Controlling Devices with AMF Application Proxy

Configuration Examples > Controlling Devices with AMF Application Proxy

Configuring AMF Application Proxy

Configuration

Information on each product

Configuring AMF Master

Configuring AMF Members

Configuring AR Router

Configuring AT-VST-APL

Configuring AMF Security

AMF Master Configuration

AMF Member Configuration

AR Routre Configuration

Configuration example using Tag

AMF Master, AMF Member, AR Router, AT-VST-APL setting procedure

Configuring AMF Security

Configuring AMF Application Proxy

In this section, this is an example of setting the AMF Application Pproxy.

In this section, this is an example of setting the AW+ AMF Application Proxy Whitelist and AMF Application Proxy Blacklist.

Applications linked with the AMF Application Proxy Blacklist use the UTM (Unified Threat Management) related functions of the AT-AR3050S/AR4050S of the AR router, and set the action to drop packets.

Note
A separate license is required to use each function. Required licenses differ depending on the product, so check our website.

Note
Refer to Appendix/Configuring AT-AR3050S/AT-AR4050S for the AR router UTM-related functions that can be linked with AMF Security.

Note
In order to keep the recording date and time of logs etc. accurate and to operate various functions properly, it is recommended to set the system time of each product accurately.
AMF Security obtains and uses the AT-VST-APL system time. The AMF Security timezone is set in AMF Security, but the NTP synchronization destination is set in AT-VST-APL.

Configuration

This setting example assumes the following configuration.

Note
AT-Vista Manager EX (including Plug-ins) of AT-VST-APL is not explained in this setting example. Refer to the AT-Vista Manager EX document for settings.

Note
The AMF Master in this configuration uses a separate device instead of the AMF Cloud on AT-VST-APL, but you can also use the AMF Cloud on AT-VST-APL.

Note
For details on AT-VST-APL basic settings (IP Address, static route settings, etc.), refer to the AT-VST-APL document posted on our website.

Note
For details on AMF Security basic settings (application settings) performed with AT-VST-APL, refer to the AT-VST-APL document posted on our website.

Information on each product

◼ AMF Master Configuration

Table 1: Sample Configuration Data
Item Name	Value
Username	manager
Password	friend
Hostname	AMF-Master
AMF Network Name	AMF001
IP Address	192.168.1.254
AMF Security IP Address	192.168.1.10
Pre-shared key (between AMF Security and AMF Master)	password

◼ AMF Member Configuration

Table 2: Sample Configuration Data
Item Name	Value
Username	manager
Password	friend
Hostname	AMF-Member
AMF Network Name	AMF001
AMF Actions	Drop Packets

◼ AT-AR4050S information

Table 3: AT-AR4050S Information
Item Name	Information
Username	manager
Password	friend
Hostname	awplus-UTM-Router
AMF Network Name	AMF001
Username for ISP connection	user@isp
Password for ISP connection	isppasswd
PPPoE service name	unspecified
WAN IP Address	Dynamic allocation (IPCP)
DNS server	Automatic acquisition (IPCP)
Log output destination for UTM-related functions	192.168.1.10
Source IPv4 Address when sending syslog messages	IP Address of vlan1 interface (192.168.1.1)

Note
When linking the UTM-related functions of the AR Router with AMF Security, the host name of the AR Router must start with "awplus".

◼ AT-VST-APL information

Table 4: AT-VST-APL Information
Item Name	Information
IP Address	192.168.1.100
Static route (Gateway)	192.168.1.254

◼ AMF Security Information

Table 5: AMF Security Information
Item Name	Information
IPv4 address	192.168.1.10
AMF Master IP Address	192.168.1.254
AMF Master Username	manager
AMF Master Password	friend
Pre-shared key (between AMF Security and AMF Master)	password

Note
In this setting example, the AMF Master account (Username and Password) uses the default “manager and friend”. However, it is recommended that you create a user account with a privilege level of 15 on AMF Master and AMF Member and separate it from the user account used for console connection.

