
Chapter 3. Management across a single firewall

1. Select Traffic Control->Connection Setup

2. Double-click on the entry with the description Add a New Connection, as shown in Figure 24 on page 67.

3. Enter the appropriate information in the Connection Name and Description fields.

Note

By only creating a connection for the SNMP service from the SN (NetView’s) to the UN, you also indirectly allow SNMP requests to FW1’s UI (since the UI is part of the UN). Consider also that SNMP requests from NetView can only be directed to the UI and not the SI, unless another connection is created specifically to the FW itself.

Also note that FW1 will need the SNMP Service installed if configuration and SNMP polling of it are required. This will depend on the security requirements of the network. If SNMP to the FW is strictly not allowed in the network, then in order to manage the FW through ping you may consider configuring NetView’s topology manually for all of the FW’s interfaces.

Figure 24. Adding a connection

4. We now select the source network object (NO) from which the connection is permitted to be initiated. In our example, it is the NetView Clients group (“NetView Clients” being the NO label of a group of NetView servers). Click the Select button on the Source field and, from the Network Objects list, select the “NetView Clients” group object and click OK.

5. We now select the destination for the connection, which in the example is the UN. Click the Select button on the Source field, and from the NO list, select the “Unsecure Network” object and click OK.

6. We now select which services are permitted to flow from the selected source to the selected destination for this connection (in our example, the SNMP Get service), using the Connection Services area. Click Select, select the SNMP Get service from the list of services, and click OK. See Figure 25 on page 68.

7. Click OK to complete the connection.

Figure 25. Connection details

8. After creating the connection, it needs to be activated to test that it functions properly. Click on Control from the Connection List dialog box.

9. Click “Regenerate Connection Rules and Activate” and click OK (see Figure 26 on page 69).

Figure 26. Connection control

10. Click Close.

The connection is now complete and activated. In the next section, we will show how we tested the service to ensure that it is configured correctly.
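As an added illustration (not from the redbook or the SecureWay product), a small Python model of the connection built above, using constructed addresses and a simplified one-direction view of the SNMP Get service. It shows the point made in the note: because FW1’s unsecure interface is a member of the Unsecure Network object, the connection reaches it too, while the secure interface stays under the default deny.

```python
import ipaddress

# Constructed addressing (assumption; the redbook does not give the lab's numbering).
NETWORK_OBJECTS = {
    "NetView Clients": [ipaddress.ip_network("10.1.1.10/32"),
                        ipaddress.ip_network("10.1.1.11/32")],   # NetView servers on the SN
    "Secure Network": [ipaddress.ip_network("10.1.1.0/24")],      # SN
    "Unsecure Network": [ipaddress.ip_network("192.0.2.0/24")],   # UN; FW1's UI is inside it
}
FW1_UI = "192.0.2.1"   # FW1 unsecure interface (member of the UN object)
FW1_SI = "10.1.1.1"    # FW1 secure interface (member of the SN object only)

# Simplified service table: SNMP Get is modelled as UDP/161 from source to destination.
SERVICES = {"SNMP Get": ("udp", 161)}

# The single connection created in steps 1 to 10 above.
CONNECTIONS = [{"name": "NetView SNMP to UN", "source": "NetView Clients",
                "destination": "Unsecure Network", "services": ["SNMP Get"]}]

def in_object(addr, name):
    """True if addr falls inside any network of the named network object."""
    return any(addr in net for net in NETWORK_OBJECTS[name])

def is_permitted(src, dst, proto, port):
    """Return the name of the first connection whose source object, destination
    object and service set match the packet; None means the default deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for conn in CONNECTIONS:
        if not (in_object(src, conn["source"]) and in_object(dst, conn["destination"])):
            continue
        if any(SERVICES[s] == (proto, port) for s in conn["services"]):
            return conn["name"]
    return None
```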

3.4.1.7 Testing the connection configuration

Each connection will require a different test. For this example configuration, we executed the snmpwalk command from each of the NetViews to MLM1 and were able to receive SNMP data from MLM1. Here is a sample of the test result:

root@itso8 > snmpwalk itso7 system
system.sysDescr.0 : DISPLAY STRING- (ascii): IBM PowerPC CHRP Computer Machine Type: 0x0800004c Processor id: 000677154C00
Base Operating System Runtime AIX version: 04.03.0003.0000 TCP/IP Client Support version: 04.03.0003.0000
system.sysObjectID.0 : OBJECT IDENTIFIER: .iso.org.dod.internet.private.enterprises.ibm.3.1.2.1.1.3
system.sysUpTime.0 : Timeticks: (6679183) 18:33:11.83
system.sysContact.0 : DISPLAY STRING- (ascii):
system.sysName.0 : DISPLAY STRING- (ascii): itso7
system.sysLocation.0 : DISPLAY STRING- (ascii):
system.sysServices.0 : INTEGER: 72
root@itso8 >

3.4.2 Polling using SNMP

Prior to NetView Version 6.0, NetView for both AIX and Windows NT could only check the status of nodes using ICMP. NetView Version 6.0 introduces, in the netmon daemon, the facility to poll nodes using SNMP by checking the ifAdminStatus and ifOperStatus values for the interfaces (the only requirement is that the managed nodes must support SNMP). This is also useful for checking interfaces that do not respond to ICMP, such as unnumbered serial interfaces on routers. Using SNMP for status checking, you can eliminate the need to open up the ICMP ports on the firewall and so close another security hole. netmon automatically configures routers containing unnumbered serial interfaces for SNMP status polling. In addition, you can set the -P switch in the /usr/OV/conf/oid_to_type file for classes of devices to specify that SNMP should be used for status polling instead of ICMP.

This behavior is set in one of three ways:

1. Automatically, if the node has at least one unnumbered interface.

2. Explicitly, by setting the IP address or range of addresses in your netmon seed file. This can be done from the Server Setup application (select Configure –> Set options for daemons –> Set options for topology, discovery, and database daemons –> Set options for netmon daemon) by creating an SNMP Status entry with the Network Monitor Seed File Editor (you may also edit the netmon.seed file with a text editor, using the prefix $ to denote an SNMP Status polled node). The SNMP Status entry is created in the Special Features tab of the Seed File Editor, as shown in Figure 27 on page 71.

Figure 27. Netmon seed file editor

Please refer to the man page for netmon and to Tivoli NetView Administration’s Guide V6.0, SC31-8440, for further information.
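As an added example (not NetView’s own code), a Python sketch of the two pieces this section describes: picking the $-prefixed entries out of a netmon.seed file, and deriving interface and node status from ifAdminStatus/ifOperStatus values as an SNMP status poll does instead of ICMP. The seed file and snmpwalk-style output are constructed; treating # lines as comments and the Normal/Marginal/Critical roll-up are assumptions.

```python
import re

# Constructed netmon.seed fragment. '$' marks an SNMP Status polled node (as the text
# describes); lines starting with '#' are assumed to be comments.
SEED = """\
# lab seed file
$ router1
mlm1
$ 192.0.2.0-192.0.2.254
"""

# Constructed snmpwalk-style IF-MIB output for one router (not captured in the lab).
WALK = """\
interfaces.ifTable.ifEntry.ifAdminStatus.1 : INTEGER: up
interfaces.ifTable.ifEntry.ifAdminStatus.2 : INTEGER: up
interfaces.ifTable.ifEntry.ifAdminStatus.3 : INTEGER: down
interfaces.ifTable.ifEntry.ifOperStatus.1 : INTEGER: up
interfaces.ifTable.ifEntry.ifOperStatus.2 : INTEGER: down
interfaces.ifTable.ifEntry.ifOperStatus.3 : INTEGER: down
"""

def snmp_status_nodes(seed_text):
    """Return the seed entries netmon should status-poll with SNMP rather than ICMP."""
    entries = [ln.strip() for ln in seed_text.splitlines()]
    return [e[1:].strip() for e in entries if e.startswith("$")]

STATUS_LINE = re.compile(r"if(AdminStatus|OperStatus)\.(\d+)\s*:\s*INTEGER:\s*(\w+)")

def interface_status(walk_text):
    """Per ifIndex: 'admin-down' when ifAdminStatus is down (intentional, not a fault),
    'up' when admin and oper are both up, otherwise 'down' (admin up but oper not up)."""
    admin, oper = {}, {}
    for m in STATUS_LINE.finditer(walk_text):
        (admin if m.group(1) == "AdminStatus" else oper)[int(m.group(2))] = m.group(3)
    result = {}
    for idx in sorted(set(admin) | set(oper)):
        if admin.get(idx) == "down":
            result[idx] = "admin-down"
        elif admin.get(idx) == "up" and oper.get(idx) == "up":
            result[idx] = "up"
        else:
            result[idx] = "down"
    return result

def node_status(walk_text):
    """Roll-up (assumed NetView convention): Critical if no administratively-up interface
    is up, Marginal if some of them are down, Normal if all of them are up."""
    states = [s for s in interface_status(walk_text).values() if s != "admin-down"]
    if "up" not in states:
        return "Critical"
    return "Normal" if all(s == "up" for s in states) else "Marginal"
```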

3.4.3 Troubleshooting techniques

In the lab environments that follow, we needed some tools and methods for troubleshooting the network environment, especially where the FW is concerned.

This section describes the methods we used to understand the network traffic we wished to permit across the FW.

3.4.3.1 The IBM SecureWay logging facility

The SWF has some built-in logging facilities that log different levels of data to the log files. However, our lab experience suggests that retrieving information to create reports on denied packets is not straightforward. Let us take a look at the Logging Facility by following these steps: