
terrd_runtime/ Configure short-term terrd runtime alerts
admin@mariner:/# services sp alerts system_errors show
Device system error alert settings:
Process error alerts:
Alert: enabled
Notifications: disabled
CPU 15-minute load alerts:
Alert: enabled
Threshold: 5
Disk space alerts:
Alert: enabled
Notifications: enabled
Threshold: 70%
Dropped flows alerts:
Alert: enabled
Threshold: 300
Memory usage alerts:
Alert: enabled
Threshold: 70%
Short-term terrd alerts:
Alert: enabled
Threshold: 1100 seconds
System clock skew alerts:
Alert: enabled
Threshold: 90 seconds
admin@mariner:/# services sp alerts system_errors dropped_flows
notifications enable
Disabling alert notifications

To disable alert notifications:
1. To see the alert types for which you can disable notifications, in the CLI, enter /
services sp alerts system_errors ?
2. Enter show alert_type notifications disable

alert_type = the system alert type that you want to disable.


Sightline Syslog Output Format BNF

You can use the Sightline SNMP and Remote Syslog output to integrate with external
management systems.
Note
In the DoS alert formats described below, the third section is specific to DoS Profiled
Router, the fourth section is specific to DoS Host, and the fifth section is specific to DoS
Profiled Network.
Output format
I. Conventions
The syslog format is described in pseudo BNF.
/* This is a comment */
INTEGER = whole number eg 10
FLOAT = decimal number eg 10.25
DATE = YYYY-mm-dd HH:MM:SS +-ZZZZ /* ISO 8601: 1970-01-01 00:00:00 +0000 */
LOCAL_DATE = YYYY-mm-dd HH:MM:SS LOCAL_TZ
SECONDS = count of seconds
IP = IP address eg 10.0.1.1
CIDR = prefix in cidr notation eg 10.0.1.0/24
TEXT = non whitespace characters
MESSAGE = TEXT + possible whitespace
NAME = TEXT + possible whitespace
USERNAME = TEXT
APPLICATION_NAME = TEXT + possible whitespace
FAMILY = customer | profile | peer | vpn | vpnsite | worm
SERVICE_ELEMENT = jitter | loss | bps | pps
UNIT_KMG = bps | pps | Kbps | Kpps | Mbps | Mpps | Gbps | Gpps
USAGE_TYPE = high | low
ROUTER_TYPE = Edge | Core
LICENSE_ROUTER = ROUTER_TYPE routers
LICENSE_RESOURCE = LICENSE_ROUTER
DIRECTION = incoming | outgoing
II. Common Syslog Message format
/*
* Top-level definition
*/
syslog_msg = msg_header msg_body
/*
* msg_header description
*/
msg_header = <priority>date tag:
/* msg_header fields */

priority = INTEGER /* logical OR of facility and severity */

date = mmm dd HH:MM:SS /* Jan 01 00:00:00 - no year */
tag = [pfsp] /* process description - no PID */
The remainder of this document describes the message bodies for different
syslog message types.
III. Description of DoS Profiled Router Alert syslog msg_body
/*
* dos profiled router msg_body description
*/
msg_body = anomaly anomaly_type id INTEGER status status_type
severity INTEGER classification classification_type
impact “FLOAT UNIT_KMG/FLOAT UNIT_KMG” detail_body
/* anomaly_body fields */
anomaly_type = NONE | AH | Bandwidth | ESP | GRE | ICMP | ICMPv6 |
Multi Protocol | TCP | UDP
status_type = ongoing | done
classification_type = low | medium | high /* 1=low, 3=medium, 5=high */
impact “FLOAT UNIT_KMG/FLOAT UNIT_KMG” /* 10.34 Mbps/10.34 Kpps */
/* detail_body description */
detail_body = resource_body | router_body*
/*
* For DoS profiled router syslog messages, there will be one message
* containing a resource body, followed by a message containing a router body
* for each input and output interface in the alert.
*
* A source or destination CIDR of 0.0.0.0/0 means N/A. Only a source or a
* destination is valid, not both.
*/
/* resource_body description */
resource_body = ipVer ip_version src CIDR TEXT dst CIDR TEXT start DATE
duration SECONDS percent FLOAT rate FLOAT rateUnit rateUnit_type
protocol protocol_type flags flags_type url TEXT,
(managed object "managed_object_name"),
(parent managed object "parent_name"), (Router "router_name"),
(Interface "interface_name")
/* resource_body fields */
ip_version = 4 | 6
rateUnit_type = bps | pps /* eg Mbps, Kpps */
protocol_type = proto | multi-protocol | nil
proto = tcp | udp | gre | esp | ... /* IP protocol name */
flags_type = [SAFRPUEW] | nil /* tcp flags */
parent_name = name | nil /* nil if managed object isn't a child. */

/* router_body description */
router_body = [router CIDR router_name TEXT] interface INTEGER
interface_name "TEXT" DIRECTION
IV. Description of DoS Host Alert syslog msg_body
/*
* dos host alert msg_body description
*/
msg_body = Host Detection alert #INTEGER, start_detail | stop_detail
/*
* start_detail description. Sent with all notifications that an alert has
* started.
*/
start_detail = start LOCAL_DATE, duration SECONDS, direction DIRECTION,
host IP, signatures (signature+),
impact FLOAT UNIT_KMG/FLOAT UNIT_KMG, importance INTEGER,
managed_objects ("managed_object_name"),
(parent managed object "parent_name")
/*
* stop_detail description. Sent with all notifications that an alert has
* stopped.
*/
stop_detail = start LOCAL_DATE, duration SECONDS, stop LOCAL_DATE,
importance INTEGER, managed_objects ("managed_object_name"),
is now done, (parent managed object "parent name")
/* start_detail and stop_detail fields */
signature = <unknown> | ICMP | IP Fragmentation | IPv4 Protocol 0 | IP
Private |
TCP NULL | TCP SYN | TCP RST | Total Traffic | DNS | UDP
impact FLOAT UNIT_KMG/FLOAT UNIT_KMG /* 10.34 Mbps/10.34 Kpps */
V. Description of DoS Profiled Network syslog msg_body
/*
* dos profiled network msg_body description
*/
msg_body = Profiled Network alert #INTEGER, start_detail | stop_detail
/*
* start_detail description. Sent with all notifications that an alert has
* started.
*/
start_detail = start LOCAL_DATE, duration INTEGER, direction DIRECTION,
managed object "NAME", countries "COUNTRY_CODES",
importance INTEGER, expected FLOAT UNIT_KMG/INTEGER UNIT_KMG,
observed FLOAT UNIT_KMG/INTEGER UNIT_KMG,

impact FLOAT UNIT_KMG/INTEGER UNIT_KMG,

(parent managed object "NAME")
/*
* stop_detail description. Sent with all notifications that an alert has
* stopped.
*/
stop_detail = start LOCAL_DATE, duration SECONDS, stop LOCAL_DATE,
direction DIRECTION, managed object NAME,
countries "COUNTRY_CODES", importance INTEGER,
impact FLOAT UNIT_KMG/FLOAT UNIT_KMG is now done,
(parent managed object "nil")
/* start_detail and stop_detail fields */
country_codes = XX,XX... /* eg, US,CA... */
VI. Other Syslog message bodies
/*
* Other types of syslog messages and their corresponding msg_body
definitions
*/
/* Autoclassification restart */
msg_body = Autoclassification was restarted on DATE by NAME
/* BGP Trap */
msg_body = BGP Trap "NAME": Prefix CIDR TRAP_TYPE; Timestamp: LOCAL_
DATE; Old BGP attributes: BGP_ATTR; New BGP attributes: BGP_ATTR
TRAP_TYPE = down | up | change
/* BGP Down start */
msg_body = BGP down for router NAME session NAME, leader NAME since LOCAL_
DATE
/* BGP Down end */
msg_body = BGP restored for router NAME session NAME, leader NAME at LOCAL_
DATE
/* BGP Instability */
msg_body = BGP instability router NAME threshold INTEGER (updates/5
min.) observed INTEGER (updates/5 min.) started at LOCAL_DATE with
Alert ID: ALERT_ID
/* BGP Instability End */
msg_body = BGP Instability for router NAME ended at LOCAL_DATE with
Alert ID: ALERT_ID
/* Configuration Change */
msg_body = The configuration was changed on leader NAME to version
FLOAT by NAME/USERNAME at LOCAL_DATE
/* Device Down */
msg_body = SP/TMS device NAME unreachable by NAME since LOCAL_DATE
/* Device Up */
msg_body = SP/TMS device NAME reachable again by NAME at LOCAL_DATE

/* Flow Down */
msg_body = Flow down for router NAME, leader NAME since LOCAL_DATE
/* Flow Restored */
msg_body = Flow restored for router NAME, leader NAME at LOCAL_DATE
/* Hardware Failure Alert start */
msg_body = Hardware failure on NAME since LOCAL_DATE: TEXT
/* Hardware Failure Alert Done */
msg_body = Hardware failure on NAME done at LOCAL_DATE: TEXT
/* Interface Usage Alert start */
msg_body = USAGE_TYPE interface usage alert #INTEGER started at LOCAL_
DATE for router NAME interface "NAME" speed FLOAT Mbps threshold INT%
observed FLOAT Mbps pct FLOAT%
/* Interface Usage Alert Done */
msg_body = USAGE_TYPE interface usage alert #INTERGER ended at LOCAL_
DATE for router NAME interface "NAME"
/* License Alert Start */
msg_body = License Alert: LICENSE_RESOURCE (INTEGER) exceeds the
licensed limit of INTEGER, alert id: INTEGER
/* License Alert Done */
msg_body = License alert ended at LOCAL_DATE: LICENSE_RESOURCE
(INTEGER) exceeds the licensed limit of INTEGER, alert id: INTEGER
/* Managed Object Threshold */
msg_body = USAGE_TYPE usage alert #INTEGER for FAMILY NAME threshold
INTEGER UNIT_KMG observed FLOAT UNIT_KMG, (parent managed object "NAME")
/* Managed Object Threshold Done */
msg_body = USAGE_TYPE usage alert #INTEGER for FAMILY NAME done,
/* SNMP Down */
msg_body = SNMP down for router NAME, leader NAME since LOCAL_DATE
/* SNMP Up */
msg_body = SNMP restored for router NAME, leader NAME at LOCAL_DATE
/* BGP Hijack */
msg_body = BGP Hijack local_prefix CIDR router NAME bgp_prefix CIDR
bgp_attributes BGP_ATTR started: LOCAL_DATE
/* BGP Hijack Done */
msg_body = BGP Hijack for prefix CIDR router NAME done at LOCAL_DATE
/* Fingerprint Threshold */
msg_body = USAGE_TYPE usage alert #INTEGER for fingerprint NAME
threshold INTEGER UNIT_KMG observed INTEGER UNIT_KMG
/* Fingerprint Threshold Done */
msg_body = USAGE_TYPE usage alert #INTEGER for fingerprint NAME done
/* GRE Down */
msg_body = GRE tunnel NAME (IP > IP) down for destination IP, leader
NAME since LOCAL_DATE

/* GRE Down Done */

msg_body = GRE tunnel NAME (IP > IP) restored for destination IP,
leader NAME at LOCAL_DATE
/* TMS Fault */
msg_body = TMS 'TEXT' fault for resource 'TEXT' on TMS NAME (alert #INTEGER)
/* TMS Fault */
msg_body = TMS 'TEXT' fault for resource 'TEXT' on TMS NAME cleared
(alert #INTEGER)
/* Service Threshold */
msg_body = USAGE_TYPE SERVICE_ELEMENT usage alert INTEGER for service
NAME, APPLICATION_NAME threshold FLOAT UNIT_KMG observed FLOAT UNIT_KMG
/* Service Threshold Done */
msg_body = USAGE_TYPE SERVICE_ELEMENT alert INTEGER for service NAME done
/* TMS mitigation start */
msg_body = TMS mitigation NAME started at DATE, leader NAME
/* Third party mitigation start */
msg_body = Third party mitigation NAME started at LOCAL_DATE, leader NAME
/* Blackhole mitigation start */
msg_body = Blackhole mitigation NAME started at LOCAL_DATE, leader NAME
/* Flowspec mitigation start */
msg_body = Flowspec mitigation NAME started at LOCAL_DATE, leader NAME
/* Routing failover start */
msg_body = Routing failover alert #INTEGER, start LOCAL_DATE, duration
INTEGER, device NAME
/* Routing failover interface start */
msg_body = Routing failover interface alert #INTEGER, start LOCAL_DATE,
duration INTEGER, device NAME, interface list NAME
/* Routing failover interface end */
msg_body = Routing failover interface alert #INTEGER on NAME is now
done. started at LOCAL_DATE, ended at LOCAL_DATE, duration INTEGER
/* Cloud Signal Fault */
msg_body = Cloud signaling fault 'MESSAGE', "NAME" from appliance
"NAME" (alert #INTEGER)
/* Cloud Signal Fault Done */
msg_body = Cloud signaling fault 'MESSAGE', "NAME" from appliance
"NAME" cleared (alert #INTEGER)
/* Coud Signal Mit Request start */
msg_body = Cloud signaling mitigation request alert #INTEGER, start
LOCAL_DATE for managed object "NAME" from Pravail ID "NAME", (parent
managed object "NAME")
/* Coud Signal Mit Request Done */
msg_body = Cloud signaling mitigation request alert #INTEGER, start
LOCAL_DATE, stop LOCAL_DATE for managed object NAME is now done,

