User Guide: AMF Security Controller version 2.1.0

System Settings




Account List


Table 1: Target columns for sort operation
Item Name Sort
Account Name ×
Account Group ID ×

Table 2: Displayed columns
Item Name Description
Account Name Name of the login account.
When clicked, the Update Account page for the account is displayed.
Account Group ID Account group to which the Login Account belongs.
When clicked, the Update Account Group page for the account group is displayed.
If you delete the account group on the System settings > Account group list page after registering the account group to the login account, the link to the Update Account Group page above is deleted.

Table 3: Buttons
Item Name Description
Page Top
Add Account Go to Add Account page.
Account List
Heading Row
Delete Selected Delete all the checked accounts.
Each Row
Edit Go to Update Account page for the account.
Delete Delete the account.
Note
Default account "manager" cannot be deleted.

Add Account


Table 4: Sample Configuration Data
Item Name Description
Account Name (Mandatory) Name of the login account.
Maximum length is 64 characters. Allowed characters are as follows.
a-z, A-Z, 0-9, ' - _ .
Password Login password for the account. Click "Edit" to configure password.
Email Address Enter the Email Address associated with the account. If you forget your password, you can recover it by email.
Account Group ID Select the Account Group ID to which the Login Account belongs.
Permission
Modify authentication database Check this to grant permission to change authentication database to the account.
Configure system settings Check this to grant permission to change system configurations to the account.

Table 5: Buttons
Item Name Description
Password
Edit Open Password Configuration dialog to configure the account's password.
Page Bottom
Submit Add a new account with the input information.
Cancel Cancel the operation for adding a new account.
Note
The AMF Security configurations must be initialized if you forget passwords for all accounts with the permission of "Configure system settings" including the "manager" account. Please make sure that you keep your passwords safely and never forget them.
Refer to Appendix > Recovery mode for the initialization of AMF Security.
Note
Register your Email Address in your account and set the Email Notification on the System settings > Email Notification Settings page. This allows you to recover your password by email if you forget it.
Refer to Appendix > If you forget your password for instructions on how to recover your password by email.


Password Configuration


Table 6: Sample Configuration Data
Item Name Description
Password (Mandatory) Login password for the account.
Password must be 6 to 64 characters long. Allowed characters are as follows.
a-z, A-Z, 0-9, ! # $ % & ' * + - / = ? ^ _ ` { | } ~ .
Confirm Password (Mandatory) Enter the password again.

Table 7: Buttons
Item Name Description
Bottom of the dialog
Submit Configure the input password.
Cancel Cancel the operation for configuring a password.

Update Account


Table 8: Configurable fields
Item Name Description
Account Name (Mandatory) Name of the login account.
Maximum length is 64 characters. Allowed characters are as follows.
a-z, A-Z, 0-9, ' - _ .
Password Login password for the account. Click "Edit" to configure password.
Email Address Enter the Email Address associated with the account. If you forget your password, you can recover it by email.
Account Group ID Select the Account Group ID to which the Login Account belongs.
Permission
Modify authentication database Check this to grant permission to change authentication database to the account.
Configure system settings Check this to grant permission to change system configurations to the account.

Table 9: Buttons
Item Name Description
Password
Edit Open Password Configuration dialog to configure the account's password.
Page Bottom
Submit Update the account with the input information.
Cancel Cancel the operation for updating the account.
Note
Account name and permissions of the default account "manager" cannot be changed.
Note
The AMF Security configurations must be initialized if you forget passwords for all accounts with the permission of "Configure system settings" including the "manager" account. Please make sure that you keep your passwords safely and never forget them.
Refer to Appendix > Recovery mode for the initialization of AMF Security.
Note
Register your Email Address in your account and set the Email Notification on the System settings > Email Notification Settings page. This allows you to recover your password by email if you forget it.
Refer to Appendix > If you forget your password for instructions on how to recover your password by email.