◼ Device (terminal) authentication information to be registered with AMF Security

Table 6: Device (terminal) authentication information to be registered with AMF Security
Terminal 1
Item Name	Information
Device ID	Device1
MAC Address	00:00:00:00:00:01
Network (VLAN)	VLAN100
Terminal 2
Item Name	Information
Device ID	Device2
MAC Address	00:00:00:00:00:02
Network (VLAN)	VLAN101

Configuring AMF Master

Note
Depending on the product, some features that are enabled during the procedure are enabled by default.

Disable Spanning Tree Protocol (RSTP), which is enabled by default.
Set the time zone to Japan Standard Time.
Configure the hostname.
Configure the AMF network name.
Enable AMF Master functionality.
Enable AMF Application Proxy.
Enable web server function.
Enable GUI support function for AMF Security.
Set the IP Address and pre-shared key of AMF Security linked with the AMF Application Proxy Whitelist.
Create the following VLANs.
- vlan10 connecting with AMF Member
- vlan100 and vlan101 used for terminal packet transfer
Set IP Addresses for the following VLANs.
- vlan1 connected with AR Router
- vlan10 connecting with AMF Member
- vlan100 and vlan101 connected with terminal
Assign the VLANs to a port and configure it as an AMF link to the AR Router.
Note
When the above settings are made, the following is automatically set.
switchport trunk native vlan none
Assign the VLANs to a port1.0.3 and configure it as an AMF link to the AMF Member.
Set the default route.

AMF Master configuration is done.

To save the current settings as a startup-config, do the following:

AMF-Master(config)# end ↓
AMF-Master# copy running-config startup-config ↓

Configuring AMF Members

Note
Depending on the product, some features that are enabled during the procedure are enabled by default.

Disable Spanning Tree Protocol (RSTP), which is enabled by default.
Set the time zone to Japan Standard Time.
Configure the hostname.
Configure the AMF network name.
Enable AMF Application Proxy.
Enable web server function.
Create the following VLANs.
- vlan10 connecting with AMF Master
- vlan100 and vlan101 used for terminal packet transfer
Set IP Addresses for the following VLANs.
- vlan10 connecting with AMF Master
Set the default route.
Assign the VLANs to a port1.0.1 and configure it as an AMF link to the AMF Master.
Configure the AMF Application Proxy Whitelist on the port that the terminal connects to.
Disable ingress filtering so that after the terminal authenticates, it can move to another port and authenticate again.
Note
If the terminal may move to another port, this setting must be performed for all ports involved in terminal movement. When ingress filtering is enabled, terminal information remains on the port before movement, so authentication cannot be received on the destination port.
Enable the AMF Application Proxy Whitelist on the port that the terminal connects to.
Note
For the target port, the default setting of the authentication suppression period (quietPeriod) after authentication failure is 60 seconds. To shorten the authentication suppression period, use the "auth timeout quiet-period" command.

Note
Terminals that have not been assigned a VLAN by AMF Security use the VLAN set for the port (vlan1 by default).
Enable session timeout for the AMF Application Proxy Whitelist on the port that the terminal connects to.
With the session timeout enabled, authentication state for a device is deleted when the time configured on the AMF > AMF Application Proxy Settings page has passed after the device was successfully authenticated.
When the session timeout is set to 0, authentication state of a device is not deleted due to the time passed since a successful authentication.
Note
Make sure to configure the session timeout when you are going to use schedule-based authentication.
Change the authentication operation mode to Multi-Supplicant mode on the port that the terminal connects to.
When the device ports are in the default "Single-Host" mode, only the first authenticated device is allowed.
Enable dynamic VLAN on the port that the terminal connects to.
When dynamic vlan is not enabled, a vlan configured on the device ports is used for authenticated devices even if AMF Security assigned a specific vlan to each device.
Set the action to drop packets when blocking a terminal with the AMF Application Proxy.

AMF Member configuration is done.

To save the current settings as a startup-config, do the following:

AMF-Member(config-if)# end ↓
AMF-Member# copy running-config startup-config ↓

Configuring AR Router

Note
Depending on the product, some features that are enabled during the procedure are enabled by default.