/* Traffic Triggered auto-mitigation start */

msg_body = Traffic-triggered auto-mitigation alert #INTEGER, start
LOCAL_DATE for managed object "NAME", (parent managed object "NAME")
/* Traffic Triggered auto-mitigation done */
msg_body = Traffic-triggered auto-mitigation alert #INTEGER, start
LOCAL_DATE, stop LOCAL_DATE for managed object NAME is now done,
/* DNS baseline start */
msg_body = DNS baseline alert on NAME for 'NAME' since LOCAL_DATE:
expected INTEGER observed INTEGER
/* DNS baseline done */
msg_body = DNS baseline alert on NAME for 'NAME' done at LOCAL_DATE:
observed mean INTEGER, observed max INTEGER
/* interface classification restart */
msg_body = Interface classification was started on NAME by USERNAME at
LOCAL_DATE
/* TMS mitigation stop */
msg_body = TMS mitigation NAME stopped at LOCAL_DATE, leader NAME
/* Third party mitigation stop */
msg_body = Third party mitigation NAME stopped at LOCAL_DATE, leader NAME
/* Blackhole mitigation stop */
msg_body = Blackhole mitigation NAME stopped at LOCAL_DATE, leader NAME
/* Flowspec mitigation stop */
msg_body = Flowspec mitigation NAME stopped at LOCAL_DATE, leader NAME
/* Alert script run */
msg_body = Alert script NAME ran at LOCAL_DATE, leader NAME
/* Device Error Core Dump */
msg_body = Process error in (NAME.INTEGER) detected for device: NAME at
LOCAL_DATE, alert id: INTEGER
/* Device Error System Load start */
msg_body = High 15 minute CPU load average: FLOAT detected for device:
NAME, alert id: INTEGER
/* Device Error System Load done */
msg_body = High system load alert ended for device: NAME at LOCAL_DATE,
alert id: INTEGER
/* Device Error disk space start */
msg_body = High disk space utilization: INTEGER% detected for device:
NAME, alert id: INTEGER
/* Device Error disk space done */
msg_body = High disk utilization alert ended for device: NAME at LOCAL_
DATE, alert id: INTEGER
/* Device Error terrd runtime start */
msg_body = High short-term database runtime: SECONDS seconds for
device: NAME, alert id: INTEGER

/* Device Error terrd runtime done */

msg_body = High short-term database runtime alert ended for device:
NAME at LOCAL_DATE, alert id: INTEGER
/* Device Error dropped flows start */
msg_body = Dropped flows detected: INTEGER flows for device: NAME,
alert id: INTEGER
/* Device Error dropped flows done */
msg_body = Flow stability alert ended for device: NAME at LOCAL_DATE,
alert id: INTEGER
/* Device error memory usage start */
msg_body = High system memory utilization: INTEGER% for device: NAME,
alert: id INTEGER
/* Device error memory usage done */
msg_body = High memory usage alert ended for device: NAME at LOCAL_
/* Device error clock skew start */
msg_body = System clock skew detected: SECONDS seconds for device:
NAME, alert: id INTEGER
/* Device error clock skew done */
msg_body = System clock skew alert ended for device: NAME at LOCAL_
BGP_ATTR =
ASPATH|ORIGIN|NEXTHOP|LOCALPREF|MED|COMMUNITY|ATOMICAGG|AGGREGATOR|ORIG
INATOR|CLUSTER
NEXTHOP = CIDR | none
ORIGIN = IGP | EGP | INCOMPLETE | AGGREGATE
ATOMICAGG = AG | ""
AGGREGATOR = ASX CIDR | "NULL"
ASX = "AS".INTEGER (e.g. AS253)
CLUSTER = CIDR[ CIDR[ CIDR...]]]
(note: BGP_ATTR definition is an exact string -- | characters are field
delimiters)
/* Examples */
|IGP|192.122.182.102|100|0|237:900||NULL|204.39.192.29|198.108.89.145
198.110.131.145 (null aspath)
2914 8011|IGP|206.223.119.12|110|1|237:2 237:1300 2914:410||NULL||

Configuring Syslog to Send the Sightline Appliance Log

Messages to a Remote Host
By default, syslog stores its logs on the local Sightline appliance. You can configure the
Sightline appliance to have syslog send the log messages to a remote host.
To configure these settings on a TMS appliance, see “Configuring Syslog to Send the TMS
Appliance Log Messages to a Remote Host” on page 231 .
Determining if the log messages are sent to a remote host

To determine if syslog is sending the log messages to a remote host:
password.
2. Enter / services sp notification groups edit notification_group show
notification_group = the notification group for which you want to determine if
syslog is sending its log messages to a remote host
Information about the notification group is displayed, including information about
whether or not it is sending syslog information to a remote host. If syslog is not
sending the log messages to a remote host, the remote host value will be blank. If
syslog is sending the log messages to a remote host, it will display the name of the
remote host.
Sending the log messages to a remote host

To configure syslog to send the log messages to a remote host:
password.
2. Enter / services sp notification groups edit notification_group
syslog
notification_group = the notification group whose syslog messages you want
to send to a remote host
3. To set the destination, enter destination set ip_address
ip_address = the IPv4 address of the remote host where you want syslog to
send the log messages
Note
To send the syslog messages to multiple remote hosts, enter the IPv4 address of
each remote host, separated by commas.
4. To view a list of available facility levels, enter facility set ?
5. To set the facility level, enter facility set facility_level
facility_level = the name of the facility level that you configured on the
remote host for the syslog messages
The syslog messages that match the notification group will be sent to the remote
host with this facility level. If you do not set the facility level, it will default to the
facility level of daemon.
6. To view a list of available security levels, enter security set ?

7. To set the severity level, enter severity set severity_level

severity_level = the name of the severity level that you configured on the
remote host for the syslog messages
The syslog messages that match the notification group will be sent to the remote
host with this severity level. If you do not set the severity level, it will default to
severity level of warning.
8. To set the port, enter port set port_number
port_number = the port number that you configured on the remote host for the
syslog messages
If you do not set the port, it will default to port 514.
Stopping the sending of the log messages to a remote host

To stop syslog from sending the log messages to a remote host:
password.
2. Enter / services sp notification groups edit notification_group
syslog destination clear
notification_group = the notification group whose syslog messages you want
to stop sending to a remote host

Configuring Syslog to Send the TMS Appliance Log Messages

to a Remote Host
By default, syslog stores its logs on the local TMS appliance. You can configure the TMS
appliance to have syslog send the log messages to a remote host.
To configure these settings on an Sightline appliance, see “Configuring Syslog to Send the
Sightline Appliance Log Messages to a Remote Host” on page 229 .
Determining if the log messages are sent to a remote host

To determine if syslog is sending the log messages to a remote host:
2. Enter / services logging remote
If syslog is not sending the log messages to a remote host, it will display none as the
remote host. If syslog is sending the log messages to a remote host, it will display the
name of the remote host.
Sending the log messages to a remote host

To configure syslog to send the log messages to a remote host:
2. Enter / services logging remote set host_name
host_name = the name of the host where you want syslog to send the log
messages
Stopping the sending of the log messages to a remote host

To stop syslog from sending the log messages to a remote host:
2. Enter / services logging remote clear

Configuring Limits for Appliance Metrics

Five of the health metrics that appear on the Per Appliance Metrics and Metric
Comparison tabs of the Appliance Monitoring page (System > Status > Appliance
Monitoring ) have limits that are configured by default. You can use the CLI to change any
of these default limits and to set a limit for any of the other metrics. When you configure a
limit for a metric, you configure it for a specific appliance, and you must use an integer for
the limit. For information about the default limits, see "About the Metric Comparison Tab
on the Appliance Monitoring Page" in the Sightline and Threat Mitigation System User
Guide .
The configured limit appears as a dashed line on the graph of the metric for that
appliance. This dashed line represents what is considered to be the maximum amount of
usage that should be seen for that appliance for that metric. This line makes it easy to see
when a metric is approaching its limit.
The System-Wide and Appliance Limits document lists the enforced and guideline limits
for NETSCOUT® Arbor appliances. In this document, only the limits that are followed by
an asterisk are appliance metrics that appear on the Appliance Monitoring page. Before
configuring a limit for an appliance metric, consult this document to see if it includes limits
for that metric. You can access this document at https://support.arbornetworks.com/.
To configure a limit for an appliance metric

To configure a limit for an appliance metric:
password.
2. To configure the limit, enter / services sp device edit appliance_name
metrics metric_label limit set limit
appliance_name = the name of the appliance whose metric limit you want to
configure
metric_label = the label for the metric whose limit you want to configure
limit = the number at which you want to set the limit for the metric
For a list of the metric labels, see “Appliance metric labels” on the facing page.
3. To display the configured limit, enter / services sp device edit appliance_
name metrics metric_label show
To clear a limit for an appliance metric

To clear a limit for an appliance metric:
1. Log in to the Sightline leader appliance’s CLI using the adminishtrator user name and
password.
2. To clear the configured limit, enter / services sp device edit appliance_name
metrics metric_label limit clear
appliance_name = the name of the appliance whose metric limit you want to
clear

metric_label = the label for the metric whose limit you want to clear
For a list of the metric labels, see “Appliance metric labels” below.
3. To commit the clearing of the limit of an appliance metric, enter config write
Appliance metric labels

The following table lists the different metrics with their metric label. For a description of
each of the metrics, see "Viewing General Appliance Statistics" in the Sightline and Threat
Metric labels with recommended and enforced limits
Appliance Metric Metric Label

Active users pi_active_users
BGP messages received per second bgp_messages_received_per_second
BGP peering sessions (Established) bgp_peering_sessions_established
BGP peering sessions configured bgp_peering_sessions_configured
BGP routes bgp_routes
CPU load cpu_load
Disk (data partition) used % disk_data_partition_used_percent
DoS alert refine jobs dos_alert_refine_jobs
Flow (ArborFlow) bps sent flow_arborflow_bps_sent
Flow (ArborFlow) pps sent flow_arborflow_pps_sent
Flow (Total) bps received flow_total_bps _received
Flow (Total) pps received flow_total_pps_received
Flows (ArborFlow) dropped per 5 flows_arborflow_dropped_per_5_minutes

minutes
Flows (ArborFlow) received per second flows_arborflow_received_per_second
Flows (ArborFlow) sent per second flows_arborflow_sent_per_second
Flows (Core) processed per second flows_core_processed_per_second
Flows (Core) received per second flows_core_received_per_second
Flows (Edge) processed per second flows_edge_processed_per_second
Flows (Edge) received per second flows_edge_received_per_second
Flows (Total) dropped per 5 minutes flows_total_dropped_per_five_minutes
Flows (Total) processed per second flows_total_processed_per_second
Flows (Total) received per second flows_total_received_per_second

Metric labels with recommended and enforced limits (Continued)

Interfaces in flow per 5 minutes interfaces_in_flow_per_five_minutes
Interfaces total interfaces_total
Interfaces with detailed statistics tracked Interfaces_with_detailed_statistics_tracked
IPv4 traffic received (bps) bps_in_ipv4
IPv4 traffic received (pps) pps_in_ipv4
IPv6 traffic received (bps) bps_in_ipv6
IPv6 traffic received (pps) pps_in_ipv6
Items tracked per 5 minutes items_tracked_per_five_minutes
Items tracked per day items_tracked_per_day
Managed objects matched in/out per managed_objects_matched_in_out_per_second

second
Managed objects matched per flow managed_objects_matched_per_flow
Managed objects matched per second managed_objects_matched_per_second
Managed objects with data stored managed_objects_with_data_stored
Memory used % memory_used_percent
Packets dropped per second packets_dropped_per_second
Packets received per second packets_received_per_second
Page views page_views
Routers configured routers_configured
Routers configured for SNMP polling routers_configured_for_snmp_polling
Routers responding to SNMP polling routers_responding_to_snmp_polling
Routers sending flow routers_sending_flow
TMS devices configured to send tms_devices_configured_to_send_arborflow

ArborFlow
TMS devices managed tms_devices_managed
TMS devices sending ArborFlow tms_devices_sending _arborflow
TMS ongoing mitigations tms_ongoing_mitigations
Traffic database bytes read (short-term) traffic_database_bytes_read_short_term
Traffic database bytes written (short- traffic_database_bytes_written_short_term

term)

Metric labels with recommended and enforced limits (Continued)

Traffic database files (short-term) traffic_database_files_short_term
Traffic database run time (long-term) traffic_database_runtime_long_term
Traffic database run time (short-term ) traffic_database_runtime_short_term
Traffic database write duration(s) traffic_database_write_duration
Virtual memory used % virtual_memory_used_percent


Chapter 14
System Maintenance
This section describes CLI commands and other information for maintaining your
Sightline deployment.
In this section
Viewing Available Disk Space 238

About High Availability Configuration 239
Configuring Scheduled Backups of Individual Appliances 242
Manually Switching to the Backup Leader Appliance 244
Recovering After a Failover 245
Setting a Timestamp Suffix 247

Viewing Available Disk Space

You can view the available disk space on an Sightline appliance. This helps with capacity
planning and anticipating possible problems with appliance performance.
Disk space partitions

Disk space is divided into three partitions:
n boot
n data
n system
The data partitions can reach capacity, depending on your system’s logging and traffic
monitoring parameters. If your system is close to capacity, contact your NETSCOUT®
Arbor Consulting Engineer.
Viewing available disk space on an Sightline appliance

To view the available disk space on an Sightline appliance:
password.
2. Enter / system disks show
Example
The following example shows how to view the disk space on the mariner1 appliance.
admin@mariner1:/# / system disks show
Filesystem status:
Filesystem Size/Used Inodes/Used
boot 1011M/438M (43%) 132059/35 (0%)
data 264G/794M (0%) 71235850/30452 (0%)
system 3.9G/687M (17%) 515941/19865 (4%)
RAID volume 0,0 status:
Controller status:
Controller Memory: 64 Mbytes
Battery State: Ok
Controller Software: 5.2-0 (Build #xxxx)
Volume status:
Type: Mirror, Size: 279GB, Task: None
Disk Vendor Model Firmware
0:00:0 SEAGATE ST3300007LC 0005
0:01:0 SEAGATE ST3300007LC 0005
admin@mariner1:/system/disks#

Chapter 14 System Maintenance
About High Availability Configuration

Introduction
To implement a high availability system, your Sightline deployment must include at least
two Sightline appliances that have the user interface role. One appliance must be
configured as the leader and the other must be configured as the backup leader.
When you configure high availability, Sightline automatically synchronizes data (in real-
time) between the leader appliance and all Sightline appliances in the deployment that
have the user interface role. You can configure the backup leader to take over
automatically if the leader has been out of contact for a specified time period with minimal
data loss. Alternatively, you can manually initiate the failover to the backup leader.
Note
With flexible licensing on a physical appliance, you must upload the flexible license to
both the leader appliance and the backup leader appliance. You can upload the flexible
license to the leader appliance on the Deployment Status page (System > Status >
Deployment Status). To upload the flexible license to the backup leader, you must use
the CLI. See "Uploading a Flexible License" in the Sightline and Threat Mitigation System
User Guide.
Note
With cloud-based flexible licensing, you configure the leader so that it has access to the
license server and the backup leader automatically receives the URL configuration that it
needs to access the license server. See Sightline and Threat Mitigation System Licensing
Guide at https://support.arbornetworks.com.
Synchronization
The system automatically synchronizes the following information between the leader and
the backup leader (and any other appliances that have the user interface role in your
deployment):
n alert data
n mitigation data
n configuration and configuration history
n interface classification and interface history
Tip
To see this in the web UI, navigate to the Interface Configuration History page
(Administration > Monitoring > Interface Configuration History ).
n custom menus (“skins”)
n custom XML report templates
Important
If you convert the leader appliance to flexible license mode, you must also convert the
backup leader to flexible license mode. For information about uploading a flexible
license to your deployment, see "Uploading a Flexible License" in the Sightline and
Threat Mitigation System User Guide.
Reports and high availability

