User Guide: AMF Security version 2.6.1 for VST-VRT

What is AMF Security

Quick Tour > What is AMF Security

Where does AMF Security Fit In

AMF-SECurity (AMF-SEC) is our solution to streamline network operations and enhance security in office environments.
AMF Security is the SDN controller that is the core of the solution, and it realizes the cooperation between our products supporting the AMF (Allied Telesis Management Framework) and various business security related applications.
Note
When registering data such as device IDs or MAC Addresses in AMF Security, refer to the Reference section as well.

What does AMF Security Manage (OpenFlow)

AMF Security can centrally control the network access from various devices by installing packet control flows for the devices' MAC Address on the OpenFlow Switches it manages.
AMF Security controls network traffic by using the OpenFlow protocol over the TCP connections established with the switches.
For each device, administrators can define two conditions on AMF Security, where and when the device can access the network. The first one is called "Location" and the other is called "Schedule".
Condition can be more granular like "From this OpenFlow Switch in that location" or "on this particular switchport of the switch in that location".
If a device meets those conditions, it is allowed to join the logical network defined by a VLAN ID.

The MAC Address interface of the device is managed by connecting, blocking, and isolating based on the security policy assigned to the device.
A device can have more than one MAC Address interface.
Assuming that a device has two MAC Addresses - one for a wireless interface and the other for a wired interface, both of them can access the same network if they meet the conditions for Location and Schedule.
Table 1: Configurable Security Policies (OpenFlow)
Device Information
Device network-capable equipment which connects to an OpenFlow Switch
MAC Address a MAC Address of the device interface
: (multiple items can be defined)
Security Policies Network a VLAN segment (VLAN ID) to which a device is assigned.
Location a physical location where a device can access the network.
OpenFlow Switch a switch in the location.
Switch Port a port on the switch from which a device can access the network.
: (multiple items can be defined)
Schedule a range of time during a device can access the network (Start Date / Time, and End Date / Time).
(multiple items can be defined)
OpenFlow Switches have two types of network ports: control plane ports and data plane ports. The former is used for communicating with OpenFlow controllers while the latter is used for delivering user traffic and controlled by OpenFlow protocol.
In AMF Security, data plane ports are further categorized into "upstream port" and "client port".
AMF Security is designed to manage user devices which are connected to client ports of OpenFlow Switches, assuming that the upstream ports are protected by other security measures such as firewalls.
By default, a switch port with the lowest OpenFlow port number is configured as the upstream port. This can be changed on each OpenFlow Switch.

What is AMF Application Proxy

The AMF Application Proxy controls traffic from edge devices, which are connected to AMF Members (Edge Nodes) where AMF Master (Proxy Node) authenticates the devices by querying AMF Security (AMF Application Proxy Whitelist).
It is also possible for AMF Security to notify the AMF Proxy Node of suspected node and make Edge Nodes to block the devices (AMF Application Proxy Blacklist).
Note
◼ AMF Application Proxy Whitelist and AMF Application Proxy Blacklist
・ A Proxy Node also can be an Edge Node (Only supported models).
・ Cannot be linked with AMF controller.
You can use Whitelist only, Blacklist only, or both.

◼ AMF Application Proxy Whitelist
・ Use Virtual Chassis Stack (VCS) to provide redundancy to the AMF Master (Only supported models).
・ When linking with multiple local masters under AMF controller, make each local master a separate area.
To use the AMF Application Proxy, you have to configure all of AMF Security, Proxy Node and Edge Nodes.

What does AMF Security Manage (AMF Application Proxy Whitelist)

AMF Security can centrally control the network access from various devices by utilizing the port authentication feature on the AMF Members it manages.
The AMF Application Proxy Whitelist is an AMF Security's integration feature where AMF devices ask the AMF Security's whitelist server if a specific device can be allowed access to the network.
If a device meets those conditions, it is allowed to join the logical network defined by a VLAN ID.