Password Configuration


Table 10: Configurable fields
Item Name Description
Password (Mandatory) Login password for the account.
Password must be 6 to 64 characters long. Allowed characters are as follows.
a-z, A-Z, 0-9, ! # $ % & ' * + - / = ? ^ _ ` { | } ~ .
Confirm Password (Mandatory) Enter the password again.

Table 11: Buttons
Item Name Description
Bottom of the dialog
Submit Configure the input password.
Cancel Cancel the operation for configuring a password.

Account Group List


Table 12: Target columns for search and sort operations
Item Name Search Sort
Account Group ID × ×
Note × ×

Table 13: Displayed columns
Item Name Description
Account Group ID Account group name.
Note Arbitrary string (comment) for the Account Group.

Table 14: Buttons
Item Name Description
Page Top
Add Account Group Go to Add Account Group page.
Export to CSV Start downloading of a list of account groups in CSV format.
Account Group List
Heading Row
Delete Selected Delete all the checked account groups.
Each Row
Edit Go to Update Account Group page for the account group.
Delete Delete the account group.
Note
Refer to Appendix > CSV File for CSV Files.

Add Account Group


Table 15: Configurable fields
Item Name Description
Account Group ID (Mandatory) Account group to which the Login Account belongs.
Account Group ID must be unique.
Max 255 characters
Note Arbitrary string (comment) for the Account Group.

Table 16: Buttons
Item Name Description
Submit Add a new account group with the input information.
Cancel Cancel the operation for adding a new account group.

Update Account Group


Table 17: Configurable fields
Item Name Description
Account Group ID (Mandatory) Account group to which the Login Account belongs.
Account Group ID must be unique.
Max 255 characters
Note Arbitrary string (comment) for the Account Group.

Table 18: Buttons
Item Name Description
Submit Go to Update Account Group page for the account group.
Cancel Cancel the operation for updating the account group.



Network Settings

View and change network configurations for the AMF Security system.
Note
With the following settings, the connection with connected OpenFlow Switch or AMF Master is temporarily disconnected.
・Interfaces
・Uploading or deleting the SSL Certificate of the Web server
・Database Synchronization
・Database Synchronization Option Settings



Interfaces


Table 19: Displayed columns
Item Name Description
Name Name of the interface.
MAC Address MAC address of the interface.
IPv4 Address IPv4 address and subnet mask of the interface.

Table 20: Buttons
Item Name Description
Edit Open the Edit Interface dialog for the interface.
Delete Delete configurations for the interface.


Edit Interface


Table 21: Configurable fields
Item Name Description
Name Name of the interface.
IPv4 Address IPv4 address of the interface.
Netmask IPv4 netmask for the interface.
Default Gateway IPv4 default gateway address.
Primary DNS Server
Secondary DNS Server
IPv4 DNS server addresses.

Table 22: Buttons
Item Name Description
Submit Save the input interface configurations.
Cancel Cancel the settings and return to the Network Settings page.


Services


Table 23: Configurable fields
Item Name Description
Web Server Protocol Protocol (HTTP or HTTPS) to use for the web interface. Default is HTTPS.
Web Server Port Number TCP port number that AMF Security's web interface is listening on. Valid range is 1 to 65535. Default is 443.
Note
Only TLS 1.1 and TLS 1.2 are supported for HTTPS.
Note
AMF Security is using several ports internally. Refer to Appendix > TCP or UDP port used by AMF Security for the ports used by AMF Security.
Note
If you specify HTTP as the web server protocol and 80 as the port number when accessing the web setting screen, you will be redirected to the web server protocol and port number set above.
Note
The combination of web server protocol and port number HTTPS / 80 is non-configurable (reserved).
Note
If you upgrade to this version with the web server protocol and port number set to HTTPS / 80 in AT-SESC software version 1.8.x, or if you import the system setting file with the same settings, It will be changed to HTTP / 80 settings.


Table 24: Buttons
Item Name Description
Submit Save the input services configurations.


SSL Certificate

Register the SSL server certificate of the Web server (AMF Security) and the SSL server certificate of the whitelist authentication server installed in AMF Security.
If you want external applications to interact with AMF Security via HTTPS, you may have to install an SSL server certificate issued by a trusted certificate authority (CA).
If you want to encrypt control session between AMF Master and Whitelist Server (AMF Security), upload an SSL server certificate issued by a trusted certificate authority (CA).

"SSL Certificate" section shows a summary of the installed SSL server certificate.

Use the method best suited for your needs to get the certificate.

Table 26: Displayed columns
Item Name Description
Role Displays Web (Web server) or WhiteList (Authentication server).
Common Name(CN) Displays the common name of the web server (AMF Security) or authentication server (AMF Security).
Organization(O) Displays the name of the organization to which the Web server (AMF Security) or authentication server (AMF Security) belongs.
Expiration Date [UTC] Expiration date of the certificate.

Table 27: Buttons
Item Name Description
Detail The detailed information of the registered SSL server certificate is displayed.
Upload Open the Upload SSL Certificate dialog to register the SSL Certificate with AMF Security.
Delete Delete the installed SSL server certificate and restore the default certificate which is self-signed by AMF Security.
Note
After setting the AMF master, AMF Security accepts both unencrypted and encrypted sessions. You cannot disable one of them.

Upload SSL Certificate

This dialog lets you upload your own SSL Certificate for the White-list Authentication Server.


Table 28: Configurable fields
Item Name Description
Certificate Click the "Choose File" button and select the SSL Certificate to upload.
Private Key Click the "Choose File" button and select the SSL private key to upload.

Table 29: Buttons
Item Name Description
Submit Import the specified private key and certificate.
Cancel Cancel the operation for importing SSL Certificate.

Database Synchronization

Set AMF security to redundant and synchronize the authentication database.
Set up database synchronization on the device used first as the secondary device and then on the device used as the primary device.
Disable database synchronization on the device used first as the secondary device and then on the device used as the primary device.

Note
The Device > Active Device List page and Switches > Active OpenFlow Switch List page show the live information retrieved from OpenFlow Switches managed by AMF Security. Therefore, the information displayed on those pages may differ between the primary and secondary's web interfaces.
Note
AMF Application Proxy Whitelist does not support redundant AMF Security configuration.
Note
When an OpenFlow packet control flow (flow entry) is updated, such as when an authenticated node moves to another port, multiple logs indicating that the flow entry has been deleted may be recorded. However, it does not affect the authentication behavior.
Note
Database synchronization settings are not included in the file exported (downloaded) on the System Settings > System Information page. Therefore, after importing the system settings file, set the database synchronization again.
Note
If you import a system configuration file that contains database synchronization settings from an older version (AT-SESC 1.8.0 or earlier) into AMF Security 2.x.x, the database synchronization settings do not apply. Therefore, set the database synchronization again.
Note
Both systems must synchronize their clocks with the same NTP Server.
Also, the timezone of both systems must have the same settings.
Note
If the system time is changed by a certain amount after synchronization started, there may be a case where the authentication data cannot be changed any further.
If it happens, please disable synchronization on both systems, adjust system clocks correctly, then enable synchronization again.



Table 30: Displayed columns
Item Name Description
Node Displays the database synchronization node as Local or Peer.
IPv4 Address The set IPv4 address is displayed.
Status Displays the status of database synchronization as Primary, Secondary, Not Ready, or Down.

Table 31: Buttons
Item Name Description
Enable Open the Database Synchronization Node Settings dialog.
Disable Disable authentication database synchronization. Only when database synchronization is enabled, the "Enable" button changes to the "Disable" button.
Reconnect Reconnect to the authentication database.


Database Synchronization Node Settings


Table 32: Configurable fields
Item Name Description
Local IPv4 Address Set the currently set AMF Security IPv4 address.
Peer IPv4 Address Set the IPv4 address of the synchronization destination AMF security.

Table 33: Buttons
Item Name Description
Enable as Primary AMF Security works as the primary.
Enable as Secondary AMF Security works as a secondary.
Close Go back to the Network Settings page.


Database Synchronization Option Settings


Table 34: Configurable fields
Item Name Description
Don't send error response against authentication database modification request by API via the Secondary host. Suppress error logs generated by the secondary AMF Security system.
Suppress duplicated syslog messages and mail from secondary host. Suppress duplicated log messages by disabling log transmission on the secondary AMF Security system.

Table 35: Buttons
Item Name Description
Submit Save the settings.



Logging Settings

Note
With this setting, the connection with connected OpenFlow Switch or AMF Master is temporarily disconnected.


◼ Log Output
You can view and configure levels for various types of logs.

Table 36: Configuration Parameters for Log Output
Item Name Description
Device Authentication Result Minimum level for device authentication logs to be output. Default is Informational.
OpenFlow Controller Minimum level for the OpenFlow protocol logs to be output. Default is Informational.
OpenFlow Protocol Packets Minimum level for the OpenFlow packet logs to be output. Default is Disable (do not output any log of this type).
GUI Operation Minimum level for the web interface logs to be output. Default is Informational.
Trap Monitor Minimum level for the trap monitor logs to be output. Default is Informational.
Escape double quotation characters in quoted string Escape double quotes in the log message. Default is disabled.

◼ Syslog

Table 37: Configuration fields for Syslog
Item Name Description
Syslog Server Set the IPv4 address or hostname and UDP port number of the external Syslog server that sends the log.
The forwarding destination should be in the form of "A.B.C.D:P" where the A.B.C.D is an IPv4 address and P is a port number.
Multiple Syslog servers can be specified by separating each address by a semicolon (;). A colon (:) and a port number can be omitted if the host is listening on the default syslog port (514).
Note
AMF Security is using several ports internally. Refer to Appendix > TCP or UDP port used by AMF Security for the ports used by AMF Security.


Table 38: Buttons
Item Name Description
Page Bottom
Submit Save the input logging configurations.


Date / Time Settings

◼ System Time

Table 39: Displayed columns
Item Name Description
Current Date / Time Display system date.

Table 40: Buttons
Item Name Description
Edit Display the Date / Time Settings dialog and set the system date and time.
◼ System Time

Table 41: Displayed columns
Item Name Description
Timezone Display the system timezone. Default is UTC.

Table 42: Buttons
Item Name Description
Edit Display the Select Timezone dialog and set the system timezone.
◼ NTP
Note
AMF Security may not synchronize the time if the configured NTP Server is not synchronized with other trusted NTP Servers.

Table 43: Configurable fields
Item Name Description
NTP Server IPv4 Address Set the IPv4 address or hostname of the external NTP server that synchronizes the time.

Table 44: Buttons
Item Name Description
Submit Save the NTP Server setting.

Date / Time Settings


Table 45: Configurable fields
Item Name Description
Date Set the system date (year, month, day).
Date / Time can be selected using calendar controls or entered manually. The input format is YYYY-mm-dd.
Time Set the system time (hour, minute).

Table 46: Buttons
Item Name Description
Submit Save the settings.


Select Timezone


Table 47: Configurable fields
Item Name Description
Timezone Select the timezone from the dropdown list.

Table 48: Buttons
Item Name Description
Submit Save the selected timezone.
Note
If you change the timezone setting, AMF Security restarts. Then reboot the device.
Example: Open the System Settings > System Information page. Click the "Reboot" button next to "Reboot this system".
After that, the timezone setting is retained.


OpenFlow Settings

Note
With this setting, the connection with connected OpenFlow Switch or AMF Master is temporarily disconnected.


Table 49: Configurable fields
Item Name Description
OpenFlow TCP Port Number TCP port number on which AMF Security's OpenFlow controller is waiting for control plane connections.
Valid range is 1 to 65535. Default is 6653.
OpenFlow Session Timeout Configure a timeout (in seconds) to disconnect an OpenFlow session with an irresponsive switch.
When AMF Security does not receive any message from an OpenFlow Switch for half of this timeout value, AMF Security sends Echo request message to the switch. If the switch does not respond to the Echo request within the timeout period, AMF Security automatically closes the session with the switch.
Valid range is 20 to 300. Default is 30.
Default Upstream Port Default setting for OpenFlow Switch's upstream port. If no upstream port is specified in a configuration for an OpenFlow Switch, the default upstream port is used as upstream port on the OpenFlow Switch. Specify it with a port name or an OpenFlow port number.
Default is unspecified (empty) which means that the OpenFlow port with the smallest OpenFlow port number on a switch is used as upstream port.
Quarantine VLAN ID VLAN ID of the quarantine network where quarantined devices are placed.
Valid range is 0 to 4094. Default is 4089.
Flow Lifetime
(Hard Timeout)
Configure the default flow lifetime (in seconds) on the switch.
When this amount of time has passed since a flow is created for a device, the flow is automatically deleted from OpenFlow Switches even though the device is still sending traffic.
Valid range is 0 to 65535. Default is 65535. Specifying 0 means that flows are never timed out.

This value is used when a security policy for a device does not have Schedule. This value may be preceded by a Schedule's End Date / Time.
This value is used as it is when the interval between the successful authentication and a scheduled End Date / Time is less than 65535 seconds. If the interval between the successful authentication and a scheduled End Date / Time is larger than or equals to 65535 seconds, actual timeout is set to 65535 seconds.
Flow Lifetime fluctuation Configure a maximum fluctuation value for Flow Lifetime (in seconds).
When set to non-zero value (X), actual flow lifetime value is calculated by subtracting a random fluctuation value between 0 and X from the Default Flow Lifetime.
This value must be less than the Flow Lifetime value and in the range between 0 and 600 (Only 0 is valid when the Default Flow Lifetime is 0). Default is 0. (The Default Flow Lifetime is used as is).

For example, when the Flow Lifetime fluctuation is set to 600 seconds, actual flow lifetime set to flow entries is determined by subtracting a random value between 0 and 600 from the Default Flow Lifetime (If the Default Flow Lifetime is 65535 (default), actual flow lifetime can be any value in the range between 64935 and 65535).
Reject Flow Lifetime Flow lifetime in seconds for devices which failed to authenticate. Valid range is 0 to 65535. Default is 30. Specifying 0 means that reject flows are never created.
Flow Idle Timeout
(Idle Timeout)
An amount of time that should have passed without any traffic from a device before the flow for the device is deleted automatically.
Valid range is 0 to 65535. Default is 300. Specifying 0 means that flows are never deleted even though no traffic is seen from devices.
Encrypt the OpenFlow control session. Check this to encrypt control plane traffic between AMF Security and OpenFlow Switches.
TLS is used for encryption. To use encrypted control plane, you also have to configure OpenFlow Switches to use encryption.
Discard packets generated by OpenFlow Switches. Check this to install flows on the OpenFlow Switches that discard packets originated from the OpenFlow Switch themselves.
Reject Flow is operated same as normal flow. Configure the timer and deletion behavior of Reject flows.
Default is disabled.
  • Unchecked: The timer is set to Reject Flow Lifetime. OpenFlow Switches does not notify AMF Security when they delete the flow entry.
  • Checked: The timer is set to Default Flow Lifetime and Flow Idle Timeout is used. OpenFlow Switches notify AMF Security when they delete the flow entry.
Note
AMF Security is using several ports internally. Refer to Appendix > TCP or UDP port used by AMF Security for the ports used by AMF Security.
Note
Default Upstream Port is applied to unregistered OpenFlow Switches When you are using both AlliedWare plus switches and AT-TQ wireless access points as OpenFlow Switches, configuring the Default Upstream Port disturbs flow entry registration due to the difference in the port number structure between AlliedWare Plus and AT-TQ series.
When you use non-minimum number OpenFlow port as upstream port on AlliedWare Plus Devices, individually configure the upstream port on each OpenFlow Switch.
Refer to Switches > Add OpenFlow Switch for instructions on how to register OpenFlow Switches.


Table 50: Buttons
Item Name Description
Page Bottom
Submit Save the input OpenFlow configurations.