Scheduled reports and manual reports are run on all appliances in your deployment that

have the user interface role; however, the results from a manual report can only be viewed
on the appliance on which it was run. When a failover occurs, scheduled reports appear
on the backup appliance, but any manual reports run on the original leader do not. Also,
the results of scheduled reports that are created before a backup appliance is added to
your deployment do not appear on the backup appliance. To avoid losing report data, you
can back up your reports using the standard backup process.
You can only perform manual backups on the leader appliance that has the user interface
role.
For instructions about the standard backup process, see “Managing System Backups” in
the Sightline and Threat Mitigation System User Guide .
Deployment requirements
To implement a high availability failover system, your deployment should meet the
following criteria:
n The leader should have a reasonable automatic DoS alert deletion policy configured.
This limits the amount of data that the system must back up.
n The data connection between the leader and the backup leader should be at least 100
Mbps.
About the failover process

When you configure a high availability system, the backup leader receives frequent
heartbeats from the leader. If the backup leader does not receive a heartbeat from the
leader for an amount of time equal to or greater than the failover timeout, then it
automatically initiates the failover process. Alternatively, you can manually initiate a
failover. See “Manually Switching to the Backup Leader Appliance” on page 244.
When a failover occurs, the backup leader performs the following steps:
1. It removes the failed leader from the system configuration. It does this to prevent the
failed leader from recovering and attempting to operate in conflict with the new
leader.
2. It automatically reconfigures itself as the leader of the deployment and reconfigures
all other appliances to recognize it as the new leader.
3. It restarts Sightline services on itself and assumes operation as the leader, with all of
the previously synchronized data from the failed leader.
This does not require a system reboot.
Configuring high availability on an appliance that has the user interface role
You configure the high availability settings on the High Availability tab of an appliance
that has the user interface role. You designate the appliance as a backup leader. You then
specify the number of minutes that you want the backup leader to wait after losing contact
with the leader before it takes over as the leader. If you don’t specify the number of
minutes, the automated failover is disabled.
See “Configuring High Availability Settings” in the Sightline and Threat Mitigation System
User Guide .
Manually switching to the backup leader

If you do not include automatic failover in your high availability configuration or if you

want to switch to the failover leader before the designated failover time, you can manually
switch to the backup leader appliance.
See “Manually Switching to the Backup Leader Appliance” on page 244.
Identifying a failover
The way to identify that a failover occurred depends on how you are using the system at
the time of failover as follows:
Failover indications
Appliance used Indications that a failover occurred

Leader (web UI) You can no longer reach the web UI and most reports stop
working.
In the event that the web UI is reachable, the Appliance Status
page shows that all of the appliances are down.
Backup leader The backup leader stops Sightline services briefly to reconfigure
itself as the leader. For a few minutes, you cannot log in to its web
UI.
Other appliances Pages either time out or are slow to load when the leader fails and
that have the user the backup leader takes over as the leader. The time frame for this
interface role is a few minutes for the actual failover plus the amount of time that
you set for an automatic failover timeout. The original leader is
automatically removed from your deployment, so it does not
appear in the Appliances list in the web UI.
Appliances that do The backup leader sends you an email that informs you that the
not have the user configuration has changed due to a failover.
interface role You only receive an email if you are part of the default notification
group.
Configuration process overview

To configure a high availability failover system:
1. Install the following appliances and add them to your deployment:
l a leader appliance that has the user interface role
l a non-leader appliance that has the user interface role (to server as the backup
leader)
See the Sightline Quick Start Cards for more information.
2. Designate the backup leader.
You can only designate one appliance in your deployment as the backup leader. You
configure a appliance as the backup leader through the web UI.
See “Configuring high availability on an appliance that has the user interface role” on
the previous page.

Configuring Scheduled Backups of Individual Appliances

You can use the CLI to add or delete recurring full and incremental backups of individual
Sightline appliances. When you configure an appliance with its own full or incremental
backup schedule, that appliance is exempted from any corresponding global full or
incremental backup schedule, respectively.
You can view the status of backups on the Manage Backups page (Administration >
System Maintenance > Backups > Backup Status tab) in the web UI.
Adding scheduled backups of an appliance

To add scheduled backups of an individual appliance:
2. Enter / services sp backup schedule appliance set {full | incremental}
time {dom | dow} integer_list URL password
appliance = the appliance on which you want to schedule a backup
{full | incremental} = Enter full if you want to configure full backups, or
enter incremental if you want to configure incremental backups.
time = the time (in hh:mm format) when you want the backup to occur
{dom | dow} = Enter dom if you want backups to occur on certain days of the
month, or enter dow if you want backups to occur on certain days of the week.
integer_list = the appropriate integers, separated by commas, for the days of
the month (1-31) or week (0-6) on which you want backups to occur (0 represents
Sunday)
URL = the URL to the remote host on which you want to store the backup
password = the password required to access the remote host
Deleting the backup schedule for an appliance

To delete the backup schedule for an appliance:
2. Enter / services sp backup schedule appliance clear {full | incremental}
appliance = the appliance on which you want to delete a backup schedule
{full | incremental} = Enter full if you want to delete a full backup schedule,
or enter incremental if you want to delete an incremental backup schedule.
The appliance is now included in any configured global full or incremental backup
schedule.
Viewing the backup schedule for an appliance

To view the backup schedule for an appliance:
2. Enter / services sp backup schedule appliance show
appliance = the appliance whose backup schedule you want to view
Example: viewing the backup schedule for an appliance

The following is an example of viewing the backup schedule for an appliance:

admin@mariner:/# / services sp backup schedule leader_appliance show

Backup Schedule for leader_appliance
Full Backup:
Export URL: scp://user@server/path/
Backup Time: 1:22
Schedule Interval: Monthly
Scheduled Days of the Month: 1,15
Incremental Backups:
Export URL: scp://user@server/path/
Backup Time: 2:33
Schedule Interval: Weekly
Scheduled Days of the Week: 0

Manually Switching to the Backup Leader Appliance

If you have not configured automatic failover or if you want to switch to the backup leader
before the designated failover time, you can manually switch to the backup leader.
Note
You should manually switch to the backup leader only when the leader is offline. If the
leader is online when you manually switch to the backup leader, a warning message
appears.
Switching manually to the backup leader

To manually switch to the backup leader:
1. Log in to the backup leader’s CLI using the administrator user name and password.
2. Enter / services sp backup failover activate
3. To confirm, enter y
Note
It may take a few minutes for the new configuration to propagate to all the other
appliances in your deployment.
Example
The following example shows how to manually switch to a backup leader:
admin@mariner1:/# / services sp backup failover activate
Are you sure? [n] y

Recovering After a Failover

When a failover occurs, Sightline deletes the failed leader from the system configuration.
To maintain high availability functionality, you can either configure the failed leader as the
new backup leader or you can configure it to be the leader again.
For additional information about configuring high availability with a VM leader and VM
backup leader, see Sightline Virtual Machine Installation Guide at
https://support.arbornetworks.com/.
Recovering after a failover

To recover after a failover and restore the failed leader to be the backup leader:
1. Log in to the new leader’s web UI to add the failed leader back to your deployment as
a backup leader. For information about an appliance that has the user interface role,
see “About the User Interface Role” in the Sightline and Threat Mitigation System User
Guide .
2. Log in to the failed leader’s CLI to begin configuring it as the new backup leader.
4. Add the failed leader back into the deployment.
For more information about adding Sightline appliances, see the Sightline Quick Start
Cards.
5. Enter / services sp bootstrap nonleader IP_address zone_secret role
IP_address = IP address of the new leader appliance
for the Flow Sensor appliance, and pi for the user interface role. The Flow Sensor
appliance is only applicable with appliance-based licensing.
Note
With appliance-based licensing, the different types of Sightline appliances have fixed
roles. For information on the relationships between appliance types and appliance
roles, see "Introduction to Sightline Appliances" in the Sightline and Threat Mitigation
System User Guide .
6. To delete the existing Alert and Mitigation database, enter y
7. To confirm the initialization and activate the appliance, enter y
8. To start services on the original leader appliance, enter / services sp start
Sightline synchronizes all data between the appliances, and the failed leader appliance
resumes functionality as the new backup leader.
Note
Reconfigure any appliance specific configurations (for example: SSL certificates,
HTTPS access rules, high availability settings, RADIUS and TACACS+ settings, and
appliance specific users).
Restoring a failed leader to become the leader again

To restore a failed leader to become the leader again:

1. Follow the instructions in “Recovering after a failover” on the previous page for
recovering after a failover.
Wait until the appliance status message in the web UI no longer indicates that the
backup leader (the failed leader) is unsynchronized with the new leader.
2. Follow the instructions in “Manually Switching to the Backup Leader Appliance” on
page 244 to initiate failover to the backup leader (the failed leader in Step 1).
The leader fails, and the backup leader (the original failed leader) becomes the new
leader.
3. Follow the instructions in “Recovering after a failover” on the previous page to
configure the manually failed leader to become the new backup leader.

Setting a Timestamp Suffix

You can define the timestamp format in the CLI so that when you export backups, the files
are all saved in the same preferred format.
This feature is available on any Sightline appliance with a web UI.
To perform all other backup tasks, navigate to the Manage Backups page in the web UI
(Administration > System Maintenance > Backups ).
Supported timestamp formats

The information in the following table is from the
http://php.net/manual/en/function.strftime.php web site:
Supported timestamp formats
Format
Element String Description
Day
%a An abbreviated textual representation of the day.
%A A full textual representation of the day.
%d Two-digit day of the month (with leading zeros).
%j Day of the year; three digits with leading zeros.
%u ISO-8601 numeric representation of the day of the

week.
%w Numeric representation of the day of the week.
Week
%U Week number of the given year, starting with the

first Sunday as the first week.
%V ISO-8601:1988 week number of the given year,

starting with the first week of the year with at least
four weekdays, with Monday being the start of the
week.
%W A numeric representation of the week of the year,

starting with the first Monday as the first week.
Month
%b Abbreviated month name, based on the locale.
%B Full month name, based on the locale.
%h Abbreviated month name, based on the locale (an

alias of %b).
%m Two-digit representation of the month.

Supported timestamp formats (Continued)
Format
Element String Description
Year
%C Two-digit representation of the century (year

divided by 100, truncated to an integer).
%g Two-digit representation of the year going by ISO-

8601:1988 standards (see %V).
%G The full four-digit version of %g.
%y Two-digit representation of the year.
%Y Four-digit representation for the year.
Time
%H Two-digit representation of the hour in 24-hour

format.
%l Two-digit representation of the hour in 12-hour

format.
%l (lower-case Hour in 12-hour format, with a space preceding

“L”) single digits.
%M Two-digit representation of the minute.
%p Upper case “AM” or “PM” based on the given time.
%P lower case “am” or “pm” based on the given time.
%R Same as "%H:%M."
%S Two-digit representation of the second.
%T Same as "%H:%M:%S."
%X Preferred time representation based on locale,

without the date.
%z Either the time zone offset from UTC or the

abbreviation (depends on operating system).
%Z The time zone offset/abbreviation option NOT

given by %z (depends on operating system).
Time and Data
%F Same as "%Y-%m-%d" (commonly used in

database datestamps).
%s Unix Epoch Time timestamp (same as the time()

function).

Setting a timestamp format

To set the timestamp format:
2. Enter / services sp backup remote filename set format
format = the timestamp format
Examples
The following are examples of common timestamp formats:
Example 1
Example 1 shows the following format: %d for the two-digit day of the month, hyphen, %m
for the two-digit month, hyphen, and %Y for the four-digit year.
admin@mariner1:/# services sp backup remote filename set %d-%m-%Y
Date format set. Example: mariner1-backup-16-04-2009-level0.tar
Example 2
Example 2 shows the following format: %Y for the four-digit year, hyphen, %m for the two-
digit month, hyphen, %d for the two-digit day, hyphen, %H for the hour in 24-hour format,
colon, %M for the minutes, colon, and %S for the seconds.
admin@mariner1:/# services sp backup remote filename set
%Y-%m-%d-%H:%M:%S
Date format set. Example: mariner1-backup-2009-04-16-14:10:34-level0.tar
Example 3
Example 3 shows the following format: %b for the three-character month, %d for the two-
digit day, underscore, and %Y for the four-digit year.
admin@mariner1:/# services sp backup remote filename set %b%d_%Y
Date format set. Example: mariner1-backup-Apr16_2009-level0.tar
Example 4
Example 4 shows the following format: % m for the two-digit month, %d for the two-digit
day, and %Y for the four-digit year (2009)
admin@mariner1:/# services sp backup remote filename set %m%d%Y
Date format set. Example: mariner1-backup-04162009-level0.tar


Appendixes

Appendix A
Configuring Flowspec Routers for Traffic
Mitigation
Introduction
Flowspec is a BGP-based IETF standard for exchanging flexible firewall and ACL rules. You
can use routers and switches that support flowspec to integrate with Sightline and mitigate
DoS and DDoS attacks and other anomalous traffic on your network.
The procedures in this section describe Juniper routers; however, the procedures to
configure other brands of routers are similar. For more information about configuring
other flowspec routers, please see the documentation for your router.
In this section
Configuring a Juniper Router to Mitigate Traffic 254

Testing Flow Specification Mitigation 256

Configuring a Juniper Router to Mitigate Traffic

Follow the procedures in this section to configure a Juniper router to use flowspec as a
traffic mitigation option.
Note
Verify that the router you are configuring is flowspec capable. If you are configuring a
Juniper router, it must utilize JunOS version 7.3 or later.
Note
To implement Flowspec ACLs, the Flow Specification capability must be enabled for a
router on the BGP tab of the Add/Edit Router page in the web UI. See "Configuring Router
BGP Settings" in the Sightline and Threat Mitigation System User Guide .
For more information on enabling a flow specification mitigation in the Sightline web UI,
see “Mitigating Using Flow Specification: A Use Case” in the Sightline and Threat Mitigation
System User Guide .
Configuring a Juniper router to mitigate traffic

To configure a Juniper router to mitigate traffic:
1. Navigate to the router’s CLI.
2. Enter set protocols bgp group group name neighbor collector IP address
family inet flow
group name = an arbitrary string as the name of the Arbor mitigations.
collector IP address = the IP address of the Sightline appliance monitoring
this router
3. Enter set policy-options policy-statement policy name from neighbor
collector IP address
policy name = an arbitrary string as the name of the mitigation policy
this router
4. Enter set policy-options policy-statement policy name then accept
policy name = the policy name that you chose in the previous step
5. Enter set protocols bgp group group name neighbor collector IP address
inet flow no-validate policy name
group name = the group name that you chose in Step 2
this router
policy name = the policy name that you chose in Step 3
Example
The following example shows how to configure the Juniper router with the flowspec group
name set to arborsp, a policy name set to arbor_policy, and the IP address of the
Sightline appliance monitoring this router set to 1.2.3.4:
mx240> set protocols bgp group arborsp neighbor 1.2.3.4 family inet
flow
mx240> set policy-options policy-statement arbor_policy from neighbor
1.2.3.4

Appendix A Configuring Flowspec Routers for Traffic Mitigation
mx240> set policy-options policy-statement arbor_policy then accept

mx240> set protocols bgp group arborsp neighbor 1.2.3.4 family inet
flow no-validate arbor_policy

Testing Flow Specification Mitigation

Once you have added flowspec routers in the Sightline web UI and enabled flowspec
filtering on the routers, you can test them to see if they are implementing filters properly.
Testing flowspec router mitigation

To test your flowspec router mitigation:
2. Enter show route flow validation detail
A list of IP addresses representing hosts that are configured to implement filters
appears.
3. Verify that the IP address of the managing Sightline appliance is listed.
4. Log in to the Sightline web UI with an administrative account.
5. Optionally, generate some test traffic to be filtered using third party tools on your
network.
6. Navigate to the Flow Specifications page (Mitigation > Flow Specification).
7. Click Add Flow Specification.
8. Type a unique mitigation name for this test mitigation in the Name box.
9. Type a brief description for this test mitigation in the Description box.
10. Click the Announcement tab.
11. Click Select Routers to open the Router Selection Wizard.
12. Select the router you are testing in the Available Choices pane, and then click the
down arrow to move them to the Selected pane.
13. Click Select.
14. If you generated test traffic, go to Step 15; otherwise, go to Step 16.
15. Click Filter and enter the traffic parameters that match the test traffic you are
generating.
16. Click Save.
17. Select the check box next to the mitigation you just added.
18. Click Start.
20. Enter show firewall filter mitigation name
mitigation name = the name for the test mitigation
The system displays the filter as well as the bytes and packets (if any) that it filters.
Example: Viewing routes

The following example shows how to view the routes and confirm that the Sightline
appliance’s IP address is listed:
m5> show route flow validation detail
inet.0:
0.0.0.0/0
Internal node: no match, consistent, next-as: 0
Active unicast route

Appendix A Configuring Flowspec Routers for Traffic Mitigation
Dependent flow destinations: 1

Origin: 10.0.2.1, Neighbor AS: 0
1.2.3.4/32
Flow destination (1 entries, 0 match origin)
Unicast best match: 0.0.0.0/0
Example: Viewing mitigations

The following example shows how to view the mitigations and verify that a test mitigation
is present on the router and determine if it is filtering traffic:
m5> show firewall filter __dynamic_default_inet__
Filter: __dynamic_default_inet__
Counters:
Name Bytes Packets
192.168.50.54,192.168.50.38 0 0


Appendix A
Configuring Flow and SNMP on Routers
Introduction
This section contains the instructions for configuring your routers and switches to
generate and forward flow and send SNMP information to your Sightline appliances.
In this section
About Configuring Flow Sources 260

Configuring Cisco IOS Routers to Send NetFlow to Sightline 261
Configuring Juniper Routers to Send Flow Monitoring to Sightline 265
Configuring Foundry, Alaxala, and Force10 Devices to Send sFlow to Sightline 271
Configuring Alcatel 7750 Routers to Send cFlowd Data to Sightline 277
Configuring SNMP on the Alcatel 7750 Router 280
Supported SNMP Polling with Alcatel 7750 Router 281
Configuring Routers to Send SNMP Information to Sightline 282

About Configuring Flow Sources

Configuring flow sources allows you to see how traffic is routed on your network. For
instance, you can see where various connections happen on your network and view the
traffic that travels over various switches or routers. You can search by and view the
utilization of a specific router or interface, which can help with capacity planning. You can
also create reports on the Reports pages that include this data.
Router and interface limits

The following factors limit the number of flow sources that you can configure:
n the Sightline appliance monitoring the flow source
n the total number of flows in your deployment

n the amount of traffic
To view current values for supported router interfaces and flow sources, see the Sightline
Release Notes.

Appendix A Configuring Flow and SNMP on Routers
Configuring Cisco IOS Routers to Send NetFlow to Sightline

You can configure your Cisco IOS routers to forward NetFlow to your Sightline appliances.
Supported NetFlow versions

Sightline appliances support NetFlow versions 1, 5, 7, and 9.
For more information about supported NetFlow versions, see the Sightline Release Notes.
Versions used in NetFlow examples

Unless otherwise noted, the examples included in NetFlow examples are for Cisco IOS
Version 12.0(16)S running on a Cisco 12000 Series GSR (Gigabit Switch Router).
Configuring NetFlow settings

To configure NetFlow settings:
1. Log in to the router (through Telnet, console, etc.)
2. Enter enable
3. To authorize editing, at the password prompt, enter the router’s “enable” password
4. To enter configuration mode, enter configure
5. To set the version number, enter ip flow-export version number
If you are configuring appliances that export version 7, then you must configure the
appliance to include the source and destination IP address and ports in the flow
mask.
6. (Optional) To set the sampling rate of the NetFlow from the router, enter ip flow-
sampling-mode packet-interval sampling_rate
Example: configuring NetFlow settings

The following example shows how to log in to the router, set the NetFlow version to 5, and
set the sampling rate to one in 1,000 packets:
$ telnet gsr1
Trying 10.0.1.1...
Connected to gsr1.
Escape character is '^]'.
GSR-1>enable
Password:
GSR-1#configure
Configuring from terminal, memory, or network [terminal]?
enter configuration commands, one per line. End with CNTL/Z.
GSR-1(config)#ip flow-export version 5
GSR-1(config)#ip flow-sampling-mode packet-interval 1000
GSR-1(config)#

Enabling NetFlow on interfaces

To enable NetFlow on certain interfaces:
1. Enter interface interface_name
2. Choose one of the following:
l If you are using sampled NetFlow, enter ip route-cache flow sampled
l If you are using unsampled NetFlow, enter ip route-cache flow
3. Enter exit
4. Repeat Step 1 through Step 3 for each interface that sees inbound traffic.
Example: Enabling NetFlow

The following example shows how to enable NetFlow on Packet Over SONET (POS)
interface 0/0:
GSR-1(config)#interface POS 0/0
GSR-1(config-if)#ip route-cache flow sampled
GSR-1(config-if)#exit
GSR-1(config)#
Enabling NetFlow on selected subinterfaces

To enable NetFlow on subinterfaces:
n In interface or subinterface configuration mode, enter ip flow ingress
Example: Enabling NetFlow on selected subinterfaces

The following example shows how to configure NetFlow on the Gigabit Ethernet
subinterface 1/1.0:
GSR-1 (config)#interface GigabitEthernet1/1.0
GSR-1 (config-subif)# ip flow ingress
About the export IP address

NetFlow is sent out of an interface on the router. The IP address assigned to that interface
is the source IP for all NetFlow packets. This is the export IP address you should configure
in the Sightline interface.
Viewing and configuring the export IP address

To view and configure the NetFlow export IP address:
1. Enter show interfaces FastEthernet interface_name | include Internet
address
The configured IP address appears.
2. To enter configuration mode, enter configure
3. At the prompt, enter the mode of configuration (memory, network, etc.)
Note
If you are configuring from a terminal, you only need to press ENTER at the prompt.
4. Enter ip flow-export source interface_name
5. Press CTRL-Z.

Example: Exporting IP configuration

The following example shows how to export NetFlow on FastEthernet interface 1/1, with
an IP address of 192.168.10.1:
GSR-1#show interfaces FastEthernet 1/1 | include Internet address
Internet address is 192.168.10.1/24
GSR-1#configure
Configuring from terminal, memory, or network [terminal]? terminal
enter configuration commands, one per line. End with CNTL/Z.
GSR-1(config)#ip flow-export source FastEthernet 1/1
Setting the destination IP address

You must specify the appliance’s IP address as the NetFlow destination. You can use any
port; however, if you tee NetFlow from the appliance to another destination, then you
must enter an appropriate UDP port for that destination.
To set the destination IP address:

n Enter ip flow-export destination IP_address port
Setting the active flow timeout

Active flows are ejected from the NetFlow cache after a default period of 30 minutes. If you
do not update this value, it is possible that an attacker can hide attack traffic within a very
small number of extremely long-lived flows. To prevent this, we recommend that you set
the active flow timeout to one minute, which should not affect router performance.
To set the active flow timeout:

n Enter ip flow-cache timeout active timeout
timeout = the timeout value in minutes
Example: setting the destination IP address and flow timeout

The following example shows how to set the destination IP to 192.168.10.11, port 5000
and the active flow timeout setting to one minute:
GSR-1(config)# ip flow-export destination 192.168.10.11 5000
GSR-1(config)# ip flow-cache timeout active 1
Enabling NetFlow on your Sightline appliances

After you configure your routers to forward NetFlow to an Sightline appliance, you must
configure that appliance to receive the flow data.
For these instructions, see the topic "Configuring Appliance Settings for an Sightline
Appliance" in the Sightline and Threat Mitigation System User Guide .
Example: configuring NetFlow on a Cisco switch

The following example shows how to configure unsampled Cisco Catalyst on a switch
running version 12.1(13)E or later:
mls aging long 64
mls flow ip interface-full
mls nde sender version 5 (or 9)

ip flow-export source <Interface>

ip flow-export version 5
ip flow-export destination <IP address> <port number>
interface <Interface>
ip route-cache flow
Example: configuring a Cisco router

The following example shows how to configure an unsampled Cisco router:
ip flow-export source <Interface>
ip flow-export version 5
ip flow-export destination <IP address> <port number>
ip flow-cache timeout active 1
interface <Interface>
ip route-cache flow

Configuring Juniper Routers to Send Flow Monitoring to

Sightline
You can configure your Juniper routers to forward flow monitoring data to your Sightline
appliances.
About Sightline and JunOS integration

Juniper denotes its flow monitoring features as cFlowd, J-Flow, flow monitoring, and
sometimes other terminology. All of these describe flow data that is exported by Juniper
devices in a Netflow-compatible format that can be used by Sightline.
The Juniper architecture exports flow monitoring records that summarize the traffic that
matches a configured sampling filter, or all traffic if sampling is configured directly for an
interface instead of as a filter. The matching traffic is sampled at the configured sampling
rate. Properly configuring flow monitoring is critical for optimal Sightline performance, so
use the information in this topic to familiarize yourself with how these systems integrate.
About Juniper traffic sampling

Juniper traffic sampling allows you to sample a fixed percentage of packet headers from all
or some traffic passing through a Juniper router; it is not intended to capture all received
packets.
See your router documentation to determine whether your router supports this feature.
Supported versions
Juniper supports Netflow-compatible flow monitoring functionality on all M series, T series,
TX matrix, J series, and MX series routers, as well as on SRX-series gateways. The JUNOS
software version needed to support flow monitoring will depend on the specific Juniper
hardware and desired flow monitoring features. When router hardware is released, flow
monitoring support should be available, but it sometimes is not available until several
JUNOS software releases later. It is always best to consult the Juniper release notes for
more information on your specific requirements. EX-series switches support flow
monitoring as of sFlow version 5, and this version is also interoperable with Sightline.
As a general rule, all modern M and T series routers have native RE-based support for flow
version 5. M series and T series routers additionally support optional services PIC modules
that offer better flow monitoring performance, monitoring of MPLS and IPv6 traffic, and
flow version 9. Flow monitoring of MPLS traffic requires JUNOS version 8.3 or later. Flow
monitoring of IPv6 traffic requires JUNOS version 9.3 or later. We recommend JUNOS
version 9.3 or later for all flow version 9 applications due to functionality improvements.
JUNOS version 8.5 is required for flow monitoring on an MX series router using a
Multiservices DPC module. JUNOS version 10.2 is required for inline flow monitoring
without a MS-DPC module. However, because JUNOS version 10.2 without a MS-DPC
module can monitor only a single protocol, an MS-DPC module is required for
multiprotocol monitoring.
J series routers and SRX services gateways support RE-based flow version 5 in JUNOS
versions 7.0 through 10.4. Inline flow monitoring of IPv4 is supported in JUNOS version
10.4 and later for either flow version 5 or flow version 9, although only monitoring of IPv4
is supported.

Recommended sampling rates

Reported traffic rates, at very low sampling rates, are not accurate. As the sampling rate
increases, the reported traffic rates become less accurate. For example, 1/1,000 sampling
is more accurate than 1/1,000,000.
Juniper does not recommend sampling at a rate more frequently than 1/1,000; however,
Arbor has successfully used sampling rates less than 1,000.
Some Juniper routers enforce the active flow timeout parameter. For example, a Juniper
router that is equipped with a Multiservices PIC (MS-PIC) enforces this parameter. For
these routers, we recommend that you set the active flow timeout to one minute, which
should not affect router performance.
For Juniper routers that do not enforce the active flow timeout parameter, it is not
necessary to set active and inactive flow timeouts in JunOS. The sampled packets are
aggregated in one-minute “bins” and flows are always expired at this one-minute interval.
They do not time out or expire based on information in the packet (such as TCP flags).
Because of this, settings like active timeout and inactive timeout do not apply; both are
always one minute.
Sampling configuration commands in JunOS

The following table contains descriptions of many sampling configuration commands:
Sampling configuration command descriptions
Command Description
set forwarding-options Sets a limit on the number of packet headers that
sampling input family inet are sampled per second.
max-packets-per-second Although the maximum allowed value is 65535, the
number system might have a defined hard limit that is lower
than this value. The system-defined hard limit
depends on the type of hardware and software you
use.
set forwarding-options Defines the sampling rate as 1/number (1-in-

sampling input family inet number) of packets. The lower the number, the
rate number larger the percentage of packets sampled.
Important
You must not set this number lower than the
recommended value. If this rate exceeds the max-
packets-per-second or the system’s defined hard
limit, cFlowd output statistics are significantly
under-reported.
set forwarding-options Samples (1+number)/rate packets instead of 1/rate

sampling input family inet packets.
run-length number Important
You must set this value to zero to operate properly
with Sightline.