Disable Spanning Tree Protocol (RSTP), which is enabled by default on the LAN port.
Set the time zone to Japan Standard Time.
Configure the hostname.
When linking the UTM-related functions of the AR Router with AMF Security, the host name of the AR Router must start with "awplus".
Configure the AMF network name.
Enable AMF Application Proxy.
Enable web server function.
Create PPPoE interface ppp0 on WAN port eth1.
Configure settings for PPPoE connection for PPP interface ppp0.
- Request to get DNS server address by IPCP (ppp ipcp dns)
- Checking PPP connection status by LCP Echo (keepalive)
- Request to obtain IP address by IPCP (ip address negotiated)
- Username (ppp username)
- Password (ppp password)
- MSS rewrite (ip tcp adjust-mss)
Set the IP Address for the LAN side interface.
Configure Firewall, IP Reputation and Malware Protection logging and sending the log messages to AMF Security (192.168.1.10).
Use the log command for this.
Assign the VLANs to a port1.0.1 and configure it as an AMF link to the AMF Master.
Note
When the above settings are made, the following is automatically set.
switchport trunk native vlan none
Configure settings for the IP reputation (IP address blacklist) function.
In order to link the IP reputation function and AMF Security, it is necessary to set the action for the categories that can be linked to "deny". Note that the default "alert" does not work.
Configure settings for the malware protection (stream type antivirus) function.
Defines the entity (communication subject) used when creating firewall and NAT rules.
Create a zone 'private' to represent the internal network.
Create a zone "public" to represent the external network.
Set up the firewall function to block communication from the outside while allowing communication from the inside to occur freely.
- rule 10 - Allow communication between internal networks
- rule 20 - Allow communication from internal network to external
- rule 30 - Allow DNS communication from the WAN side interface of the AR Router to the outside for database updates and inquiries for each UTM function
- rule 40 - Allow HTTPS communication from the WAN side interface of the AR Router to the outside for updating the database of each UTM function
Set all computers connected to the LAN side network to use the dynamic ENAT function.
Enable DNS relay function.
Set IP route information as static.
- LAN side (192.168.100.0/24, 192.168.101.0/24) via AMF Master (192.168.1.254)
- Others (0.0.0.0/0) via ppp0 (default route)

AR Router configuration is done.

To save the current settings as a startup-config, do the following:

awplus-UTM-Router(config)# end ↓
awplus-UTM-Router# copy running-config startup-config ↓

Configuring AT-VST-APL

For details on AT-VST-APL basic settings (IP Address, static route settings, etc.), refer to the AT-VST-APL document posted on our website.

Access to AT-VST-APL setting page
Accessing Management Interface / Starting Configuration
AT-VST-APL interface IP Address setting
Network Settings / Interface Settings
AT-VST-APL static route (Gateway) settings
Network Settings / Static route
AT-VST-APL system time, NTP synchronization destination settings
System / Day and Time

Configuring AMF Security

Refer to the following for the basic settings of AMF Security.

Setting AMF Security in AT-VST-APL
Refer to the AT-VST-APL document
Initial setting of AMF Security
Accessing Management Interface/Starting Configuration > Preparing for Configuration

Open the AMF > AMF Application Proxy Settings page, register the AMF Master.
Click the AMF Master "Add" button to open the AMF > Edit AMF Master dialog.
Enter the AMF Master's IP Address, Username, Password and Pre-Shared Key.

Configure the settings shown in the following table:

Table 7: Configurable fields
Item Name Value

IPv4 Address 192.168.1.254

Username manager

Password friend

Pre-Shared Key password
Click the "Submit" button, then click the "OK" button.
You can view the registered AMF Master on the AMF > AMF Application Proxy Settings page.

Note
If IP communication between AMF Security and AMF Master is not established, or if the AMF Master and AMF Member settings are insufficient, the connection status display is "Error". In this case, check the communication path, AMF Master, and AMF Member settings again.
Register the network to which the terminal is connected.
Networks can be registered on the Policy Settings > Network List page. Open the Policy Settings > Network List page.
Click the "Add Network" button at the top right corner to move to the Policy Settings > Add Network page.
Enter information for the network to add.

