User Guide: AMF Security Controller version 2.1.0

Policy Settings



From "Policy Settings" in the navigation menu, you can view and configure security policies for devices and the UnAuth Group.
You can also view and add actions from this menu.

About Security Policies

Each security policy consists of the following attributes.

When a device has multiple security policies attached, a matching policy with the lowest priority value is used.

When a security policy has a specific schedule, AMF Security determines what action to take based on the date and time when a device gets connected.
The following example assumes that a registered device has the two security policies in the table below attached:

Table 1: Security policies attached to a registered device
Priority | Schedule Start Date / Time | Schedule End Date / Time | Network
10       | 20XX-04-01 00:00:00        | 20XX-09-30 23:59:59      | VLAN10
20       | 20XX-01-01 00:00:00        | 20XX-12-31 23:59:59      | VLAN20
When the device connects to the network at "20XX-03-30 10:00:00", it is assigned to VLAN20: at that time only the policy with priority value 20 has a schedule covering the connection time.
As time goes on, the device is re-assigned to VLAN10 at "20XX-04-01 00:00:00", because from that instant the schedule of the policy with priority value 10 also covers the time, and that policy has the higher priority (the lower priority value) of the two.
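The selection rule described above (the matching policy with the lowest priority value wins, where "matching" means the schedule covers the time being evaluated), as an added Python example that is not code from AMF Security or this guide. It replays Table 1 with "20XX" taken as 2024 and, going one step beyond the text, lists every re-assignment over the year, including the switch back to VLAN20 once the priority-10 schedule ends.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FMT = "%Y-%m-%d %H:%M:%S"


def parse_time(text: str) -> datetime:
    """Parse the manual's "YYYY-mm-dd HH:MM:SS" form (naive; the timezone is a system setting)."""
    return datetime.strptime(text, FMT)


@dataclass(frozen=True)
class Policy:
    """One security policy attached to a device (only the fields this example needs)."""
    priority: int                      # smaller value wins when several policies match
    network: str                       # e.g. "VLAN10"
    start: Optional[datetime] = None   # schedule start, inclusive; None = no schedule
    end: Optional[datetime] = None     # schedule end, inclusive

    def matches(self, at: datetime) -> bool:
        """A policy without a schedule always matches; otherwise the evaluated
        time must fall inside [start, end]."""
        if self.start is None or self.end is None:
            return True
        return self.start <= at <= self.end


def select_policy(policies: List[Policy], at: datetime) -> Optional[Policy]:
    """The matching policy with the lowest priority value, or None if nothing matches."""
    candidates = [p for p in policies if p.matches(at)]
    return min(candidates, key=lambda p: p.priority) if candidates else None


def assigned_network(policies: List[Policy], at: datetime) -> Optional[str]:
    chosen = select_policy(policies, at)
    return chosen.network if chosen else None


def timeline(policies: List[Policy], connected_at: datetime,
             until: datetime) -> List[Tuple[datetime, Optional[str]]]:
    """Replay what a device connected at connected_at experiences: the network
    assigned on connection, then each re-assignment caused by a schedule edge
    (a start, or the first second after an inclusive end) up to until."""
    edges = set()
    for p in policies:
        if p.start is not None:
            edges.add(p.start)
        if p.end is not None:
            edges.add(p.end + timedelta(seconds=1))
    events = [(connected_at, assigned_network(policies, connected_at))]
    for t in sorted(e for e in edges if connected_at < e <= until):
        net = assigned_network(policies, t)
        if net != events[-1][1]:
            events.append((t, net))
    return events


# Constructed data mirroring Table 1, with "20XX" taken as 2024.
TABLE1 = [
    Policy(10, "VLAN10", parse_time("2024-04-01 00:00:00"), parse_time("2024-09-30 23:59:59")),
    Policy(20, "VLAN20", parse_time("2024-01-01 00:00:00"), parse_time("2024-12-31 23:59:59")),
]
```

Calling timeline(TABLE1, parse_time("2024-03-30 10:00:00"), parse_time("2024-12-31 23:59:59")) yields VLAN20 on connection, VLAN10 from 2024-04-01 00:00:00 and VLAN20 again from 2024-10-01 00:00:00.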

About the start date and time and end date and time of the schedule

The Start Date / Time and End Date / Time to be set are the date and time of the timezone currently set on the System Settings > Date / Time Settings page.
If the timezone is changed after the schedule is registered, the Start Date / Time and End Date / Time of the schedule are converted to the new timezone.

For example, if you register a schedule while the timezone is set to "UTC" and then change the timezone to "Asia/Tokyo", the Start Date / Time and End Date / Time of the schedule are shown 9 hours later (UTC + 9 hours), as the following two tables show.

Table 2: Schedule registered with the timezone set to "UTC"
Schedule Start Date / Time | Schedule End Date / Time
20XX-04-01 08:00:00        | 20XX-09-30 23:59:59

Table 3: The same schedule after the timezone is changed from "UTC" to "Asia/Tokyo"
Schedule Start Date / Time | Schedule End Date / Time
20XX-04-01 17:00:00        | 20XX-10-01 08:59:59
Therefore, before performing operations related to schedule settings, such as the one described in the following note, make sure that the intended timezone is set in advance.
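An added Python example (not code from AMF Security or this guide) that reproduces the Table 2 to Table 3 shift and checks that the rebased schedule still admits exactly the same instants. It assumes the controller keeps the stored instant and only changes its local representation, which is what the +9 hours shift implies, and takes "20XX" as 2024.

```python
from datetime import datetime, timedelta, timezone, tzinfo

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
except ImportError:            # Python < 3.9
    ZoneInfo, ZoneInfoNotFoundError = None, Exception

FMT = "%Y-%m-%d %H:%M:%S"      # the manual's "YYYY-mm-dd" + "HH:MM:SS" form

# Fixed-offset fallback for hosts without a tz database; neither example zone
# observes DST, so the offsets are exact.
_FALLBACK = {"UTC": timezone.utc, "Asia/Tokyo": timezone(timedelta(hours=9))}


def resolve_tz(name: str) -> tzinfo:
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except ZoneInfoNotFoundError:
            pass
    return _FALLBACK[name]


def rebase_schedule(start: str, end: str, old_tz: str, new_tz: str):
    """Start/End wall-clock strings after the system timezone changes from old_tz
    to new_tz. Assumption: the stored instant is kept and only its local
    representation moves, which is what Table 2 -> Table 3 shows (+9 hours)."""
    def shift(text: str) -> str:
        local = datetime.strptime(text, FMT).replace(tzinfo=resolve_tz(old_tz))
        return local.astimezone(resolve_tz(new_tz)).strftime(FMT)
    return shift(start), shift(end)


def schedule_covers(start: str, end: str, tz: str, instant_utc: str) -> bool:
    """True when a connection at instant_utc (a UTC wall-clock string) lies inside
    the schedule whose Start/End are wall-clock strings in tz (both inclusive)."""
    z = resolve_tz(tz)
    s = datetime.strptime(start, FMT).replace(tzinfo=z)
    e = datetime.strptime(end, FMT).replace(tzinfo=z)
    t = datetime.strptime(instant_utc, FMT).replace(tzinfo=timezone.utc)
    return s <= t <= e


def same_coverage(start: str, end: str, old_tz: str, new_tz: str, probes) -> bool:
    """Check that the rebased schedule admits exactly the same instants as the
    original for every probe, i.e. the timezone change did not move the window
    in absolute time."""
    new_start, new_end = rebase_schedule(start, end, old_tz, new_tz)
    return all(schedule_covers(start, end, old_tz, p)
               == schedule_covers(new_start, new_end, new_tz, p) for p in probes)


# Constructed from Table 2 with "20XX" taken as 2024.
TABLE2 = ("2024-04-01 08:00:00", "2024-09-30 23:59:59")
```

rebase_schedule(*TABLE2, "UTC", "Asia/Tokyo") returns the Table 3 values ("2024-04-01 17:00:00", "2024-10-01 08:59:59").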

Note
The system settings exported on the System Settings > System Information page include the timezone setting. The default timezone for AMF Security is UTC. If you want to import backed-up System Settings and Authentication Data after initializing AMF Security or performing a new installation, use the "Authentication Data" item on the System Settings page to import them.

Network List

This page shows a list of Networks.


Table 4: Target columns for search and sort operations
Item Name Search Sort
Network ID × ×
VLAN ID × ×
Note × ×

Table 5: Displayed columns
Item Name Description
Network ID ID (Name) of the network.
When clicked, the Update Network page for the Network is displayed.
VLAN ID VLAN ID for the network.
Note Arbitrary string (comment) for the network.

Table 6: Buttons
Item Name Description
Page Top
Add Network Open the Add Network page.
Export to CSV Start downloading of a list of networks in CSV format.
Network List
Heading Row
Delete Selected Delete all the checked networks.
Each Row
Edit Open the Update Network page.
Delete Delete the network.
Note
Refer to Appendix > CSV File for CSV Files.

Add Network

This page lets you create a new network with its VLAN ID.
Networks are used for specifying which VLAN to put an allowed device in.
AMF Security achieves this by telling switches to add the appropriate VLAN tags to the packets originating from the allowed devices.


Table 7: Configurable fields
Item Name Description
Network ID (Mandatory) ID (Name) of the network.
Network ID must be unique.
Max 255 characters
VLAN ID (Mandatory) A VLAN ID for the network. You cannot specify a VLAN ID which is already assigned to another network.
If you specify VLAN ID 0, no VLAN tag is added for the network; this is the same as not specifying a network in a policy.
VLAN ID must be in the range of 0 to 4094.
Note Arbitrary string (comment) for the network.
Max 255 characters.

Table 8: Buttons
Item Name Description
Page Bottom
Submit Add a new network with the input data.
Cancel Cancel the operation for adding a new network.

Update Network

This page lets you update the information of an existing network.


Table 9: Configurable fields
Item Name Description
Network ID (Mandatory) ID (Name) of the network.
Network ID must be unique.
Max 255 characters
VLAN ID (Mandatory) A VLAN ID for the network.
If you specify VLAN ID 0, no VLAN tag is added for the network; this is the same as not specifying a network in a policy.
VLAN ID must be in the range of 0 to 4094.
Note Arbitrary string (comment) for the network.
Max 255 characters.

Table 10: Buttons
Item Name Description
Page Bottom
Submit Update information of the network with the input data.
Cancel Cancel the operation for updating the network.


Location List

This page shows a list of Locations.


Table 11: Target columns for search and sort operations
Item Name Search Sort
Location ID × ×
Note × ×
Number of Switches × ×

Table 12: Displayed columns
Item Name Description
Location ID ID (Name) of the location.
When clicked, the Update Location page for the location is displayed.
Note Arbitrary string (comment) for the location.
Number of Switches The number of OpenFlow Switches and AMF Members registered at the location.

Table 13: Buttons
Item Name Description
Page Top
Add Location Open the Add Location page.
Export to CSV Start downloading of a list of locations in CSV format.
Location List
Heading Row
Delete Selected Delete all the checked locations.
Each Row
Edit Open the Update Location page for the location.
Delete Delete the location.
Note
Refer to Appendix > CSV File for CSV Files.

Add Location

This page lets you add a new Location and associate OpenFlow Switches and AMF Members with the location.
If you specify an added Location for a device, the device can access the network only from the OpenFlow Switches and AMF Members associated with the location.


Table 14: Configurable fields
Item Name Description
Location ID (Mandatory) ID (Name) of the location.
Location ID must be unique.
Max 255 characters
Note Arbitrary string (comment) for the location.
Max 255 characters.
OpenFlow Switches / AMF Members List of OpenFlow Switches and AMF Members associated with the location.

Table 15: Displayed columns
Item Name Description
OpenFlow Switch
Switch ID ID (Name) of the OpenFlow Switch or AMF Member associated with the location.
Datapath ID The OpenFlow Switch's Datapath ID (used by the OpenFlow controller to identify the switch). In most cases it is automatically generated or configured on the switch.
Note Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 16: Buttons
Item Name Description
OpenFlow Switches / AMF Members
Select Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit Add a new location with the information entered on this page and in its subordinate dialogs, committing that information for the newly added location.
Cancel Cancel the operation for updating the list of switches which belong to the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate OpenFlow Switches and AMF Members with the location.
This page shows a list of OpenFlow Switches / AMF Members which are registered on the Switches > OpenFlow Switch List page or the Switches > AMF Member List page.
By selecting OpenFlow Switches or AMF Members using the checkboxes, they can be added to the location.


Table 17: Displayed columns
Item Name Description
Switch ID ID (Name) of the registered OpenFlow Switch or AMF Member.
Datapath ID The OpenFlow Switch's Datapath ID (used by the OpenFlow controller to identify the switch). In most cases it is automatically generated or configured on the switch.
Note Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 18: Buttons
Item Name Description
Bottom of the dialog
Submit Add the checked OpenFlow Switches or AMF Members to the location.
Cancel Cancel the operation on the list of OpenFlow Switches or AMF Members in the location.

Update Location

This page lets you update the information of an existing location.


Table 19: Configurable fields
Item Name Description
Location ID (Mandatory) ID (Name) of the location.
Location ID must be unique.
Max 255 characters
Note Arbitrary string (comment) for the location.
Max 255 characters.
OpenFlow Switches / AMF Members List of OpenFlow Switches and AMF Members associated with the location.

Table 20: Displayed columns
Item Name Description
OpenFlow Switch
Switch ID ID (Name) of the OpenFlow Switch or AMF Member associated with the location.
Datapath ID The OpenFlow Switch's Datapath ID (used by the OpenFlow controller to identify the switch). In most cases it is automatically generated or configured on the switch.
Note Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 21: Buttons
Item Name Description
OpenFlow Switches / AMF Members
Select Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit Update the location.
Cancel Cancel the operation for updating the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate OpenFlow Switches and AMF Members with the location.
This page shows a list of OpenFlow Switches / AMF Members which are registered on the Switches > OpenFlow Switch List page or the Switches > AMF Member List page.
By selecting or deselecting OpenFlow Switches or AMF Members using the checkboxes, they can be added to or removed from the location.


Table 22: Displayed columns
Item Name Description
Switch ID ID (Name) of the registered OpenFlow Switch or AMF Member.
Datapath ID The OpenFlow Switch's Datapath ID (used by the OpenFlow controller to identify the switch). In most cases it is automatically generated or configured on the switch.
Note Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 23: Buttons
Item Name Description
Bottom of the dialog
Submit Update the list of switches which belong to the location.
Cancel Cancel the operation for updating the list of switches which belong to the location.


Schedule List

This page shows a list of Schedules.
Note
The Start Date / Time and End Date / Time to be set are the date and time of the timezone currently set on the System Settings > Date / Time Settings page.
For details, refer to Policy settings > About the start date and time and end date and time of the schedule.


Table 24: Target columns for search and sort operations
Item Name Search Sort
Schedule ID × ×
Start Date / Time × ×
End Date / Time × ×
Note × ×

Table 25: Displayed columns
Item Name Description
Schedule ID ID (Name) of the schedule.
When clicked, the Update Schedule page for the schedule is displayed.
Start Date / Time The beginning of the time range during which a device is allowed to connect to the network. This can also be used as a condition for detecting unauthenticated devices with the UnAuth Group.
End Date / Time The end of the time range during which a device is allowed to connect to the network. This can also be used as a condition for detecting unauthenticated devices with the UnAuth Group.
Note Arbitrary string (comment) for the schedule.

Table 26: Buttons
Item Name Description
Page Top
Add Schedule Open the Add Schedule page.
Export to CSV Start downloading of a list of schedules in CSV format.
Schedule List
Heading Row
Delete Selected Delete all the checked schedules.
Each Row
Edit Open the Update Schedule page.
Delete Delete the schedule.
Note
Refer to Appendix > CSV File for CSV Files.

Add Schedule

This page lets you add a new schedule.
You can control when devices can access the network by specifying schedules in security policies.


Table 27: Configurable fields
Item Name Description
Schedule ID (Mandatory) ID (Name) of the schedule.
Schedule ID must be unique.
Max 255 characters
Start Date / Time The beginning of the time range during which a registered device or a device in the UnAuth Group is allowed to connect to the network.
The date and time can be selected using the calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for the date and "HH:MM:SS" for the time.
End Date / Time The end of the time range during which a registered device or a device in the UnAuth Group is allowed to connect to the network.
The date and time can be selected using the calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for the date and "HH:MM:SS" for the time.
Note Arbitrary string (comment) for the schedule.
Max 255 characters.
◼ Calendar Controls

Table 28: Buttons
Item Name Description
Page Bottom
Submit Add a new schedule.
Cancel Cancel the operation for adding a new schedule.

Update Schedule

This page lets you update information of an existing schedule.


Table 29: Configurable fields
Item Name Description
Schedule ID (Mandatory) ID (Name) of the schedule.
Schedule ID must be unique.
Max 255 characters
Start Date / Time The beginning of the time range during which a registered device or a device in the UnAuth Group is allowed to connect to the network.
The date and time can be selected using the calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for the date and "HH:MM:SS" for the time.
End Date / Time The end of the time range during which a registered device or a device in the UnAuth Group is allowed to connect to the network.
The date and time can be selected using the calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for the date and "HH:MM:SS" for the time.
Note Arbitrary string (comment) for the schedule.
Max 255 characters.
◼ Calendar Controls

Table 30: Buttons
Item Name Description
Page Bottom
Submit Update the schedule.
Cancel Cancel the operation for updating the schedule.


Action List

This page shows a list of actions such as Block and Quarantine which are being executed on the Device > Active Device List page or at the request of external applications.

You can also unblock devices by deleting actions on this page.

Note
To unblock an AMF Security-reported suspected device in an AMF Application Proxy environment, use this page to delete a corresponding action. Refer to Quick Tour / What is AMF Security > What is AMF Application Proxy for more details on AMF Application Proxy.


Table 31: Target columns for search and sort operations
Item Name Search Sort Note
Action ID × ×  
Priority × ×  
Condition * × * Only the strings after "mac=", "ip=", "device-name=", "tag=", "location=", "switch=" and "network=" can be matched.
Action (OpenFlow/AMF) *1 *2 *1 Only the strings after "Pass(Permit) ->", "Drop(Block) ->", "Quarantine ->" and "Log-Only ->" can be matched. The AMF Action after them cannot be matched.
  *2 Sorted in the order "Pass(Permit)", "Drop(Block)", "Quarantine" and "Log-Only". Sorting by the AMF Action is not supported.
Requester × ×  
Reason × ×  

Table 32: Displayed columns
Item Name Description
Action ID ID (Name) of the action to register. It is automatically assigned if unspecified.
When clicked, the Action Detail page for the action is displayed.
Priority Priority of the action. A smaller number means a higher priority, so the matching action with the smallest priority value is executed.
Condition Trigger condition of the action.
Action (OpenFlow/AMF) The OpenFlow Action (Pass(Permit), Quarantine, Drop(Block) or Log-Only) and the AMF Action (Quarantine, Drop Packets, Link-Down or IP-Filter) of the action are displayed.
Requester Name or identifier of the system (AMF Security or an external application) which runs the action.
Reason Reason why the action is triggered.

Table 33: Buttons
Item Name Description
Page Top
Add Action Open the Add Action page.
Export to CSV Start downloading of a list of actions in CSV format.
Refresh Refresh the Action List page.
Action List
Heading Row
Delete Selected Delete all the checked actions.
Each Row
Delete Delete the action.
Note
Refer to Appendix > CSV File for CSV Files.


Add Action

This page lets you add a new action.


Table 34: Configurable fields
Item Name Description
Action ID (Mandatory) ID (Name) of the action to register.
Action ID must be unique.
Max 255 characters
Priority Priority of the action. It must be an integer between 1 and 65535.
A smaller number means a higher priority, so the matching action with the smallest priority value is executed. The priority value is set to 10 if it is unspecified.
Reason Administrative comment such as a reason for running this action.
Max 255 characters
Condition
Device MAC Address Unicast MAC address of the target device.
Valid formats are as follows
xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
Device IPv4 Address Unicast IPv4 address of the target device.
Device Device ID of the target device.
A maximum of 100 device IDs is shown in the dropdown list. If you enter text in the field, the device IDs in the dropdown list are dynamically filtered to those whose Device ID, Tag or Note contains the input text (at most 100 entries are shown). Select a Device ID for the device from the dropdown list.
Device Tag Device Tag of the target device.
Location Location ID for the target device.
A maximum of 100 IDs of the existing locations is shown in the dropdown list. If you enter text in the field, the location IDs in the dropdown list are dynamically filtered to those whose Location ID or Note contains the input text (at most 100 entries are shown). Select a Location ID from the dropdown list.
OpenFlow Switch Switch ID for the target device.
A maximum of 100 IDs of the existing switches is shown in the dropdown list. If you enter text in the field, the switch IDs in the dropdown list are dynamically filtered to those whose Switch ID, Datapath ID, Upstream Port or Note contains the input text (at most 100 entries are shown). Select a Switch ID from the dropdown list.
Connecting Network Network ID for the target device.
A maximum of 100 IDs of the existing networks is shown in the dropdown list. If you enter text in the field, the Network IDs in the dropdown list are dynamically filtered to those whose Network ID, VLAN ID or Note contains the input text (at most 100 entries are shown). Select a Network ID from the dropdown list.
Action
OpenFlow Action OpenFlow action to run on the target device.
  • Pass(Permit): Permit traffic from the device.
  • Quarantine: Move the device to the quarantine network.
  • Drop(Block): Block traffic from the device.
  • Log-Only: Permit traffic from the device and record a log.
Pass/Quarantine VLAN ID A VLAN ID on which the device is allowed to transmit packets.
AMF Action An action to be taken on the AMF network deploying AMF Application Proxy feature.
  • AMF Dependency: AMF Security does not specify an action and lets AMF devices determine its action.
  • Quarantine: Move the port where the device is connected to the quarantine VLAN.
  • Drop Packets: Block traffic from the device at the layer 2 (MAC) level.
  • Link-Down: Shutdown the port where the device is connected.
  • IP-Filter: Block traffic from the device at the layer 3 (IP) level.
  • Log-Only: AMF Security does not specify an action and records the device information.
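Added Python example, not part of AMF Security or this guide, of the input checks the Add Action fields above imply: the three MAC notations normalised to one form with a unicast (I/G bit) check, the priority range with its default of 10, and the VLAN ID range. The form dict, its field names and the Drop(Block) record are constructed for the example and do not reflect the product's own API.

```python
import re

# The three MAC notations the Add Action page accepts.
MAC_FORMATS = (
    re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),   # xx:xx:xx:xx:xx:xx
    re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),   # xx-xx-xx-xx-xx-xx
    re.compile(r"^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"),  # xxxx.xxxx.xxxx
)
OPENFLOW_ACTIONS = ("Pass(Permit)", "Quarantine", "Drop(Block)", "Log-Only")


def normalize_mac(text: str) -> str:
    """Accept any listed format and return the lower-case colon form. Only
    unicast addresses pass: the I/G (group) bit, the least significant bit of
    the first octet, must be 0."""
    s = text.strip()
    if not any(p.match(s) for p in MAC_FORMATS):
        raise ValueError(f"unsupported MAC address format: {text!r}")
    digits = re.sub(r"[:.\-]", "", s).lower()
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"not a unicast MAC address (group bit set): {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(text: str) -> bool:
    """True when normalize_mac() accepts the text."""
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False


def validate_priority(value) -> int:
    """Integer 1..65535; an empty field means the page's default of 10."""
    if value is None or str(value).strip() == "":
        return 10
    n = int(value)
    if not 1 <= n <= 65535:
        raise ValueError(f"priority {n} outside 1..65535")
    return n


def validate_vlan_id(value) -> int:
    """Pass/Quarantine VLAN ID must lie in 0..4094 (0 means no VLAN tag)."""
    n = int(value)
    if not 0 <= n <= 4094:
        raise ValueError(f"VLAN ID {n} outside 0..4094")
    return n


def build_action(form: dict) -> dict:
    """Validate a submitted Add Action form (a plain dict constructed for this
    example) and return the cleaned record; raises ValueError when rejected."""
    if not form.get("action_id") or len(form["action_id"]) > 255:
        raise ValueError("Action ID is mandatory and at most 255 characters")
    if form.get("openflow_action") not in OPENFLOW_ACTIONS:
        raise ValueError(f"unknown OpenFlow action: {form.get('openflow_action')!r}")
    record = {"action_id": form["action_id"],
              "priority": validate_priority(form.get("priority")),
              "openflow_action": form["openflow_action"],
              "amf_action": form.get("amf_action", "AMF Dependency")}
    if form.get("mac"):
        record["mac"] = normalize_mac(form["mac"])
    if form.get("vlan_id") not in (None, ""):
        record["vlan_id"] = validate_vlan_id(form["vlan_id"])
    return record
```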

Table 35: Buttons
Item Name Description
Page Bottom
Submit Add a new action with the input data.
Cancel Cancel the operation for adding a new action.

Action Detail

This page shows detailed information about the action.


Table 36: Displayed columns
Item Name Description
Action ID ID (Name) of the action to register. It is automatically assigned if unspecified.
Priority Priority of the action. A smaller number means a higher priority, so the matching action with the smallest priority value is executed.
Reason Reason why the action is triggered.
Condition
Device MAC Address Unicast MAC address of the target device.
Device IPv4 Address IPv4 address of the target device.
Device Device ID of the target device.
Device Tag Device Tag of the target device.
Location Location ID for the target device.
OpenFlow Switch Switch ID for the target device.
Connecting Network Network ID for the target device.
Action
OpenFlow Action OpenFlow action to run on the target device.
  • Pass(Permit): Permit traffic from the device.
  • Quarantine: Move the device to the quarantine network.
  • Drop(Block): Block traffic from the device.
  • Log-Only: Permit traffic from the device and record a log.
Pass/Quarantine VLAN ID A VLAN ID on which the device is allowed to transmit packets.
AMF Action An action to be taken on the AMF network deploying AMF Application Proxy feature.
  • AMF Dependency: AMF Security does not specify an action and lets AMF devices determine its action.
  • Quarantine: Move the port where the device is connected to the quarantine VLAN.
  • Drop Packets: Block traffic from the device at the layer 2 (MAC) level.
  • Link-Down: Shutdown the port where the device is connected.
  • IP-Filter: Block traffic from the device at the layer 3 (IP) level.
  • Log-Only: AMF Security does not specify an action and records the device information.

Table 37: Buttons
Item Name Description
Page Top
Back Go back to the Action List page.


14 Jun 2021 09:30