Sampling configuration command descriptions (Continued)
Command Description
set forwarding-options Sets the IP address of the Sightline appliance that
sampling output cflowd IP_ receives the cFlowd output packets.
address
set forwarding-options Sets the UDP destination port to the port number
sampling output cflowd IP for the Sightline appliance that receives the cFlowd
address port portnumber output packets.
Recommended values are between 2000 and
65535.
set forwarding-options Sets the source as the address of the interface

sampling output cflowd where the flows leave the router.
destination_IP_address Example: If flows are exported out of a Fast
source-address source_IP_ Ethernet port on IP address 1.1.1.1, that is the
address source address.
set forwarding-options Sets the cFlowd output protocol version to the

sampling output cflowd IP_ number you enter.
address version number
Versions for flow monitoring examples

The examples included in the topic use JunOS version 5.5B1.3 on a Juniper M5 Router
unless stated otherwise.
Setting the sampling rate

Select a sampling rate that is appropriate for your traffic load. In addition to the sampling
rate, set the run-length and maximum packets per second (pps) to sample. The run length
of zero indicates that all packets should have an equal probability of being sampled. The
maximum pps rate is set to the largest value allowed to prevent clipping of the sample.
Setting the destination address

You must specify the appliance’s IP address as the cFlowd destination. You can use any
port as the destination. However, if you want to tee the cFlowd stream from the appliance
to another destination, then you must select the appropriate UDP port for that destination.
Example: setting the sampling rate and destination address

The following example shows how to set the sampling to one in 1000 packets (1/1000) and
the destination as port 2055 at IP address 192.168.10.11:
admin@m5# set forwarding-options sampling input family inet rate
1000
admin@m5# set forwarding-options sampling input family inet
run-length 0
admin@m5# set forwarding-options sampling input family inet
max-packets per-second 65535

admin@m5# set forwarding-options sampling output cflowd 192.168.10.11

port 2055
Setting the export IP address

The Juniper router sets the source IP address of the cFlowd packets according to its
internal routing table.
To detect the source address of the cFlowd traffic:

1. Navigate to the Sightline appliance CLI after the configuration is complete.
2. Enter services sp data flow view
Enabling interfaces
You should apply the cFlowd filter to each interface on the router that sees inbound traffic
for your customers.
The following example shows how to enable sampled cFlowd on interface e3/4/1:
admin@m5# set forwarding-options sampling output cflowd 192.168.10.11
version 5
admin@m5# set interfaces e3/4/1 unit 0 family inet sampling
Enabling cFlowd on your Sightline appliances

After you configure your Juniper routers to forward cFlowd packets to your Sightline
appliances, you must enable flow on your appliances so that they can receive the flow
data.
For these instructions, see “Configuring Routers” in the Sightline and Threat Mitigation
System User Guide .
Example: configuring Juniper cFlowd version 9

The following example shows how to configure Juniper cFlowd version 9 on a Juniper
router:
interfaces {
sp-0/0/0 {
unit 0 {
family inet;
family mpls;
}
}
}
forwarding-options {
sampling {
input {
family mpls {
rate 1000;
run-length 0;
max-packets-per-second 7000;

}
}
output {
cflowd 100.10.100.10 {
port 2055;
source-address 100.10.100.15;
version9 {
template {
mpls;
}
}
autonomous-system-type origin;
}
interface sp-0/0/0 {
source-address 100.10.100.15;
}
}
}
}
routing-options {
route-record;
}
protocols {
bgp {
local-as 65400;
group Arbor {
type internal;
local-address 100.10.100.15;
family inet-vpn {
unicast;
}
authentication-key t3lu5labs;
peer-as 65400;
cluster 1.1.1.1;
neighbor 100.10.100.10 {
description ArborFS1-TOROLABFS1;
}
}
}
services {
flow-monitoring {

version9 {
template mpls {
mpls-template {
label-position [ 1 2 3 ];
}
}
}
}
}
snmp {
name TOROLABPE4;
community t3lu5labs {
authorization read-only;
clients {
0.0.0.0/0 restrict;
100.10.100.10/12;
}
}
}

Configuring Foundry, Alaxala, and Force10 Devices to Send

sFlow to Sightline
You can configure your sFlow devices to forward sFlow data to Sightline appliances.
Sightline accepts sFlow versions 2, 4, and 5 from all devices that support sFlow. To monitor
traffic in data networks, the sFlow agent uses sampling technology to capture traffic
information from the device that it monitors. It then uses sFlow datagrams to forward the
sampled traffic information to Sightline for analysis. This results in a thorough, network-
wide view of traffic flows in real time.
To configure your sFlow devices to send flow records to Sightline, you must configure the
agent to forward the flows to an Sightline appliance and then configure the Sightline
appliance to receive them. Configuration instructions vary depending on the type of sFlow
agent that you configure.
sFlow devices
sFlow is a sampled protocol that performs a sampling of flow data and does not forward
every flow across a switch or router to your Sightline appliance. Because of this, Sightline
might not be able to detect or identify security events that require observing every flow.
This topic provides specific configuration instructions for the following router types:
n Foundry
n Alaxala
n Force10
For more information about sFlow devices, see the sFlow organization website at
http://sflow.org.
For more information on a particular type of switch or router, see that router’s product
documentation.
About configuring sFlow on Foundry routers

The following topics cover standard configuration on Foundry switches and provide
examples based on a Foundry FastIron 4802 switch.
Configuring sFlow on Foundry routers

To configure a Foundry router to send sFlow:
1. Log in to the router (through Telnet or SSH).
2. To configure terminal mode so that you can make changes, enter conf t
3. To enable sFlow services on the switch, enter sflow enable
4. To set the version, enter sflow version version
version = the sFlow version number that your router or switch uses
Arbor supports sFlow versions 2, 4, and 5.
5. Enter sflow destination IP_address
IP_address = the Sightline appliance IP address

Tip
You can find the IP address on the Configure Appliances page (Administration >
Appliances) in the Sightline web UI.
6. To enter the configuration mode, enter interface name
name = the name of the interface that you want the switch to use to forward data
to the Sightline appliance
7. To set forwarding for that interface, in the interface menu, enter sflow forwarding
After you configure a Foundry device to send sFlow packets to the Sightline appliance,
it continues forwarding packets until you disable the function.
8. Enter sflow sampling rate
rate = the appropriate sampling rate for the traffic load of your interface
For example, enter 100 if you want the sampling rate of 1 out of every 100 packets.
9. To return to the configuration menu, enter exit
Example: Configuring Foundry sFlow

The following example shows how to configure sFlow settings:
FI4802# conf t
FI4802(config)# sflow enable
FI4802(config)# sflow version 2
FI4802(config)# sflow destination 192.168.1.1
FI4802(config)#interface ethernet 13
FI4802(config-if-e100-13)#sflow forwarding
FI4802(config-if-e100-13)# sflow sampling 100
FI4802(config-if-e100-13)# exit
FI4802(config)#
About optional sFlow settings on Foundry routers

Your sFlow device is configured with default packet size, sampling rate, and polling rate
settings. You can override these settings by entering them manually. The default settings
vary depending on your switch or router. See the product documentation for specific
default settings.
Setting the packet size

You can set the maximum packet size for the sFlow that the switch generates by specifying
the preferred packet size. Smaller packets use more processing power, so you can
increase the packet size to use less resources. Specify any whole number (for the FastIron,
the range is 128 to 1300) to set the maximum packet size.
Setting the switch sampling rate

The switch sampling rate identifies the ratio of packets observed at the data source to the
samples generated. For example, a sampling rate of 100 indicates that, on average, one
sample will be generated for every 100 packets observed on a switch. Select an sFlow
switch sampling rate that is appropriate to your traffic load.
About the switch polling rate

The switch polling rate is the interval between sFlow polls (in seconds).

Example: configuring optional settings

The following example shows how to set the maximum sFlow packet size to 1300, the
switch sampling rate to 200, and the interval to two minutes:
FI4802(config)# sflow max-packet-size 1300
FI4802(config)# sflow sample 200
FI4802(config)# sflow polling-interval 120
About configuring sFlow on Alaxala routers

Configuring sFlow on an Alaxala router is similar to configuring sFlow on a Foundry or
Force10 router.
For more information about configuring sFlow on Alaxala routers, see the Alaxala router
documentation.
Configuring Alaxala routers to send sFlow

To configure an Alaxala router to send sFlow:
2. To enable administrative changes, enter enable
3. Enter the router’s administrative password
4. To enter configuration mode, enter config
5. To enable sFlow export for this router, enter sflow yes
6. To enter sFlow configuration mode, enter sflow
7. Enter set destination IP_address
IP_address = the Sightline appliance IP address
Tip
You can find the IP address on the Configure Appliances page (Administration >
Appliances) in the Sightline web UI.
8. Enter sample rate
rate = the sample rate that is appropriate for the traffic load of your interface
(This value is an integer from 0 to 14, calculated using the formula (2*4^n).)
Example: Enter sample 3 to set the sampling rate to be 1 out of every 128 packets.
This is calculated by the method (2*4^3=128).
9. Enter version version
version = the sFlow version number that you want the switch to use
Currently Arbor supports sFlow versions 2, 4, and 5.
10. To exit the configuration, enter exit
Viewing your Alaxala sFlow configuration

To view your Alaxala sFlow configuration:
n Enter show sflow
Example: configuring Alaxala routers to send sFlow

The following example shows how to configure Alaxala routers to send sFlow:
alaxala# enable

Password
alaxala# config
alaxala(config)# sflow yes
alaxala(config)# sflow
[sflow]
alaxala(config)# set destination 10.0.0.1
[sflow]
alaxala(config)# sample 3
[sflow]
alaxala(config)# version 4
alaxala(config)exit
alaxala(config)# show sflow
sFlow service status: enable
sFlow service version: 4
Progress time from sFlow statistics cleared: 2 day
Received sFlow samples:12444692 Dropped sFlow samples:132300
Collector exported sFlow samples:12444689 Couldn’t exported sFlow
samples:0
Collector IP address: 10.0.2.140 UDP:6343 Source IP address: 10.0.2.3
Send FlowSample UDP packets:2527966 Send failed:0
Send CounterSample UDP packets:1204 Send failed:0
CounterSample interval rate:300
Default configured rate:32 Default actual rate:32
Configured sFlow port: 0/0 - 0/1
About configuring sFlow on Force10 routers

Configuring Force10 routers is similar to configuring other routers, except that Force10
routers only use sFlow version 5.
For more information about configuring sFlow on Force10 routers, see the Force10 router
documentation.

Configuring Force10 routers to send sFlow

To configure a Force10 router to send sFlow:
2. To configure terminal mode so that you can make changes, enter configure
terminal
3. To enable sFlow services on the router, enter sflow enable
4. Enter sflow sample-rate rate
rate = the sample rate that is appropriate for the traffic load of your interface
5. To set the source and destination IP addresses, enter sflow collector
destination_IP_address agent-addr source_IP_address port
destination_IP_address = the Sightline appliance IP address
Tip
You can find the destination IP address on the Configure Appliances page
(Administration > Appliances ) in the Sightline web UI.
source_IP_address = the router’s source IP address
port = the router’s source port
6. To enter the configuration mode for that interface, enter interface interface_
type interface_number
interface_type = the type of interface that you want the switch to use to
forward data to Sightline
interface_number = the number of the interface that you want the switch to use
to forward data to Sightline
7. To set forwarding for that interface, In the interface menu, enter sflow enable
8. To return to the configuration menu, enter exit
Example: configuring Force10 routers to send sFlow

The following example shows how to configure the sFlow settings on a Force10 router:
force10# configure terminal
force10(config)# sflow enable
force10(config-if-e100-13)# sflow sample-rate 1024
force10(config)# sflow collector 192.168.1.1 agent-addr 10.1.1.1 5000
force10(config)# interface GigabitEthernet 4/47
force10(config-if-gi-4/47)#sflow enable
force10(config-if-gi-4/47)# exit
About enabling sFlow on your Sightline appliances

After you configure sFlow to forward packets to your Sightline appliance, you must
configure Sightline to monitor the flow.
sFlow contains an agent address in the payload, which can be an IPv4 or IPv6 address.
Typically, you can set this on the sFlow appliance; however some Foundry switches do not
allow you to set the source IP address of sFlow packets. sFlow looks at the agent address
instead of the source IP address of the sFlow packet when deciding whether or not the
packet came from a configured router. To correct this issue, you can allow many-to-one
mappings of export IP addresses to routers using the Sightline web UI.

See “Configuring Routers” in the Sightline and Threat Mitigation System User Guide .