Configure the settings shown in the following table:

Table 8: Configurable fields
Item Name Value

Network ID VLAN100

VLAN ID 100

Note (empty)
Click the "Submit" button.
Once the network is registered, the added information is displayed on the Policy Settings > Network List page.
Register another network using the same procedure as steps 6 to 8.
Configure the settings shown in the following table:

Table 9: Configurable fields
Item Name Value

Network ID VLAN101

VLAN ID 101

Note (empty)
Register the Device ID (Device).
Devices can be registered on the Device > Add Device page. Open the Deice > Device List page.
Click the "Add Device" button at the top right corner to move to the Device > Add Device page.
On this page, register the device ID, interface, and policy of the new device.
Enter information about the new device.

Configure the settings shown in the following table:

Table 10: Configurable fields
Item Name Value

Device ID Device1

Tag (empty)

Note (empty)
Next, you have to enter the interface MAC Address of the device.
Click the "Add" button next to "Interfaces" to open the Device > Edit Interface dialog.
Register the MAC Address of the "Device1" terminal.

Configure the settings shown in the following table:

Table 11: Configurable fields
Item Name Value

MAC Address 00:00:00:00:00:01

Name (empty)

Note (empty)
Click the "Submit" button.
"Interfaces" section of the Device > Add Device page now shows the interface MAC Address which you just entered.
Click the "Add" button next to "Policies" to open the Device > Edit Policy dialog.
Enter information for the policy.

Configure the settings shown in the following table:

Table 12: Configurable fields
Item Name Value

Priority 10

Network VLAN100

Location (empty)

Schedule (empty)
Click the "Submit" button.
"Policies" section of the Device > Add Device page shows the security policy which you just added.
Click the "Submit" button.
Once the device is added, the Device > Device List page reflects the updated information.

Table 7: Configurable fields
Item Name	Value
IPv4 Address	192.168.1.254
Username	manager
Password	friend
Pre-Shared Key	password

Table 8: Configurable fields
Item Name	Value
Network ID	VLAN100
VLAN ID	100
Note	(empty)

Table 9: Configurable fields
Item Name	Value
Network ID	VLAN101
VLAN ID	101
Note	(empty)

Table 10: Configurable fields
Item Name	Value
Device ID	Device1
Tag	(empty)
Note	(empty)

Table 11: Configurable fields
Item Name	Value
MAC Address	00:00:00:00:00:01
Name	(empty)
Note	(empty)

Table 12: Configurable fields
Item Name	Value
Priority	10
Network	VLAN100
Location	(empty)
Schedule	(empty)

Table 13: Configurable fields
Item Name	Value
Device ID	Device2
Tag	(empty)
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:02
Name	(empty)
Note	(empty)
Policies
Priority	10
Network	VLAN101
Location	(empty)
Schedule	(empty)

Device > Add Device page
Device > Device List page

Configure trap monitoring settings so that automatic response operations are performed based on the threat information logs detected and sent by the UTM-related functions of the AR Router.
Open the System Settings > Trap Monitor Settings page.

On this page, set "Rules".
Enter "Rules".

Configure the settings shown in the following table:
- Check the checkbox for "Enable the monitoring of traps from this host."
- Enter the IP Address (192.168.1.1) of the AR Router in "Host Addresses" (only receive notifications from the set IP Address)
- Select "AMF Dependency" for "AMF Action" (the action set on the switch side is applied)
- Check all checkboxes for "Trap Action Target List" table.
Click the "Submit" button, then click the "OK" button.

AMF Security configuration is done.

For terminals connected to AMF members, AMF Security authenticates based on the registered authentication information.
You can view the authentication results on the Device > Active Device List page.

When a terminal is detected by the UTM-related functions of the AR Router, information about the suspected device is registered on AMF Security and displayed on the Policy Settings > Action List page. At the same time, AMF Security informs the AMF Master of the information of the suspect terminal.

◼ AMF Master

AMF-Master#show application-proxy threat-protection all

Quarantine Vlan           : Not set
Global IP-Filter          : Disabled
IP-Filter Limit Exceeded  : 0
Redirect-URL              : Not set

Client IP        Interface       MAC Address     VLAN      Action
-----------------------------------------------------------------
192.168.101.100  -               -               -           none
AMF-Master#

In this setting example, since the AMF Master operates as an L3 switch, the IP Address and MAC Address of the suspected terminal are linked from the ARP table of the AMF Master itself, and the packet discard action is applied. AMF Members search FDB for MAC addresses of suspected devices and apply actions.