The MAC Address interface of the device is managed by connecting, blocking, and isolating based on the security policy assigned to the device.
A device can have more than one MAC Address interface.
Assuming that a device has two MAC Addresses - one for a wireless interface and the other for a wired interface, both of them can access the same network if they meet the conditions for Location and Schedule.
Table 2: Configurable Security Policies (AMF Application Proxy Whitelist)
Device Information
Device network-capable equipment which connects to an AMF Member
MAC Address a MAC Address of the device interface
: (multiple items can be defined)
Security Policies Network a VLAN segment (VLAN ID) to which a device is assigned.
Location a physical location where a device can access the network.
AMF Member a switch in the location.
Switch Port a port on the switch from which a device can access the network.
: (multiple items can be defined)
Schedule a range of time during a device can access the network (Start Date / Time, and End Date / Time).
(multiple items can be defined)
Note
To use this feature, your Proxy Node and Edge Nodes must have AlliedWare Plus firmware version 5.5.0-0.x or later installed.
Note
Display the terminal information authenticated by the AMF Application Proxy displayed on the Devices > Active Device List page with the following settings or operations. In this case, firmware version 5.5.0-0.x or later is required for both the proxy node and edge node of your AlliedWare Plus device. For the proxy node and edge node settings, refer to "Configuring AMF Master (Proxy Node) and AMF Members (Edge Nodes)".

・The check box of "Reload authorized device list when AMF Member connects to network." on the AMF > AMF Application Proxy Settings page is checked. ・Click the "Sync" button on the Switches > Active AMF Member List page.

Configuring AMF Master (Proxy Node) and AMF Members (Edge Nodes)

The following are required settings for the AMF node to be managed.
Refer to the AlliedWare Plus Product's command reference manual for more information.
Depending on the AlliedWare Plus product model you use for a Proxy Node, you may have to install the proper license on the products.

Configuring AMF Security

To use AMF Application Proxy Whitelist, you have to configure an IP Address, level 15 (privileged) username and password of the AMF Master (Proxy Node) on AMF Security.
  1. Open the AMF > AMF Application Proxy Settings page.
  2. Click the "Add" button.
  3. Enter an IP Address of the AMF Master (Proxy Node) in "IPv4 Address".
  4. Enter a username and a password for a level 15 (privileged) user account on the AMF Master (Proxy Node).
  5. In Pre-Shared Key, enter the pre-shared key set in the key parameter of the "application-proxy whitelist server" command of the AMF Master (Proxy Node).
  6. Click the "Submit" button.
Note
When you finish this configuration, AMF Security starts regular queries to the AMF Master (Proxy Node) at 30 seconds interval.

Blocking with AMF Application Proxy (AMF Application Proxy Blacklist)

Notifying Proxy Node of Suspected Node Information

AMF Security notifies the Proxy Node of suspected node when receiving information from security software or devices that detect suspected node, or adding an action on the Policy Settings > Add Action page. The suspected node's information is stored on AMF Security and can be viewed on the Policy Settings > Action List page.
AMF Security does not notify the proxy node of the information again.
Note
If the proxy node holding the suspected node information reboots, the information is removed from the proxy node.
Because the proxy node cannot receive the information from AMF Security again, the proxy node cannot relearn the suspected node automatically.
To manually tell the proxy node about the suspected node, follow the steps:
1. Open the Policy Settings > Action List page.
2. Click the "Export to CSV" button to save a CSV file.
3. Open the System Settings > System Information page.
4. Click the "Import" button for the Authentication Data item to open the "Upload Authentication Data" dialog.
5. Click the "Choose File" button, select the saved CSV file, and click the "Submit" button.

AMF Actions

When AMF Security notifies the Proxy Node of suspected nodes, it can also specify a blocking action (AMF action).
AMF Security can specify the following AMF actions:
When "Quarantine", "Drop Packets", "Link-Down", "IP-Filter", or "Log-Only" are set, these AMF actions are executed with priority over the AMF actions set on the edge node side.
When "AMF Dependency" is selected, AMF Security does not send the AMF action, but the AMF action set on the edge node side is executed.
Note
If AMF Security and AMF Master receive suspected node information from multiple sources (e.g. external applications), specify the same AMF action for all the sources.
The AMF Action for each application can be specified in the "Rules" section on the System Settings > Trap Monitor Settings page.
To change the AMF action for a suspected node which has already been registered on the Policy Settings > Action List page, delete the existing action and recreate it.
Note
If you also use the "Quarantine" action on the whitelist port, your Proxy Node and Edge Nodes must have AlliedWare Plus firmware version 5.5.0-2.x or later installed.
Note
Even if the device is permitted by the whitelist, if it is the target of AMF Action, the communication from the corresponding device is processed according to the action.