System Information

This page lets you perform maintenance operations such as backup, restore and system restart.
Note
When changing the hostname, the connection with connected OpenFlow Switch or AMF Master is temporarily disconnected.
Note
System settings export and import features are intended for pure backup and restore. Do not modify an exported file nor imported a modified file using the feature.
When importing System Settings, you can specify a file with any extension as long as the contents of the file are correct.


◼ System Information

Table 51: Configurable fields
Item Name Description
Hostname Hostname of the system Default is "sesc".
To change the hostname, enter a new hostname and click "Update".
Max 63 characters. Allowed characters are as follows.
a-z, A-Z, 0-9, -
Hyphen (-) cannot be used for the first letter.
System Uptime Time since the system started.
Database Synchronization Status of database synchronization. One of Disabled, Syncing or Disconnected.

Table 52: Buttons
Item Name Description
Refresh Update the hostname.

◼ Software Info

Table 53: Displayed columns
Item Name Description
Version Version and build number (internal version) of the installed AMF Security software.
Build Time Build date and time of the installed AMF Security software.
Software Upgrade You can upgrade AMF Security software from this section.
Upgrade process begins by selecting a file with the "Browse" button and clicking "Update". The system automatically reboots after the upgrade is complete.

Table 54: Buttons
Item Name Description
Refresh Upgrade AMF Security software by uploading the specified software image file.
Note
You cannot downgrade from AMF Security software version 2.x.x to AT-SESC software version 1.8.x or earlier.
Note
When upgrading from AT-SESC software version 1.8.x to AMF Security software version 2.x.x, icons such as the drop-down menu on the Web setting screen may not be displayed correctly. In that case, clear the cache of your web browser.

◼ System Settings

Table 55: Configurable fields
Item Name Description
Size Displays the file size of system setting data.
Updated Date / Time Displays the date and time when the system setting data was updated.

Table 56: Buttons
Item Name Description
Export Download system configuration for backup.
Import Import and restore system settings.
Reset Reset system configuration to factory default.
Some system settings that are exported, imported, or reset are not covered.
Manually backup, configure or delete those elements.

Note
Licenses include the Base and Addon licenses.

◼ Authentication Data

Table 57: Configurable fields
Item Name Description
Size Displays the file size of the authentication data.
Updated Date / Time Displays the date and time when the authentication data was updated.

Table 58: Buttons
Item Name Description
Export Download authentication data for backup.
Import Import authentication data from a CSV file.
Reset Delete all authentication data on this system.
Note
Authentication data file to import should be in CSV format. Refer to Appendix > CSV File for CSV Files.
Note
The Start Date / Time and End Date / Time of the schedule included in the Authentication Data are the date and time of the currently set timezone.
For details, refer to Policy settings > About the start date and time and end date and time of the schedule.
Note
When you import and update authentication data, AMF Security resets packet control flows for the devices which are contained in the authentication data.
Note
The method of uploading authentication data of AT-SESC software version 1.3.x or earlier cannot remove the network, location, and schedule settings from the security policy set for the device that has already been registered. To delete, delete the device once and then upload the authentication data, or update the security policy directly on the Device > Update Device page.

◼ Services

Table 59: Buttons
Item Name Description
Restart All Only restart AMF Security related services. The server on which AMF Security runs is not restarted, only AMF Security related application processes are restarted.
Reboot Reboot the server hardware itself.
Shutdown Shutdown the server hardware.

◼ Technical Support Information

Table 60: Buttons
Item Name Description
Download Download technical support information for trouble shooting.


Trap Monitor Settings

This page lets you configure various parameters required for interaction with external applications.
You can also setup AMF Security to forward SNMP traps and syslog messages to other systems.
Note
Trap monitor only responds to specific set of log messages and SNMP traps. You cannot define actions for arbitrary messages and traps.
Note
With this setting, the connection with connected OpenFlow Switch or AMF Master is temporarily disconnected.