Configuring Alcatel 7750 Routers to Send cFlowd Data to

Sightline
You can configure your Alcatel 7750 router to send cFlowd data to Sightline.
For detailed information about these configurations, cFlowd, and your router, see the
Alcatel product documentation.
About cFlowd
The Alcatel 7750 router supports cFlowd versions 5 and 8. When the flow cache of the
router exports a flow, the router sends the collected data to an Sightline appliance. The
Sightline appliance retains the historical data flows so that network operators can use the
flows to analyze traffic patterns.
cFlowd configuration commands

The following table contains descriptions of many cFlowd configuration commands:
cFlowd configuration command descriptions
Command Description
configure cflowd Configures the number of minutes that you want the router
active-timeout to retain the current flow before the cache deletes it and a
new flow is created.
configure cflowd Configures the maximum number of active flows to maintain

cache-size in the flow cache table. The no form of this command resets
the number of active entries back to the default value.
configure cflowd Identifies the Sightline appliance used to collect cFlowd data.
collector You must configure the IP address of the flow collector, and
you can optionally configure the UDP port number.
configure cflowd Specifies the number of seconds that must pass without a
inactive-timeout packet matching a flow in order for the flow to be considered
inactive.
configure cflowd Configures the percentage of entries that you want to be

overflow removed from cFlowd cache when the maximum number of
entries is exceeded. The entries removed are the entries that
have not been updated for the longest amount of time.
configure cflowd Specifies the rate at which the router samples traffic and
rate sends it for flow analysis. If you configure the sampling rate as
1, then all packets are sent to the cache. If you configure the
sampling rate as 100, then one in every 100 (1/100) packets is
sent to the cache.
configure cflowd Enables cFlowd sampling.

no shutdown

Enabling cFlowd
To enable cFlowd:
1. Log in to the router (through Telnet or SSH) using your user name and password.
2. Enter configure
3. Enter cflowd no shutdown
Configuring the Sightline appliance on the Alcatel router

To configure the Sightline appliance:
1. Enter collector IP_address
IP_address = the IP address of the Sightline appliance to which you want the
router to send flow
2. Enter aggregation type
type = the aggregation scheme type (as-matrix, destination-prefix, protocol-port,
raw, source-destination-prefix, or source-prefix) that you want the router to
export to Sightline
3. Enter autonomous-sys type
type = the AS origin or peer that you want to configure, based on origination or
external peer AS routes
4. Enter description description
description = a brief description of the Sightline appliance
5. Enter exit
Example: configuring the Sightline appliance cFlowd destination on the Alcatel router
The following example shows how to configure the Sightline appliance cFlowd destination
on an Alcatel 7750 router:
cflowd
rate 1
collector 10.8.2.127
aggregation
raw
exit
description "chrono"
exit
collector 10.8.2.135
aggregation
raw
exit
description "This is the description of the collector."
exit
exit

Enabling cFlowd and traffic sampling on interfaces

To enable cFlowd and traffic sampling on your interfaces:
1. Navigate to the configure router interface menu.
2. Enter the name of the interface on which you want to enable cFlowd.
3. Enter cflowd {acl | interface}.
{acl | interface} = choose whether you want to enable traffic sampling on an
IP filter or an interface
4. Enter exit
Example: enabling cflowd and traffic sampling on interfaces

The following example shows how to enable cflowd on an Alcatel 7750 router to send flow
to an Sightline appliance:
router
interface "net-196-162-40-16/20"
address 196.162.40.16/20
port 1/2/5:822
cflowd interface
exit
Enabling cFlowd on your Sightline appliances

After you configure your Alcatel routers to forward cFlowd packets to your Sightline
appliances, you must enable flow on your appliances so that they can receive the flow
data.
System User Guide .

Configuring SNMP on the Alcatel 7750 Router

Simple Network Management Protocol (SNMP) is an application-layer protocol that
provides a message format to facilitate communication between SNMP managers and
agents. SNMP provides a standard framework to monitor and manage devices in a
network from a central location. This topic describes how to configure SNMP on your
Alcatel 7750 router.
For more information about configuring SNMP on your Alcatel router, see the 7750 SR OS
System Management Guide .
Configuring an SNMP community string

To configure an SNMP community string on your router:
1. Navigate to the configure system security snmp menu.
2. Enter community community_string value
value = one of the following permission values:
l r to allow the community string read-only access to the router’s system
information, except to security information.
l rw to allow the community string read and write access to the router’s system
information, except to security information.
l rwa to allow the community string read and write access to the router’s system
information, including security information.
l mgmt to assign the community string to the management router.
l vpls-mgmt to assign the community string to the management virtual router.
3. Enter version {v1 | v2c | both}
{v1 | v2c | both} = the SNMP version number that you want to use
Alcatel 7750 supports SNMP versions 1 and 2c.
4. Enter exit
Example: SNMP configuration

The following example shows how to configure SNMP:
system
security
snmp
community public r version both
exit
exit
exit
Enabling SNMP in Sightline

After you configure your Alcatel routers with SNMP, you must configure SNMP in Sightline.
System User Guide .
For information on the level of SNMP polling that is supported in Sightline for the Alcatel
7750 router, see “Supported SNMP Polling with Alcatel 7750 Router ” on the facing page.

Supported SNMP Polling with Alcatel 7750 Router

The level of SNMP polling that is supported by Sightline with Alcatel 7750 router depends
on the Alcatel hardware configuration.
Supported SNMP polling on Alcatel 7750 router

The following table describes the possible combinations of Alcatel hardware
configurations and indicates the level of SNMP polling that is supported in Sightline:
Supported SNMP polling for Alcatel hardware configurations
Line Card
OS Version Type Chassis Mode Supported Operation
is 8 or less Any Any Poll standard MIB.
Only the interfaces in virtual
router 1 will have SNMP values.
is ≥ 9 IOM1 or IOM2 A, B, or C Poll standard MIB.

Only the interfaces in virtual
router 1 will have SNMP values.
is ≥ 9 IOM1 or IOM2 D This router configuration is

invalid.
is ≥ 9 IOM3/IMM A, B, or C Poll standard MIB.

IOM3/IMM interfaces will not
populate SNMP values.
is ≥ 9 IOM3/IMM D Poll new virtual router MIB.

All interfaces will have SNMP
values.

Configuring Routers to Send SNMP Information to Sightline

SNMP OIDs are object identifiers for objects in an SNMP MIB (Management Information
Base). Routers that support SNMP polling can use both generic and vendor-specific OIDs
to communicate information to Sightline. This topic describes how to configure routers to
send SNMP information to Sightline.
You may need to change firewall and ACL rules to allow Sightline to poll these OIDs or
reconfigure routers to reply to this information.
SNMP public OIDs that Sightline uses to poll routers

Sightline uses the following SNMP public OIDs to poll routers:
SNMP public OIDs used to poll routers
SNMP OID Object

.1.3.6.1.2.1.1.1 system.sysDescr
.1.3.6.1.2.1.1.2 system.sysObjectID
.1.3.6.1.2.1.2.2.1.1 interfaces.ifTable.ifEntry. ifIndex
.1.3.6.1.2.1.2.2.1.2 interfaces.ifTable.ifEntry.ifDescr
.1.3.6.1.2.1.2.2.1.5 interfaces.ifTable.ifEntry.ifSpeed
.1.3.6.1.2.1.2.2.1.8 interfaces.ifTable.ifEntry.ifOperStatus
.1.3.6.1.2.1.31.1.1.1.1 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName
.1.3.6.1.2.1.31.1.1.1.18 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifAlias
.1.3.6.1.2.1.31.1.1.1.15 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHighSpeed
.1.3.6.1.2.1.31.1.1.1.6 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets
.1.3.6.1.2.1.31.1.1.1.7 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInUcastPkts
.1.3.6.1.2.1.31.1.1.1.8 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInMulticastPkts
.1.3.6.1.2.1.31.1.1.1.9 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInBroadcastPkts
.1.3.6.1.2.1.31.1.1.1.10 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets
.1.3.6.1.2.1.31.1.1.1.11 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutUcastPkts
.1.3.6.1.2.1.31.1.1.1.12 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutMulticastPkts
.1.3.6.1.2.1.31.1.1.1.13 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutBroadcastPkts
.1.3.6.1.2.1.4.20.1.2 ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex
For information on SNMP OIDs that management systems use to poll Sightline appliances,
see “Configuring Alert Management Software” on page 214 .

Low capacity counters

Sightline uses the following SNMP public OIDs to poll routers when the Poll low capacity
counters check box is selected for the router's SNMP settings.
For more information about polling low capacity counters, see Configuring Router SNMP
Settings.
SNMP public OIDs used to poll routers (low capacity counters)
SNMP OID Object
.1.3.6.1.2.1.2.2.1.10 interfaces.ifTable.ifEntry.ifInOctets
.1.3.6.1.2.1.2.2.1.11 interfaces.ifTable.ifEntry.ifInUcastPkts
.1.3.6.1.2.1.2.2.1.16 interfaces.ifTable.ifEntry.ifOutOctets
.1.3.6.1.2.1.2.2.1.17 interfaces.ifTable.ifEntry.ifOutUcastPkts
.1.3.6.1.2.1.31.1.1.1.2 ifMIB. ifMIBObjects.ifXTable.ifXEntry.ifInMulticastPkts
.1.3.6.1.2.1.31.1.1.1.3 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifInBroadcastPkts
.1.3.6.1.2.1.31.1.1.1.4 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifOutMulticastPkts
.1.3.6.1.2.1.31.1.1.1.5 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifOutBroadcastPkts
Vendor-specific SNMP OIDs

Sightline queries the following SNMP vendor-specific OIDs for router health and
performance data:
Vendor-specific SNMP OIDs
SNMP OID Vendor Object

.1.3.6.1.4.1.21839.2.2.2.2.2.1.1.21 Alaxala ax7800sBcuRmMemoryTotalSize
.1.3.6.1.4.1.21839.2.2.2.2.2.1.1.23 Alaxala ax7800sBcuRmMemoryFreeSize
.1.3.6.1.4.1.21839.2.2.2.2.2.1.1.33 Alaxala ax7800sBcuCpCpuLoad1m
.1.3.6.1.4.1.6527.3.1.2.1.1.1 Alcatel sgiCpuUsage
.1.3.6.1.4.1.6527.3.1.2.1.1.2 Alcatel sgiMemoryUsed
.1.3.6.1.4.1.6527.3.1.2.1.1.3 Alcatel sgiMemoryAvailable
.1.3.6.1.4.1.6527.3.1.2.1.1.4 Alcatel sgiMemoryPoolAllocated
.1.3.6.1.4.1.6527.3.1.2.1.1.5 Alcatel sgiSwMajorVersion
.1.3.6.1.4.1.6527.3.1.2.1.1.9 Alcatel sgiKbMemoryUsed
.1.3.6.1.4.1.6527.3.1.2.1.1.10 Alcatel sgiKbMemoryAvailable
.1.3.6.1.4.1.6527.3.1.2.1.1.11 Alcatel sgiKbMemoryPoolAllocated

Vendor-specific SNMP OIDs (Continued)

.1.3.6.1.4.1.6527.3.1.2.2.1.3.1.20 Alcatel tmnxChassisOperMode
.1.3.6.1.4.1.6527.3.1.2.3.4.1.4 Alcatel vRtrIfName
.1.3.6.1.4.1.6527.3.1.2.3.4.1.9 Alcatel vRtrIfOperState
.1.3.6.1.4.1.6527.3.1.2.3.4.1.10 Alcatel vRtrIfAlias
.1.3.6.1.4.1.6527.3.1.2.3.4.1.34 Alcatel vRtrIfDescription
.1.3.6.1.4.1.6527.3.1.2.3.4.1.63 Alcatel vRtrIfGlobalIndex
.1.3.6.1.4.1.6527.3.1.2.3.6.1.3 Alcatel vRiaIpAddress
.1.3.6.1.4.1.6527.3.1.2.3.54.1.40 Alcatel vRtrIfRxPkts
.1.3.6.1.4.1.6527.3.1.2.3.54.1.43 Alcatel vRtrIfRxBytes
.1.3.6.1.4.1.6527.3.1.2.3.54.1.46 Alcatel vRtrIfTxV4Pkts
.1.3.6.1.4.1.6527.3.1.2.3.54.1.49 Alcatel vRtrIfTxV4Bytes
.1.3.6.1.4.1.6527.3.1.2.3.54.1.52 Alcatel vRtrIfTxV6Pkts
.1.3.6.1.4.1.6527.3.1.2.3.54.1.55 Alcatel vRtrIfTxV6Bytes
.1.3.6.1.4.1.6527.3.1.2.3.54.1.103 Alcatel vRtrlfSpeed
.1.3.6.1.4.1.9.9.48.1.1.1.5 Cisco ciscoMemoryPoolUsed
.1.3.6.1.4.1.9.9.48.1.1.1.6 Cisco ciscoMemoryPoolFree
.1.3.6.1.4.1.9.9.109.1.1.1.1.8 Cisco cpmCPUTotal5MinRev
.1.3.6.1.4.1.6027.3.1.1.3.7.1.5 Force10 chRpmCpuUtil5Min
.1.3.6.1.4.1.6027.3.1.1.3.7.1.6 Force10 chRpmMemUsageUtil
.1.3.6.1.4.1.6027.3.8.1.3.7.1.5 Force10 chRpmCpuUtil5Min - C series
.1.3.6.1.4.1.6027.3.8.1.3.7.1.6 Force10 chRpmMemUsageUtil - C series
.1.3.6.1.4.1.6027.3.10.1.2.9.1.4 Force10 chStackUnitCpuUtil5Min - S series
.1.3.6.1.4.1.6027.3.10.1.2.9.1.5 Force10 chStackUnitMemUsageUtil - S series
.1.3.6.1.4.1.1991.1.1.2.1.35 Foundry snAgGblCpuUtilData
.1.3.6.1.4.1.1991.1.1.2.1.53 Foundry snAgGblDynMemUtil
.1.3.6.1.4.1.116.6.1.11.3.2.2.1.1.21 Hitachi gr4kBcuRmMemoryTotalSize
.1.3.6.1.4.1.116.6.1.11.3.2.2.1.1.23 Hitachi gr4kBcuRmMemoryFreeSize
.1.3.6.1.4.1.116.6.1.11.3.2.2.1.1.25 Hitachi gr4kBcuRmCpuLoad1m
.1.3.6.1.4.1.2011.5.25.31.1.1.1.1.5 Huawei hwEntityCpuUsage

Vendor-specific SNMP OIDs (Continued)

.1.3.6.1.4.1.2011.5.25.31.1.1.1.1.7 Huawei hwEntityMemUsage
.1.3.6.1.4.1.2011.5.25.110.1.2.1.2 Huawei hwifNet32BitIndex
.1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0 Juniper jnxOperatingCPU
.1.3.6.1.4.1.2636.3.1.13.1.11.9.1.0 Juniper jnxOperatingBuffer
When available, the CPU and memory values displayed for each router are shown only for
the primary route processor.