Unblocking Suspected Nodes

To unblock a suspected node (delete the suspected node information), delete the corresponding action on the Policy Settings > Action List page. When the action is deleted, AMF Security tells the proxy node to delete the suspected node information.
Note
You can also unblock the suspected node by running commands on the proxy node. But in this case, the proxy node does not request AMF Security to delete the node information. So AMF Security keeps the suspected node information. If you want to delete it, manually delete the action on the Policy Settings > Action List page.
Refer to the AlliedWare Plus Product's command reference manual for the commands.

Displaying and Emailing Blocking Status of the Suspected Node

Status of the suspected node which has been applied an AMF action by an edge node can be view on the Device > Active Device List page.
AMF Security regularly gets this information from the proxy node at 30 seconds interval.
Note
To use this feature, your Proxy Node and Edge Nodes must have AlliedWare Plus firmware version 5.5.0-0.x or later installed.
You can also send emails by configuring email notification settings for AMF Security on the System Settings > Email Notification Settings page.
Note
When AMF Security queries the proxy node and finds that suspected node information is changed (e.g. a node moved to other switch and got blocked there again), AMF Security updates the information on the Device > Active Device List page and sends an email notification.

Configuring AMF Master (Proxy Node) and AMF Members (Edge Nodes)

The following are required settings for the AMF node to be managed.
Refer to the AlliedWare Plus Product's command reference manual for more information.
Depending on the AlliedWare Plus product model you use for a Proxy Node, you may have to install the proper license on the products.

Configuring AMF Security

To use AMF Application Proxy Blacklist, you have to configure an IP Address, level 15 (privileged) username and password of the AMF Master (Proxy Node) on AMF Security.
  1. Open the AMF > AMF Application Proxy Settings page.
  2. Click the "Add" button.
  3. Enter an IP Address of the AMF Master (Proxy Node) in "IPv4 Address".
  4. Enter a username and a password for a level 15 (privileged) user account on the AMF Master (Proxy Node).
  5. Click the "Submit" button.
Note
When you finish this configuration, AMF Security starts regular queries to the AMF Master (Proxy Node) at 30 seconds interval.
Refer to System Settings > Trap Monitor Settings for how to configure integration options with external applications.

AMF Application Proxy Function on TQ and TQR

The AMF Application Proxy function of TQ and TQR controls communication by having AMF Security authenticate wireless terminals connected to TQ and TQR (AMF Application Proxy Whitelist function).
When AMF Security receives the IP Address of a suspected terminal from an external application, it queries AT-Vista Manager EX for the corresponding MAC Address. The MAC Address held by the AWC plugin is then retrieved and sent to TQ and TQR, where communication control of the terminal is performed (AMF Application Proxy Blacklist function).

Supported actions are Drop Packets, Quarantine, Log (only log output without controlling communication of the corresponding device), and Redirect-URL.

Note
Hereafter, content common to both TQ and TQR is referred to as TQ. If there are differences between TQ and TQR, they are explicitly noted.
Note
Supported actions vary by product and version. Refer to Target Products and Versions for products and compatible versions.
Note
The AMF Application Proxy for TQ can be set from the AWC Plug-in (it cannot be done from the TQ management page). The configuration of the AMF Application Proxy function for TQR varies depending on the versions of AT-Vista Manager EX and TQR in use. Refer to Target Products and Versions for details.
When using the AMF Application Proxy function with either TQ or TQR, there are settings that must be configured outside of the AWC plugin. Refer to the documents for TQ/TQR and the AWC Plug-in as well.
Note
When using the AT-VST-VRT version of AT-Vista Manager EX, AMF Security contacts the AWC Plug-in directly.
Note
Authentication when a wireless terminal is connected is performed in the order of "Authentication by AMF Application Proxy (AMF Security)" → "Authentication set by security of VAP (multi-SSID) setting". If both authentications are not successful, the wireless terminal is not allowed to connect.
Note
The following items are not supported by TQ's AMF Application Proxy.
・Location policy
・Schedule policy
・session-timeout
・Obtaining authentication information on TQ
・IP Address display of node
・Search Devices
・Account Group
Note
If you restart AMF Security (including restarting the service) or set the connection between the connected OpenFlow Switch and the AMF Master once, if the device already managed by TQ's AMF Application Proxy (devices displayed on the Device > Active Device List page) exists, the authentication and action of that device remain applied. However, it is deleted from the Devices > Active Device List page.

The following applies to the settings and operations of AMF Security.

System Settings > Network Settings page
Uploading or deleting the SSL Certificate of the Web server
Database Synchronization
Database Synchronization Option Settings
System Settings > Logging Settings page
System Time Settings > Date > Time Settings page
System Settings > OpenFlow Settings page
System Settings > System Information
Hostname
System Settings - Import
System Settings - Reset
Services - Restart All
System Settings > Trap Monitor Settings page
Device Lookup
System Settings > Email Notification Settings page
System Settings > Action Log
Clear Action Log
AMF > AMF Application Proxy Settings page
AMF Master
White-List Settings
Uploading or deleting the SSL Certificate of the Web server
AMF > TQ Setting page

It also applies to restarting (stopping and starting) the AMF Security application and restarting AT-VST-VRT on the AT-VST-VRT settings page.

Target Products and Versions

To use this function, the following products and compatible versions are required.

TQ Series

◼ Actions to use: Drop Packets, Quarantine, Log-Only
Table 3: AT-TQ7403
Corresponding products Corresponding version
AT-TQ7403 10.0.4-0.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.12.0 (3.12.0) or later
AMF Security 2.5.0 or later
Table 4: AT-TQ6403 GEN2/AT-TQm6403 GEN2
Corresponding products Corresponding version
AT-TQ6403 GEN2/AT-TQm6403 GEN2 9.0.4-0.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.12.0 (3.12.0) or later
AMF Security 2.5.0 or later
Table 5: AT-TQ6702e GEN2
Corresponding products Corresponding version
AT-TQ6702e GEN2 9.0.4-3.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.13.1 (3.13.1) or later
AMF Security 2.6.0 or later
Table 6 : AT-TQ3403/AT-TQm3403
Corresponding products Corresponding version
AT-TQ3403/AT-TQm3403 11.0.5-0.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.14.0(3.14.0)以降
AMF Security 2.6.0 or later
Table 7: AT-TQ7613
Corresponding products Corresponding version
AT-TQ7613 12.0.5-0.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.15.0 (3.15.0) or later
AMF Security 2.6.0 or later
Table 8: AT-TQ5403/AT-TQm5403/AT-TQ5403e
Corresponding products Corresponding version
AT-TQ5403/AT-TQm5403/AT-TQ5403e 6.0.1-6.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.6.0 (3.6.0) or later
AMF Security 2.3.0 or later
Table 9: AT-TQ6602
Corresponding products Corresponding version
AT-TQ6602 7.0.1-1.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.7.0 (3.7.0) or later
AMF Security 2.3.0 or later
Table 10: AT-TQ6602 GEN2/AT-TQm6602 GEN2/AT-TQ6702 GEN2/AT-TQm6702 GEN2
Corresponding products Corresponding version
AT-TQ6602 GEN2/AT-TQm6602 GEN2/AT-TQ6702 GEN2/AT-TQm6702 GEN2 8.0.1-1.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.9.0 (3.9.0) or later
AMF Security 2.3.0 or later
 
◼ Action to use: Redirect-URL
Table 11: AT-TQ5403/AT-TQm5403/AT-TQ5403e
Corresponding products Corresponding version
AT-TQ5403/AT-TQm5403/AT-TQ5403e 6.0.3-0.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.10.3 (3.10.1) or later
AMF Security 2.5.0 or later
Table 12: AT-TQ6602 GEN2/AT-TQm6602 GEN2/AT-TQ6702 GEN2/AT-TQm6702 GEN2
Corresponding products Corresponding version
AT-TQ6602 GEN2/AT-TQm6602 GEN2/AT-TQ6702 GEN2/AT-TQm6702 GEN2 8.0.2-1.1 or later
AT-Vista Manager EX (AWC Plug-in) 3.10.1 (3.10.0) or later
AMF Security 2.5.0 or later