◼ AMF Master

AMF-Master#show application-proxy threat-protection all

Quarantine Vlan           : Not set
Global IP-Filter          : Disabled
IP-Filter Limit Exceeded  : 0
Redirect-URL              : Not set

Client IP        Interface       MAC Address     VLAN      Action
-----------------------------------------------------------------
192.168.101.100  -               0000.0000.0002  -           none
AMF-Master#

◼ AMF Member

AMF-Member#show application-proxy threat-protection all

Quarantine Vlan           : Not set
Global IP-Filter          : Disabled
IP-Filter Limit Exceeded  : 0
Redirect-URL              : Not set

Client IP        Interface       MAC Address     VLAN      Action
-----------------------------------------------------------------
192.168.101.100  * (port1.0.3)   0000.0000.0002  101         drop
AMF-Member#

◼ Policy Settings > Action List page

◼ Device > Active Device List page

Click the "Resume" button and then the "OK" button to release the action.

AMF Master Configuration

!
hostname AMF-Master
!
service http
!
clock timezone JST plus 9:00
!
atmf network-name AMF001
atmf master
atmf topology-gui enable
!
service atmf-application-proxy
application-proxy whitelist server 192.168.1.10 key password
!
no spanning-tree rstp enable
!
vlan database
vlan 10,100-101 state enable
!
interface port1.0.1
switchport
switchport mode trunk
switchport trunk allowed vlan add 1
switchport trunk native vlan none
switchport atmf-link
!
interface port1.0.3
switchport
switchport mode trunk
switchport trunk allowed vlan add 10,100-101
switchport atmf-link
!
interface vlan1
ip address 192.168.1.254/24
!
interface vlan10
ip address 192.168.10.254/24
!
interface vlan100
ip address 192.168.100.254/24
!
interface vlan101
ip address 192.168.101.254/24
!
ip route 0.0.0.0/0 192.168.1.1
!
end

AMF Member Configuration

!
hostname AMF-Member
!
service http
!
clock timezone JST plus 9:00
!
atmf network-name AMF001
!
service atmf-application-proxy
!
no spanning-tree rstp enable
!
vlan database
vlan 10,100-101 state enable
!
interface port1.0.1
switchport
switchport mode trunk
switchport trunk allowed vlan add 10,100-101
switchport atmf-link
!
interface port1.0.2-1.0.3
switchport
switchport mode access ingress-filter disable
application-proxy whitelist enable
auth session-timeout
auth host-mode multi-supplicant
auth dynamic-vlan-creation type multi
application-proxy threat-protection drop
!
interface vlan10
ip address 192.168.10.10/24
!
ip route 0.0.0.0/0 192.168.10.254
!
end

AR Routre Configuration

!
hostname awplus-UTM-Router
!
log host 192.168.1.10
log host 192.168.1.10 level informational facility local5
!
service http
!
clock timezone JST plus 9:00
!
atmf network-name AMF001
!
zone private
network lan
ip subnet 192.168.1.0/24
ip subnet 192.168.10.0/24
ip subnet 192.168.100.0/24
ip subnet 192.168.101.0/24
!
zone public
network wan
ip subnet 0.0.0.0/0 interface ppp0
host ppp0
ip address dynamic interface ppp0
!
firewall
rule 10 permit any from private.lan to private.lan
rule 20 permit any from private.lan to public
rule 30 permit dns from public.wan.ppp0 to public.wan
rule 40 permit https from public.wan.ppp0 to public.wan
protect
!
nat
rule 10 masq any from private to public
enable
!
malware-protection
provider kaspersky
protect
!
ip-reputation
category Bot action deny
category CnC action deny
category Drop action deny
category Mobile_CnC action deny
category Mobile_Spyware_CnC action deny
category SpywareCnC action deny
provider proofpoint
protect
!
service atmf-application-proxy
!
no spanning-tree rstp enable
!
interface port1.0.1
switchport
switchport mode trunk
switchport trunk allowed vlan add 1
switchport trunk native vlan none
switchport atmf-link
!
interface eth1
encapsulation ppp 0
!
interface vlan1
ip address 192.168.1.1/24
!
interface ppp0
ppp ipcp dns request
keepalive
ip address negotiated
ppp username user@isp
ppp password isppasswd
ip tcp adjust-mss pmtu
!
ip route 0.0.0.0/0 ppp0
ip route 192.168.100.0/24 192.168.1.254
ip route 192.168.101.0/24 192.168.1.254
!
ip dns forwarding
!
end

Configuration example using Tag

This is an example of setting authentication using the tag set in the Device ID (Device) of the authentication data of AMF Security.