Glossary
A
AAA (Authentication, Authorization, & Accounting) — This is an acronym used to describe the
process of authorizing access to a system, authenticating the identity of users, and logging their
behaviors.
ACL (Access Control List) — A list composed of rules and filters stored in a router to allow, deny, or
otherwise regulate network traffic based on network parameters such as IP addresses, protocol
types, and port numbers.
active route — A network route installed in a routing table.
address — A coded representation that uniquely identifies a particular network identity.
AES (Advanced Encryption Standard) — A commonly used encryption block cipher adopted as the
standard of the U.S. government.
AIF (ATLAS Intelligence Feed) — Real-time threat information that is an Arbor-maintained feed
consisting of a database of security threats and signatures that automatically updates each minute
and DDoS regular expressions that are used by TMS to mitigate attacks. Sightline regularly
downloads this information and uses it to detect and block emerging botnet attacks and
application-layer attacks.
anomaly — An event or condition in the network that is identified as an abnormality when compared to a
predefined illegal traffic pattern.
anonymous statistic sharing — A service whereby service providers and enterprise businesses share
anonymized statistics on ongoing attacks in order to provide an internet-wide view of ongoing
attacks.
API (Application Programming Interface) — A well-defined set of function calls providing high-level
controls for underlying services.
appliance — An NETSCOUT® Arbor server that gathers network statistics from adjacent routers via either
packet capture or flow and performs first-order traffic analysis. Anomalous activities are
compressed into alert messages that are periodically sent to the listening leader.
ARP (Address Resolution Protocol) — A protocol for mapping an IP address to a physical machine
address.
AS (Autonomous System) — A collection of IP networks and routers under the control of one entity
and assigned a single ASN for purposes of BGP routing.

ASCII (American Standard Code for Information Interchange) — A coded representation for
standard alphabetic, numeric, and punctuation characters, also referred to as “plain text.”
ASN (Autonomous System Number) — A unique number assigned to an autonomous system for
purposes of BGP routing.
AS Path (Autonomous System Path) — The ASNs that comprise a packet's path through the internet
using BGP.
ATLAS (Active Threat Level Analysis System) — A globally scoped threat analysis network that
analyzes data from darknets and the internet’s core backbone to provide information to
participating customers about malware, exploits, phishing, and botnets.
authentication — An identity verification process.
B
backbone router — An OSPF router with all operational interfaces within 0.0.0.0.
baseline — A description of typical traffic patterns over a period of time. Baselines are generated by
reducing collections of fine-grained profiles into a more monolithic data representation that
includes a chronological component.
BGP (Border Gateway Protocol) — The core routing protocol of the internet.
binning — Grouping data into chunks or "bins" usually defined by time periods, for example, traffic for
the last 24 hours.
blackhole routing — A technique to route traffic to null interfaces that can never forward the traffic.
bogon — An IP packet that claims to originate from "dark" IP space.
border router — A router at the border of an AS or network.
bps — Bits per second.
C
CA (Certificate Authority) — A third party which issues digital certificates for use by other parties. CAs
are characteristic of many public key infrastructure (PKI) schemes.
CAR (Committed Access Rate) — A tool for managing bandwidth that provides the same control as
ACL with the additional property that traffic can be regulated based on bandwidth usage rates in
bits per second.
CIDR (Classless Inter-Domain Routing) — Method for classifying and grouping internet addresses.
CIDR Group — CIDR addresses grouped together to share a common managed object configuration. The
equivalent of DoS "detection groups."
cflowd — Developed to collect and analyze the information available from NetFlow. It allows the user to
store the information and enables several views of the data. It produces port matrices, AS matrices,
network matrices, and pure flow structures.

Glossary
challenge packets — Information sent by a TMS model to an unknown host in response to a request
from the unknown host. The unknown host must provide a valid response to the challenge
packets. If it does not, the TMS model refuses the request and adds the unknown host to the
blacklist. Several TMS countermeasures use challenge packets to authenticate unknown hosts.
chargen — The character generator protocol that was used for testing the TCP/IP protocol.
CLI (Command Line Interface) — A user interface that uses a command line, such as a terminal or
console (as opposed to a graphical user interface).
client — The component of client/server computing that uses a service offered by a server.
Collector — An appliance that gathers network information from adjacent routers through flow and
performs first-order traffic analysis. Anomalous events are compressed into event messages that
are then sent to the listening leader.
commit — The process of saving a configuration change so that the changes take effect on the Sightline
system.
customer — A managed object that defines traffic for a business or organization who purchases internet
service from an internet service provider. Note, this type of managed object should be used to
define most managed services clients.
customer edge router — A router within a customer's network connected to an ISP's customer peering
edge.
D
Dark IP — Regions of the IP address space that are reserved or known to be unused.
DDoS (Distributed Denial of Service) — An interruption of network availability typically caused by

many, distributed malicious sources.
designated router — The router designated by other routers (via the OSPF protocol) as the sender of
link state advertisements.
DHCP (Dynamic Host Configuration Protocol) — A protocol used to distribute IP addresses to host
machines, which has a list of available addresses.
DNS (Domain Name System) — A system that translates numeric IP addresses into meaningful,
human-consumable names and vice-versa.
DoS (Denial of Service) — An interruption of network availability typically caused by malicious sources.
DoS alert — A notification indicating an event or condition in the network that is identified as a statistical
abnormality when compared to typical traffic patterns gleaned from previously collected profiles
and baselines or that matches a predefined illegal traffic pattern.
E
encryption — The process by which plain text is scrambled in such a way as to hide its content.
ESP (Encapsulating Security Payload) — An IPSec protocol for establishing secure tunnels.

Ethernet — A series of technologies used for communication on local area networks.
exploit — Tools intended to take advantage of security holes or inherent flaws in the design of network
applications, devices, or infrastructures.
F
failover — Configuring two appliances so that if one appliance fails, the second appliance takes over the
duties of the first, ensuring continued service.
fate sharing — Putting a mitigation out of service when a part of the mitigation’s deployment fails or
becomes unreachable. Fate sharing can occur when a dependent interface loses link, a nexthop
becomes unreachable, a BGP peer is down, a GRE tunnel is down, one or more TMS appliances or
TMS clusters are out of service, or the leader appliance becomes unreachable. For example, if
nexthop fate sharing is configured for a TMS appliance and the nexthop used by a mitigation
becomes unreachable, then the mitigation is put out of service.
FCAP — A fingerprint expression language that describes and matches traffic information.
Fibre Channel — Gigabit-speed network technology primarily used for storage networking.
firewall — A security measure that monitors and controls the types of packets allowed in and out of a
network, based on a set of configured rules and filters.
flow — Flow is a characterization of the network traffic. It defines the traffic that is seen. It provides
Sightline with information from layers 1, 3, and 4 for the traffic that traverses a network.
flowspec — A BGP-based IETF standard for exchanging flexible firewall and ACL rules implemented by
Juniper routers utilizing JunOS 7.3 or later.
fps — Traffic flows per second (NetFlow, ArborFlow, SFlow, etc.).
FQDN (Fully Qualified Domain Name) — A complete domain name, including both the registered
domain name and any preceding node information.
FTP — A TCP/IP protocol for transferring files across a network.
G
GMT (Greenwich Mean Time) — A deprecated world time standard, replaced by UTC.
GRE (Generic Routing Encapsulation) — A tunneling protocol commonly used to build VPNs.
H
host — A networked computer (client or server); in contrast to a router or switch.
HTTP (HyperText Transfer Protocol) — A protocol used to transfer or convey information on the
World Wide Web. Its original purpose was to provide a way to publish and retrieve HTML pages.
HTTPS (HyperText Transfer Protocol over SSL) — The combination of a normal HTTP interaction
over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport
mechanism.

Glossary
I
IANA (Internet Assigned Numbers Authority) — An entity that oversees global IP address allocation,
DNS root zone management, and other internet protocol assignments. It is operated by ICANN.
ICMP (Internet Control Message Protocol) — An IP protocol that delivers error and control messages
between TCP/IP enabled network devices, for example, ping packets.
IETF (Internet Engineering Task Force) — An internet standards organization that develops draft
documents and RFC documents defining protocols for the internet.
IGMP (Internet Group Management Protocol) — A communications protocol used to manage the
membership of Internet Protocol multicast groups.
intelligent filtering — A feature that adds the ability to work with an integrated filtering device to
automatically filter traffic.
IMAP (Internet Message Access Protocol) — An application layer internet protocol that allows a local
client to access email on a remote server. (Also known as Internet Mail Access Protocol, Interactive
Mail Access Protocol, and Interim Mail Access Protocol.)
interface — An interconnection between routers, switches, or hosts.
IP (Internet Protocol) — A connectionless network layer protocol used for packet delivery between
hosts and devices on a TCP/IP network.
IP Address — A unique identifier for a host or device on a TCP/IP network.
IPS (Intrusion Prevention System) — A computer security device that exercises access control to
protect computers from exploitation.
IPSec (Internet Protocol Security) — A suite of protocols for securing Internet Protocol (IP)
communications by authenticating and/or encrypting each IP packet in a data stream.
ISP (Internet Service Provider) — A business or organization that provides to consumers access to the
internet and related services.
L
LAN (Local Area Network) — A typically small network that is confined to a small geographic space.
leader — A designated Sightline appliance that accepts alert messages from one or more normal devices
and performs second-order traffic analysis in order to identify and visualize potential attacks.
(These were referred to as "Controllers" in previous NETSCOUT® Arbor products.)
M
MAC (Media Access Control) Address — A unique hardware number associated with a networking
device.
managed object — User-defined network objects used to classify logical portions of your network or
network traffic. Managed objects can be customers, peers, profiles, VPNs, or VPN sites.
MD5 (Message Digest algorithm 5) — A widely used cryptographic hash function.

MDI (Media Dependent Interface) — An Ethernet port connection that allows network hubs or
switches to connect to other hubs or switches without a null-modem or Ethernet crossover cable.
MIB (Management Information Base) — A database used by the SNMP protocol to manage devices
in a network. Your SNMP polling device uses this to understand Sightline SNMP traps.
MPLS label — An identifying string for packets using the MPLS protocol.
mitigation — The process of using recommendations from Sightline to apply policies to your network to
reduce the effects of a worm or DoS attack.
mitigation device — A device that filters network traffic passing through it based upon a ruleset
provided by Sightline. This can be either a dedicated network device (TMS appliance or Flowspec
capable router) or an Sightline appliance with software mitigation enabled.
MPLS (Multiprotocol Label Switching) — A packet-switching protocol developed by the Internet

Engineering Task Force (IETF) initially to improve switching speeds, but other benefits are now
seen as being more important.
MS (Managed Services) — an Sightline appliance that has the ability to provide a web UI to allow
customers a special, restricted access to the Sightline system.
MTU (Maximum Transmission Unit) — The size (in bytes) of the largest packet that a given layer of a
communications protocol can efficiently forward.
multicast — Protocols that address multiple IP addresses with a single packet (as opposed to unicast
and broadcast protocols).
N
NAT (Network Address Translation) — Rewriting the source and destination addresses of IP packets
as they pass through a router or firewall.
NetFlow — A technology developed by Cisco Systems, Inc. that allows routers and other network devices
to periodically export information about current network conditions and traffic volumes.
netmask — A dotted quad notation number used by routers determine which part of the address is the
network address and which part is the host address.
network object — Network objects are portions of your network or network traffic and include both
managed objects (customers, peers, profiles, VPNs, or VPN sites) and physical network objects
(routers and interfaces).
NIC (Network Interface Card) — A hardware component that maintains a network interface
connection.
NTP (Network Time Protocol) — A protocol that is used to synchronize clock times in a network of
computers.
O
OC-3 — A fiber optic network line with transmission speeds of up to 155.52 Mbit/s.
OC-12 — A fiber optic network line with transmission speeds of up to 622.08 Mbit/s.

Glossary
offnet — Traffic that leaves the network through a BGP boundary and is not destined for a configured
customer entity.
P
packet — A unit of data transmitted across the network that includes control information along with
actual content.
password — A secret code used to gain access to a computer system.
PCC (Packet Capture Collector) — Packet capture is a method of passively monitoring network traffic
to create flow information. The packet capture mode on an NETSCOUT® Arbor appliance can be
used in cases where flow from routers is unavailable or unwanted.
PE (Provider Edge) Router — A router in a service provider's network that is connected to a customer
edge router.
peer — A managed object that describes other networks that are peering with yours.
peer to peer — (Sometimes abbreviated P2P) a computer network that relies primarily on the computing
power of the clients in the network rather than concentrating it in a relatively low number of
servers. P2P networks are typically used for connecting nodes via largely ad hoc connections.
pps — Packets per second.
ping — An ICMP request to determine if a host is responsive.
POP (Post Office Protocol) — A TCP/IP email protocol for retrieving messages from a remote server.
PoP (Point of Presence) — A physical connection between telecommunications networks.
port — A field in TCP and UDP protocol, packet headers that corresponds to an application level service
(for example TCP port 80 corresponds to HTTP).
profile — A managed object that defines an arbitrary subset of network traffic that does not fit any of the
other managed object types.
protocol — A well-defined language used by networking entities to communicate with one another.
Q
QoS (Quality of Service) — A method of providing different priority to different traffic, or guaranteeing
a certain level of performance to a data flow for a particular traffic type.
R
RADIUS (Remote Authentication Dial In User Service) — A client/server protocol that enables
remote access servers to communicate with a central server to authenticate dial-in users and
authorize their access to the requested system or service.
RDN (Registered Domain Name) — A domain name as registered, without any preceding node
information (for example, “arbor.net” instead of www.arbor.net).
refinement — The process of continually gathering information about anomalous activity seen.

remediation — The process of minimizing attack damage by taking the recommendations from Sightline
and applying reasonable changes to the network.
remote BGP routeviews — External route servers maintained by NETSCOUT® Arbor which provide
information on route availability with remote ASNs.
report — An informational page presenting data about a traffic type or event.
RFC (Request For Comments) — An IETF document that defines a protocol or other standard for
internet communications.
route — A path a packet takes through a network.
route distinguisher — An address qualifier that is prepended to an IPv4 address to create a unique
VPN-IPv4 address.
route target — A VPN identifier. A VPN might require more than one route target.
router — A device that connects one network to another. Packets are forwarded from one router to
another until they reach their ultimate destination.
S
scoping — The container managed object within which a managed services customer's traffic view is
restricted.
secret key — A secret shared only between a sender and receiver of data.
SFlow — A standard similar to NetFlow which describes a mechanism to capture traffic data in switched
or routed networks.
site-of-origin — A BGP extended community attribute that identifies the VPN site from which a route
originates.
skins — Sets of UI parameters, including menus, used to facilitate different Sightline workflows.
SMTP - (Simple Mail Transfer Protocol) — The de facto standard protocol for email transmissions
across the internet.
smurf attack — A DDoS attack that exploits misconfigured network devices to broadcast large numbers
of ICMP packets to all the computer hosts on a network.
SNMP (Simple Network Management Protocol) — A standard protocol that allows routers and
other network devices to export information about their routing tables and other state
information.
spoofing — A situation in which one person or program successfully masquerades as another by

falsifying data (usually the IP address) and thereby gains an illegitimate advantage.
SSDP (Simple Service Discovery Protocol) — A network protocol that is used to advertise and
discover network services and devices.