◼ Protocols

Table 61: Configurable fields
Item Name Description
Syslog Port Number Listening port number to receive syslog messages. Valid range is 1 to 65535. Default is 514.
SNMP Trap Port Number Listening port number to receive SNMP traps. Valid range is 1 to 65535. Default is 162.
Note
AMF Security is using several ports internally. Refer to Appendix > TCP or UDP port used by AMF Security for the ports used by AMF Security.

◼ Networks
Specify the monitored or unmonitored network, Syslog message, and SNMP Trap transfer destination host.
If Monitored Networks and Excluded Networks overlap, Exclude Networks have precedence.
Note
Some external applications do not respect settings of Monitored Networks and Excluded Networks.

Table 62: Configurable fields
Item Name Description
Monitored Networks IPv4 networks to monitor using syslog and trap messages. Multiple networks can be specified by separating each network by a semicolon (;). If this field is empty or 0.0.0.0/0 is specified, all networks are monitored. Default is 0.0.0.0/0.
Excluded Networks IPv4 networks not to monitor. Multiple networks can be specified by separating each network by a semicolon (;).
Syslog Forwarding Destination Hosts Specify a host to which AMF Security forwards the received syslog messages. The forwarding destination should be in the form of "A.B.C.D:P" where the A.B.C.D is an IPv4 address and P is a port number. Multiple hosts can be specified by separating each address by a semicolon (;). A colon (:) and a port number can be omitted if the host is listening on the default syslog port (514). Source IPv4 address of the forwarded messages are the address of AMF Security.
SNMP Trap Forwarding Destination Hosts Specify a host to which AMF Security forwards the received trap messages. The forwarding destination should be in the form of "A.B.C.D:P" where the A.B.C.D is an IPv4 address and P is a port number. A colon (:) and a port number can be omitted if the host is listening on the default trap port (162). Multiple hosts can be specified by separating each address by a semicolon (;). Source IPv4 address of the forwarded messages are the address of AMF Security.

◼ Device Lookup
Specify a target range of the action to notify.

Table 63: Configurable fields
Item Name Description
None Notify actions on MAC address.
Device Notify actions on Device.
Tag Notify actions on Device Tag.
Note
Device Lookup is not supported for AMF Application Proxy's IP-Filter action.
Note
When the action is applied to the target device by the IP address of the device, the IP address is displayed as "ip =" in the "MAC address" item of the Device > Active Device List page. This IP address is the IP address that caused the action to be applied.

Table 64: Buttons
Item Name Description
Submit Save the settings.

◼ Rules
Trap monitor rules can be updated and added through trap monitor rule files.
By default, trap monitor rules for the UTM functions of AT-AR3050S/AT-AR4050S routers are installed.

Note
Trap monitor rule files are provided by our "AMF-SEC Technology Partner Program". Contact our sales engineer for the Technology Partner Program.



Rules


Table 69: Displayed columns
Item Name Description
Name Name of the Trap Monitor Rules

Table 70: Buttons
Item Name Description
Choose File Select the rule settings file to upload.
Upload Upload the selected rule settings file.
Delete Delete the registered rule settings.
Close Go back to the Trap Monitor Settings page.



Email Notification Settings

This page lets you configure Email Notifications.
AMF Security can send email to the set address when an event such as device authentication or blocking occurs or when you forget your password.
AMF Security also sends emails to forward the contents of syslog messages and SNMP traps it receives.
Note
Email Notification of syslog and trap messages are always enabled and cannot be disabled.
Note
With this setting, the connection with connected OpenFlow Switch or AMF Master is temporarily disconnected.
Note
To recover your password if you forget it, you need to register your Email Address on the Add Account page or Update Account page in advance.

AMF Security queues the notification emails by the following rules and tries to resend them upon failure.
To enable Email Notifications, check the "Enable Email Notification" on the page.


◼ Email Notification Settings
You can enable or disable email notification for each event with checkboxes.
Note
"Send Email Notification on Block Event" or "Send Email Notification on Quarantine Event" is checked, AMF Security also sends notification email when a device is blocked or quarantined by AMF Application Proxy.
If you want to notify by email in the OpenFlow Action / AMF Action Log, check "Send Email Notification on Block Event".