Note
For more information, refer to Quick Tour/Authentication using Tags > What is authentication using Tag.

This setting example shows how to register AMF Security authentication data.

Normally, a terminal (MAC Address) is registered with an AMF Security device and associated with a policy, and the terminal connects to the network set for that policy.

When using tags, do not set policies on AMF Security devices, set tags on the devices, and connect to the networks set in the policies of the tags created separately.

In this setting example, the configuration of Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy and assume the following:

◼ Users and owned devices

User 1 (user_1) owns two terminals (PC-1, PC-2)
User 2 (user_2) owns 3 terminals (PC-3, PC-4, PC-5)
User 3 (user_3) owns one terminal (PC-6)
User 4 (user_4) owns one terminal (PC-7)
User 5 (user_5) owns one terminal (PC-8)

◼ Affiliation of each user

Group A (group_A)
User 1
User 2
User 3
Group B (group_B)
User 4
User 5

◼ Affiliation (Group) network

Group A (group_A)
VLAN100
Group B (group_B)
VLAN101

Note
This setting example does not describe port settings (such as adding the number of ports) to which AMF Member terminals connect due to an increase in the number of terminals.

An overview of the authentication data (devices, tags, networks) to be registered with AMF Security is as follows.

Device
user_1
user_2
user_3
user_4
user_5
Affiliation (tag)
group_A
group_B
Tags to set on the device
user_1 : group_A
user_2 : group_A
user_3 : group_A
user_4 : group_B
user_5 : group_B
Do not set policies on devices
Policy to set for the tag (Network)
group_A : VLAN100
group_B : VLAN101

Table 14: Device ID (Device) configuration data
Device ID (first)
Device ID	user_1
Tag	group_A
Interfaces
MAC Address	00:00:00:00:00:01
Name	PC-1
Interfaces
MAC Address	00:00:00:00:00:02
Name	PC-2
Policies	None
Device ID (second)
Device ID	user_2
Tag	group_A
Interfaces
MAC Address	00:00:00:00:00:03
Name	PC-3
Interfaces
MAC Address	00:00:00:00:00:04
Name	PC-4
Interfaces
MAC Address	00:00:00:00:00:05
Name	PC-5
Policies	None
Device ID (third)
Device ID	user_3
Tag	group_A
Interfaces
MAC Address	00:00:00:00:00:06
Name	PC-6
Policies	None
Device ID (fourth)
Device ID	user_4
Tag	group_B
Interfaces
MAC Address	00:00:00:00:00:07
Name	PC-7
Policies	None
Device ID (fifth)
Device ID	user_5
Tag	group_B
Interfaces
MAC Address	00:00:00:00:00:08
Name	PC-8
Policies	None

Table 15: Tag configuration data
Tag (first)
Tag	group_A
Policies	VLAN100
Tag (second)
Tag	group_B
Policies	VLAN101

With these settings, the network connected to users (terminals) belonging to a group are connected is changed collectively only by changing the tag policy.

AMF Master, AMF Member, AR Router, AT-VST-APL setting procedure

For the AMF Master, AMF Member, AR Router, and AT-VST-APL setting procedures, refer to Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy.

Configuring AMF Security

For basic settings, AMF Master, Network, and Trap Monitor Settings are the same as Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy.

The flow of setting procedures for AMF Security is as follows:

Basic settings of Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy
Step 1 to Step 9 of Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy
Register tags on the Group > Tag List page
Register devices on the Device > Add Device page
Steps from step 21 of Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy

Configure basic settings for AMF Security.
Refer to Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy/Configuring AMF Security.
Configure AMF Master and network.
Refer to steps 1 to 9 of Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy
Register tags based on the set policy.
Tags can be registered on the Group > Tag List page. Open the Group > Tag List page.
Click the "Add Tag" button at the top right corner to move to the Group > Add Tag page.
Enter information for the tag to add.