TQR Series

◼ Actions to use: Drop Packets, Quarantine, Log-Only
AT-TQ6702 GEN2-R
Table 13: AT-TQ6702 GEN2-R (5.5.4-0.x and 5.5.4-1.x)
Corresponding products Corresponding version
AT-TQ6702 GEN2-R 5.5.4-0.x and 5.5.4-1.x
AT-Vista Manager EX (AWC Plug-in) 3.12.x (3.12.x)
AMF Security 2.6.0 or later
Note
The AMF Application Proxy function for TQR is configured via the TQR Command Line Interface (CLI) or Web GUI. Settings cannot be configured from the AWC Plug-in.
Table 14: AT-TQ6702 GEN2-R (5.5.4-2.3 or later)
Corresponding products Corresponding version
AT-TQ6702 GEN2-R 5.5.4-2.3 or later
AT-Vista Manager EX (AWC Plug-in) 3.13.1 (3.13.1) or later
AMF Security 2.6.0 or later
Note
The AMF Application Proxy function for TQR is configured via the TQR Command Line Interface (CLI) or Web GUI. However, if you are configuring the VAP for TQR using the AWC Plug-in, perform the configuration from the AWC plugin.
AT-TQ7403-R
Table 15: AT-TQ7403-R (5.5.4-2.1)
Corresponding products Corresponding version
AT-TQ7403-R 5.5.4-2.1
AT-Vista Manager EX (AWC Plug-in) 3.12.x (3.12.x)
AMF Security 2.6.0 or later
Note
The AMF Application Proxy function for TQR is configured via the TQR Command Line Interface (CLI) or Web GUI. Settings cannot be configured from the AWC Plug-in.
Table 16: AT-TQ7403-R (5.5.4-2.3 or later)
Corresponding products Corresponding version
AT-TQ7403-R 5.5.4-2.3 or later
AT-Vista Manager EX (AWC Plug-in) 3.13.1 (3.13.1) or later
AMF Security 2.6.0 or later
Note
The AMF Application Proxy function for TQR is configured via the TQR Command Line Interface (CLI) or Web GUI. However, if you are configuring the VAP for TQR using the AWC Plug-in, perform the configuration from the AWC plugin.

Behavior when using TQ dynamic VLAN

For TQ's AMF Application Proxy, when WPA Enterprise is selected for the security of VAP (multi-SSID) setting of TQ, the VLAN ID given to the wireless terminal at the time of authentication differs depending on whether the dynamic VLAN is disabled or enabled.
Note
The settings without VLAN ID in AMF Security are as follows:
・Set the network with VLAN ID 0 in the policy setting (isolated VLAN ID)
・Do not set the network
◼ Operation when VLAN ID 1 is assigned to TQ
The behavior when VLAN ID 1 is assigned to TQ depends on the setting of the management VLAN tag of TQ.
For details, refer to the TQ document posted on our website.

Critical mode

In the critical mode, you can select the processing of the newly connected wireless terminal in the event of a power failure such as a power failure in AMF Security.

Redirect-URL Action

When Redirect-URL Action is applied to a wireless device, that wireless device is connected to the quarantine network, similar to the quarantine action. After that, the Web access of the wireless terminal is redirected to the external page (URL) set by the TQ corresponding to Redirect-URL Action, and the content of the external page is displayed on the web browser.
When using Redirect-URL Action, the product/version used must be compatible with Redirect-URL Action. Please do not use Redirect-URL Action in products that do not support the intended action. Also, there is no setting item in AW+ AMF Application Proxy. OpenFlow is a common action with TQ's AMF Application Proxy, but do not use it because it is not supported.
In AMF Security, it is possible to set a site for Redirect-URL Action (Web Site For Quarantined Device) and specify it on an external page. Site settings for Redirect-URL Actions are performed on the AMF > Redirect-URL Settings page. The protocol of this site is HTTP.
Note
This website only supports redirected access, and does not support normal web servers.
Redirect-URL related setting for TQ is done by AT-Vista Manager EX's AWC Plug-in.
If AMF Security is used as a site for Redirect-URL Action, the external page URL setting of Redirect-URL with the AWC Plug-in is as follows. 
http://(AMF Security IP Address):(configured port number)/index.html
For example, if the IP Address set for AMF Security is "192.168.1.10" and the port number set on the AMF > Redirect-URL Settings page is "8000", specify the following:
http://192.168.1.10:8000/index.html

Supported OpenFlow Switches

List of OpenFlow Switch models supported by AMF Security can be found on the release notes of AMF Security, switches and wireless access points.
Find those documents on our website.
http://www.allied-telesis.co.jp/

Application Integration Solutions

AMF Security can be used with other applications such as threat detection, device management and HR management in order to further enhance network administration efficiency and security.
The latest information on the services or applications which can be integrated into AMF Security system is published under the AMF-SEC Technology Partner Program. Contact our sales engineer for the Technology Partner Program.

(C) 2025 Allied Telesis, Inc. All rights reserved.

C613-04202-00 Rev A

01 Oct 2025 12:50