Glossary
SSH (Secure Shell) — A command line interface and protocol for securely getting access to a remote
computer. SSH is also known as Secure Socket Shell.
SSL (Secure Sockets Layer) — A protocol for secure communications on the internet for such things as
web browsing, email, instant messaging, and other data transfers.
T
TACACS+ (Terminal Access Controller Access Control System +) — An authentication protocol
common to UNIX networks that allows a remote access server to forward a user’s login password
to an authentication server to determine whether that user is allowed to access a given system.
target — A victim host or network of a worm or other malicious denial of service (DoS) attacks.
TCP (Transmission Control Protocol) — A connection-based, transport protocol that provides reliable
delivery of packets across the internet.
TCP/IP — A suite of protocols that controls the delivery of messages across the internet.
Telnet — A TCP protocol used primarily for unencrypted CLI communications (usually deprecated and
replaced by SSH).
TMS — an Sightline appliance designed for intelligent traffic filtering and DNS monitoring in conjunction
with an Sightline deployment.
tunnel — A method of communication where one protocol is encapsulated within another.
U
UDP (User Datagram Protocol) — An unreliable, connectionless, communication protocol.
UNC (Universal Naming Convention) — A standard which originated from UNIX for identifying
servers, printers, and other resources in a network.
uptime — The time elapsed since a given host or server was last rebooted.
URI (Uniform Resource Identifier) — A protocol, login, host, port, path, etc. in a standard format used
to reference a network resource, (for example http://arbor.net/).
URL (Uniform Resource Locator) — Usually a synonym for URI.
UTC (Universal Time Coordinated) — The time zone at zero degrees longitude which replaced GMT as
the world time standard.
V
VLAN (Virtual Local Area Network) — Hosts connected in an infrastructure that simulates a local area
network, when the hosts are remotely located, or to segment a physical local network into smaller,
virtual pieces.
VoIP (Voice over Internet Protocol) — Routing voice communications (such as phone calls) through
an IP network.

VPN (Virtual Private Network) — A private communications network often used within a company, or
by several companies or organizations, to communicate confidentially over a public network using
encrypted tunnels.
vulnerability — A security weakness that could potentially be exploited.
W
WAN (Wide Area Network) — A computer network that covers a broad area. (Also, Wireless Area
Network meaning a wireless network.)
WEP (Wired Equivalent Privacy) — A security scheme for wireless networks intended to provide
comparable confidentiality to a traditional wired network (in particular it does not protect users of
the network from each other).
worm — A self propagating program, usually used to spread a malicious payload across networked
computers.
X
XML (eXtensible Markup Language) — A metalanguage written in Standard Generalized Markup
Language (SGML) that allows one to design a markup language for easy interchange of documents
on the World Wide Web.

Index
ATAC, contacting 11
6 ATLAS services
ports 26
6PE
Auto-Configuration
diversion 203
running manually 113
using to mitigate IPv6 traffic 203
auto-mitigation settings, traffic triggered
6PE mitigations
changing 196
configuring 203
autodiscovering
important things to know 203
local address space 28
important TMS appliance settings 205
A B
backup, TMS 49
access rules
backups, scheduled
adding to a VLAN subinterface of a TMS
configuring 242
appliance 119
BGP
acknowledgement question
monitoring routers with 106
adding 62
shared memory 83
editing 62
status, viewing for a TMS appliance 96
add TMS models 44
BGP interface
using ZTP 39
configuring on TMS appliance 117
administrator password
BGP session
resetting 64
labeled unicast BGP capabilities 204
AIF server address
blackhole nexthops
setting 37
custom templates 207
AIF signatures
importing 38
Alcatel 7740 router C
configuring to send cFlowd data 277 CLI
Alcatel 7750 router 281 command hierarchy 17
configuring SNMP 280 command types 18
alert database commands, using 16
resetting 82 compound commands 18
alert management software entering commands 18
configuring 214 help, using 18
alert notifications logging in 15
configuring 218 saving configuration 19
alert pages viewing current configuration 19
changing search result settings 175 viewing current directory status 19
alerts 173 cloud-based licensing
appliance CLI 70
configuring scheduled backups 242 installing 70
replacing with an RMA replacement 46 refreshing manually 70
securing 56 console
appliance, TMS connecting 14
replacing with an RMA replacement 49 conventions, typographic
Arbor Technical Assistance Center, contacting 11 in commands and expressions 10

Index: countermeasure – login default page
in procedures 9 FlowSpec routers

countermeasure 201 mitigating with 253
customer support, contacting 11 Foundry routers
configuring sFlow 271
D
data storage role G
adding managed object homing 72 GRE encapsulation 201
default route
adding to a VLAN subinterface of a TMS H
appliance 118 high availability
disabled mode
about 239
about 17 configuring 239-240
disk space deployment requirements 240
partitions 238 manually switching to backup leader 244
viewing available 238 recovering after a failover 245
DNS hosts file host detection misuse types
importing 32 enabling and disabling 191
DNS servers host detection settings
adding to a global configuration 32 combining 188
adding to a local configuration 32 converting shared to custom set 190
configuring 31
deleting from a global configuration 32
deleting from a local configuration 32
I
documentation 8 Interface Configuration History page
DoS alert 177 overriding the number of changes shown 172
changing the graph view on listing pages 174 interfaces
DoS evaluation baselines 193 viewing and resetting counters 99
interfaces, loopback
E configuring 114
IP addresses 177
edit mode IP alias
about 17 configuring 111
switching to 17 IPv4 next hop
setting on a TMS appliance 204
F IRR server
failover changing 28
about 239
manually switching to backup leader 244 J
flash drive Juniper router
restoring from 161 sending flow monitoring to Sightline 265
flow
enabling detection with SNMP polling 109
FPS limit, overriding 73
L
sub-sampled 73 labeled unicast BGP capabilities
flow monitoring 265 configuring 204
configuring for JunOS 265 local address space
configuring Juniper routers 265 autodiscovering 28
flow sources local BGP router ID
configuring 260 configuring on Sightline appliance 108
router and interface maximums 260 local blocked host logging
flowspec mitigation enabling 200
testing 256 logging in
CLI 15
login default page 171

Index: loopback interfaces – serial cable
loopback interfaces patches

configuring 114 about installing on TMS appliance 132
TMS 4000 135
M Peering Traffic Exchange tools
enabling 210
managed object
physical security
homing 72
about 61
metric
pinging
setting a limit 232
nexthop 90
metrics
ports
configuring thresholds 232
ATLAS services 26
mitigation pages
optional 25
changing search result settings 175
required 24
MPLS label
used by Sightline 24
setting on a TMS appliance 204
prefix aggregation 177
promiscuous mode
N disabling 86
NetFlow enabling 86
configuring 260
configuring Cisco IOS routers 261
configuring export IP address 262
R
RADIUS
configuring settings 261
changing default user group 185
enabling on interfaces 262
rate limit alert 87
enabling on subinterfaces 262
rate limiting 201
enabling on your Sightline appliances 263
raw flows
export IP address 262
disk threshold setting 78
forwarding to Sightline devices 261
estimated disk usage 79
setting the active flow timeout 263
maximum disk usage setting 78
setting the destination IP address 263
sample rate setting 78
supported versions 261
settings for capturing 78
teeing 75
recording settings
viewing export IP address 262
configuring 198
nexthop
reinstalling
pinging 90
Sightline 146
NTP servers
TMS 4000 155
adding to a global configuration 35
TMS 5000 155
adding to a local configuration 35
reports
configuring 34
default number listed 212
deleting from a global configuration 35
resetting administrator password 64
deleting from a local configuration 35
restoring from backup, TMS 49
restoring from flash drive 161
O RMA appliance
OIDs replacing 46
used to poll routers 282 TMS, replacing 49
vendor-specific 283 routing table file format 121
P S
password sample packet
configuring maximum length 63 configuring recording settings 198
configuring minimum length 63 sampling
default 15 disabling on a router interface 112
enabling hardening 63 serial cable
resetting 64 connecting for CLI setup 14

Index: sFlow – transit traffic reporting
type 14
sFlow T
about enabling 275
TACACS+
configuring Alaxala routers 273
changing default user group 185
configuring Force10 routers 275
teeing NetFlow 75
configuring Foundry routers 271
terminal emulation
sending to Sightline 271
about 14
Shared memory for BGP 83
Hyperterminal 14
shell
timestamp suffix
disabling access 77
setting 247
Sightline
TMS 5000
connecting appliance to console 14
reinstalling software 155
installing maintenance releases 124
TMS appliance
physical security 61
about installing patches 132
reinstalling 146
adding a default route for a VLAN subinterface 118
syslog output 221
adding access rules for a VLAN subinterface 119
Sightline appliance
adding VLAN subinterfaces 118
configuring local BGP router ID 108
changing the leader 89
securing 56
configuring BGP interface 117
Sightline appliances
configuring VLAN subinterfaces 118
enabling NetFlow 263
enablimg promiscuous mode 86
single sign-on
enabling local blocked host logging 200
about header-based 181
obtaining valid license key 133
configuring header-based 183
pinging nexthop 90
slot status
removing VLAN subinterface 119
viewing 97, 100
replacing 49
SNMP
restoring from flash 161
configuring routers 282
running a traceroute 93
disabling polling for a router 110
securing 56
OID traps used by management systems 216
viewing and clearing interface counters 99
OIDs used to poll routers 282
viewing SFP and SFP+ information 100
OIDs used to poll Sightline 214
viewing slot status 97
OIDs used to poll TMS devices 215
viewing the BGP status 96
sending information to Sightline 282
TMS backup 49
vendor-specific OIDs 283
TMS physical interface
SNMP polling 281
enabling promiscuous mode 86
using to detect flow 109
TMS port
software updates
enabling to use MPLS labels 205
adding to appliances 141
TMS restore from backup 49
sorting alerts 173
traceroute command
SSH
running 93
configuring settings 67
traffic-triggered auto-mitigation settings
installing public keys 67
changing 196
setting version 67
Traffic Engineering tools
SSL Negotiation countermeasure
enabling 210
disabling whitelisting 199
traffic mitigation
subscriber group 170
configuring Juniper routers 254
support, contacting 11
FlowSpec routers 253
syslog
transit research reporting
sending messages to a remote host 229, 231
enabling 210
system configuration
transit traffic reporting
viewing current 19
enabling 210

Index: typographic conventions – ZTP
typographic conventions
commands and expressions 10
procedures 9
U
upgrading
BI 124
CP 124
FS 124
PI 124
TMS 4000 135
TMS firmware manually 140
user account 180
user name
default 15
V
VLAN subinterface
removing from a TMS appliance 119
VLAN subinterfaces
adding on a TMS appliance 118
configuring on a TMS appliance 118
VPN site auto-detection
disabling and enabling 194
W
whitelisting
disabling for SSL Negotiation countermeasure 199
Whois resolution server
adding 30
X
XML menu schema 166
Z
Zero Touch Provisioning 39
ZTP 39


Arbor Networks, Inc. License, Cloud, and Managed Service Agreement
The license agreement (https://www.netscout.com/cloud-and-managed-services-eula) contains
updated terms and conditions with respect to your license of Arbor product and services and is
deemed to replace any previous license terms provided with respect thereto; provided, however, if
you and Arbor have executed a direct agreement, such direct agreement shall govern your license
of Arbor product and services.

Sightline TMS 90 Advanced-Configuration-Guide 2018-10-16

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Sightline TMS 90 Advanced-Configuration-Guide 2018-10-16

Hochgeladen von

Copyright:

Verfügbare Formate

Sightline and Threat Mitigation System

Advanced Configuration Guide

Using the Command Line Interface (CLI)

Part I Sightline and TMS (TMS) Deployment

Sightline and TMS Advanced Configuration Guide, Version 9.0 3

Viewing the BGP Status of a TMS Appliance 96

Part II System Administration

4 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

Proprietary and Confidential Information of NETSCOUT Systems, Inc. 5

6 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

How to use Sightline and Threat Mitigation System (TMS) Documentation 8

Sightline and TMS Advanced Configuration Guide, Version 9.0 7

How to use Sightline and Threat Mitigation System (TMS)

Additional Sightline and TMS documentation

Available Documentation Contents

Sightline REST API Online help topics about the Sightline

(information) Information about a report or a particular feature of

8 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

Conventions Used in this Guide

Conventions for procedures

Convention Description Examples

Bold An element on the graphical Type the computer’s address in

SMALL CAPS A key on the keyboard. Press ENTER.

Monospaced A file name, folder name, or Navigate to the

Monospaced Information that you must Type https:// followed by the IP

> A navigation path or sequence Select Mitigation > Threat

Proprietary and Confidential Information of NETSCOUT Systems, Inc. 9

Conventions for commands and expressions

Monospaced A variable for which you must supply a value.

{ } (braces) A set of choices for options or variables, one of which is required.

| (vertical bar) Separates the mutually exclusive options or variables.

10 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

Contacting the Arbor Technical Assistance Center

Submitting documentation comments

n Document number (listed on the reverse side of the title page)

Sightline and TMS Advanced Configuration Guide

Proprietary and Confidential Information of NETSCOUT Systems, Inc. 11

12 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

Connecting the Serial Cable for CLI Setup 14

Sightline and TMS Advanced Configuration Guide, Version 9.0 13

Connecting the Serial Cable for CLI Setup

Using the correct serial cable

About terminal emulation

Setting up terminal emulation with Hyperterminal

Connecting a Sightline or TMS appliance to the console

MCM Model Serial Connector Label Serial Connector Type

MCM-1 CONSOLE DB-9F

MCM-2 CONSOLE DB-9F micro-D

MCM-C SER RJ45F

14 Proprietary and Confidential Information of NETSCOUT Systems, Inc.

5. Use a terminal emulation program, such as Hyperterminal, to create a connection to

Setting Value Appliance

n Sightline Insight 8000 appliances

Data bits 8 All

Parity None All

Stop bits 1 All

Flow control None All

Communications Typically COM1, but All

6. To connect to the network, connect an Ethernet cable between the appliance’s

Default username and password

Proprietary and Confidential Information of NETSCOUT Systems, Inc. 15

Using CLI Commands

Exceptions to documented commands

Logging in to the CLI of an appliance