Configure the settings shown in the following table:

Table 16: Configurable fields
Item Name Value

Tag group_A

Note (empty)
Click the "Add" button next to "Policies" to open the Group > Edit Policy dialog.
Enter information for the policy.

Configure the settings shown in the following table:

Table 17: Configurable fields
Item Name Value

Priority 10

Network VLAN100

Location (empty)

Schedule (empty)
Click the "Submit" button to return to the Group > Add Tag page.
Click the "Submit" button.
Once the tag is registered, the added information is displayed on the Group > Tag List page.
Register another tag using the same procedure as steps 4 to 9.

Table 18: Configurable fields
Item Name Value

Tag group_B

Note (empty)

Policies

　Priority 20

　Network VLAN101

　Location (empty)

　Schedule (empty)
Register the Device ID (Device).
Devices can be registered on the Device > Add Device page. Open the Deice > Device List page.
Click the "Add Device" button at the top right corner to move to the Device > Add Device page.
On this page, register the device ID, interface, and policy of the new device.
Enter information about the new device.

Configure the settings shown in the following table:

Table 19: Configurable fields
Item Name Value

Device ID user_1

Tag group_A

Note (empty)
Next, you have to enter the interface MAC Address of the device.
Click the "Add" button next to "Interfaces" to open the Device > Edit Interface dialog.
Register the MAC Address of the "user_1" terminal.

Configure the settings shown in the following table:

Table 20: Configurable fields
Item Name Value

MAC Address 00:00:00:00:00:01

Name PC-1

Note (empty)
Click the "Submit" button.
"Interfaces" section of the Device > Add Device page now shows the interface MAC Address which you just entered.
Register the MAC Address and name of the other terminal using the same procedure as steps 14 to 16.

Configure the settings shown in the following table:

Table 21: Configurable fields
Item Name Value

MAC Address 00:00:00:00:00:02

Name PC-2

Note (empty)
Since no policy is set for this device "user_1", just click the "Submit" button.
Once the device is added, the Device > Device List page reflects the updated information.

Table 17: Configurable fields
Item Name	Value
Priority	10
Network	VLAN100
Location	(empty)
Schedule	(empty)

Table 18: Configurable fields
Item Name	Value
Tag	group_B
Note	(empty)
Policies
Priority	20
Network	VLAN101
Location	(empty)
Schedule	(empty)

Table 20: Configurable fields
Item Name	Value
MAC Address	00:00:00:00:00:01
Name	PC-1
Note	(empty)

Table 21: Configurable fields
Item Name	Value
MAC Address	00:00:00:00:00:02
Name	PC-2
Note	(empty)

Register the "Device ID" of "user_2", "user_3", "user_4" and "user_5" in the same procedure as steps 12 to 18.
The tags and interfaces to be registered for each "Device ID" are as follows.

Table 22: Tag configuration data
Device ID	Tag to register
user_2～user_3	group_A
user_4～user_5	group_B

Table 23: Device ID (Device) configuration data
Device ID (user_2)
Tag	group_A ^{* Common with "user_1 to user_3"}
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:03
Name	PC-3
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:04
Name	PC-4
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:05
Name	PC-5
Note	(empty)
Device ID (user_3)
Tag	group_A ^{* Common with "user_1 to user_3"}
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:06
Name	PC-6
Note	(empty)
Device ID (user_4)
Tag	group_B ^{* Common with "user_4 to user_5"}
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:07
Name	PC-7
Note	(empty)
Device ID (user_5)
Tag	group_B ^{* Common with "user_4 to user_5"}
Note	(empty)
Interfaces
MAC Address	00:00:00:00:00:08
Name	PC-8
Note	(empty)

Device > Add Device page (user_2)
Device > Add Device page (user_3)
Device > Add Device page (user_4)
Device > Add Device page (user_5)
Device > Device List page

Configure Trap Monitor Settings.
Refer to steps from step 21 of Configuration Examples/Controlling Devices with AMF Application Proxy > Configuring AMF Application Proxy

AMF Security configuration is done.

C613-04150-00 Rev A

19 Apr 2023 14:12