◼ SMTP Server Settings

Table 71: Configurable fields
Item Name Description
SMTP Server IPv4 address of a SMTP server which AMF Security uses to send out emails.
SMTP Port Listening port of the SMTP server.
Sender Mail address of the sender.
Receiver Mail address of the recipient. Multiple addresses can be specified by separating them with a semicolon (;).
Username Username for SMTP authentication.
Password Password for SMTP authentication.
Encryption Check this to use TLS connection to the SMTP server.
Language Select a language used in emails.
Note
AMF Security is using several ports internally. Refer to Appendix > TCP or UDP port used by AMF Security for the ports used by AMF Security.
Note
If your browser is configured to use Japanese, some part of emails is written in Japanese even if Language setting for Email Notification is English. If both browser and Email Notification are configured to use English, mail body is written in English. Note that strings contained in authentication data or messages received from an external application are left unchanged.
Note
When you want AMF Security to send notification emails when a device is blocked by the AMF Application Proxy with "Drop Packets", "Link-Down" or "IP-Filter" action, check "Send Email Notification on Block Event" .


Table 72: Buttons
Item Name Description
SMTP Server Settings
Send Test Email Send a test email.
Page Bottom
Submit Save the SMTP server settings.


Licenses

This section lets you manage licenses for AMF Security.
There are two types of licenses: "Base" and "Addon".

Note
Purchase a license to use OpenFlow.
Note
After registering the basic license, if you delete or add the basic license during operation of the OpenFlow and AMF Application Proxy network, OpenFlow and AMF Application Proxy may not operate normally.
Therefore, disconnect AMF security from the operating network before removing or adding a registered base license.

If the base license is removed or added during operation and AMF Application Proxy does not work properly, restart AMF security.


Table 73: Displayed columns
Item Name Description
The maximum number of concurrent OpenFlow Switch connections The maximum number of OpenFlow Switches which can be supported by the installed licenses.
Name Name of the license.
Serial Number Internal serial number of the license.
Expiration Date Displays the license years.
Number of Switches Number of OpenFlow Switches supported by the license.


Table 74: Buttons
Item Name Description
Add Add a license. In the dialog, enter the Serial Number and Authentication Key shown on the license certificate and click the "Submit" button.
Delete Delete the license.


AMF Security Log

This page shows log messages generated by AMF Security service. The latest 1000 messages are displayed in this page.
You can view messages for a specific date by selecting a date at the right side of the page.


Table 75: Buttons
Item Name Description
Clear All Logs Clear all log messages.
Download Download the latest log messages.
Refresh Refresh the AMF Security Log page.


Action Log

This page shows AMF Security services' log messages related to actions.
It is possible to filter messages by each field's content.
Note
Depending on the specifications of the Web browser, it may not be possible to display all action logs on this page. In that case, download and check the action log.
Note
Clearing the action log temporarily disconnects the connected OpenFlow switch from the AMF Master.



Table 76: Displayed columns
Item Name Description
Date / Time Date / Time the action was applied to a device.
MAC Address MAC address of the device.
Device ID Device ID
Device IPv4 Address IPv4 address of the device.
Device Tag Device Tag
Connected Switch ID ID of the switch to which the device is connected.
Connected Switch IPv4 Address IPv4 address of the connected switch
Connected Port ID ID of the port to which the device is connected.
Connected Port Number Port number of the port to which the device is connected.
Status Type of action applied to the device.
VLAN ID VLAN ID to which the device belongs
Network ID Network ID to which the device belongs
Action ID ID of the action applied to the device
Priority Priority of the action applied to the device
Action Originator Originator of the action applied to the device
Reason Reason of the action applied to the device.

Table 77: Buttons
Item Name Description
Refresh Refresh the Action Log page.
Download Download the latest log messages.
Clear Action Log Deletes action logs.

Table 78: Target columns for search and sort operations
Item Name Search Filter Sort
Duration ×
MAC Address ×
Device IPv4 Address ×
Device Tag ×
Action Originator ×
Status ×


14 Jun 2021 09:30