Specify Security Settings

Access to the unit can be limited in a number of ways, for example by setting passwords and securing the interfaces.

Note: To perform this task from PolicyCenter, you must first select a unit or draft configuration in the Configurations window. Then select the Setup tab from the right pane of this window, and proceed to step 2 of the procedure below.

To view or update security settings:

1. Click the setup tab.

2. From the Choose Setup Page list, select security. The security settings appear on the Setup screen.

3. Verify or modify configuration details, as described in the following table.

4. Click apply changes to update the settings.

Field Description
Look Password

The password for look (read) access. To change from look to touch access, click the logout button on the info tab, and log in with the touch password.

Passwords can be up to nineteen characters long and are case-sensitive. They can consist of a combination of letters, numbers, and all special characters.

Commands that modify the PacketShaper's configuration are not available in look mode. Similarly, you cannot retrieve sensitive information or issue commands that would impact the performance of the unit, nor can you create, edit, or delete classes, policies, or partitions. When you're in look mode, the browser interface will only present the options that are available with look access. For example, the class menu is not shown on the Manage tab because you cannot add, delete, or rename classes in look mode. You can view all the setup pages, but the apply changes button is not available because you cannot change the settings in look mode.

Note: Each time you display the Security setup page, the password fields will be populated with eight asterisks, regardless of whether there is a password or how long the password is. These asterisks provide extra security in that they prevent anyone from discerning the length of the password string and whether a look or touch password has been set. You do not need to erase the asterisks before applying changes, unless you want to remove the password.

Touch Password

The password for touch (read/write) access. After you change the touch password, you must log in again to gain touch access. In touch mode, all commands and options are available.

Confirm Password

Use this entry as verification when changing a password.

Inside Interfaces
Outside Interfaces

Enable/disable access to the unit over the inside and/or outside interfaces (for example, ping, Telnet, or web access). The MGMT port (available on certain models) is considered an outside port. Therefore, securing the outside interface will secure the MGMT port as well.

When both the inside and outside interfaces are set to secure, access to the unit is available only via a console connection. The browser interface is disabled.

unsecure enables unlimited access over the specified interface.

secure blocks all access from the specified interface.

list enables access to up to eight listed IP addresses, separated by spaces and/or commas. To specify a subnet, use the format: ipaddress:subnet_mask.

Keep in mind that securing an interface means that queries such as DNS and SNTP cannot be made via the secured interface. Consider using the list option and including these servers and your gateway in the list.

If you plan on using direct standby, do not set the outside interface to secure. For standby to work, each device must be able to communicate with the other device. If you set the outside interface to list, you must add both the partner's and the unit's IP addresses to the Outside security list.

The PacketShaper will not be able to process local ARP requests via a secured interface.

If you secure the outside interface and your gateway is on the outside, a "gateway not found" message will be displayed in the login banner or on the info page. In this state, tasks such as upgrading the software image from a non-local address will be disabled.

Modem on Console

When this option is enabled, PacketWise will log out the console user if the modem drops its carrier connection. (Be sure to configure your modem to drop DSR when the call is disconnected.) For security reasons, set this option to on if you have a modem connected to the serial port. This setting forces a logout when the modem hangs up or the serial cable is disconnected.

When this option is set to off, the console session will remain active until the user types exit at the command line. The session remains active even if the modem hangs up or if the serial cable is disconnected.

Offline Reports

If allow is selected, third-party applications can create graphs from your unit's data, without requiring authentication. If disallow is selected, external programs will not be able to create graphs from your data.

Note: A Microsoft Word document that mimics the Network Performance Summary report is included on your unit's hard drive. See Save Reports as Word Files for details on using this document to create and save graphs.

Unit Access

Click the checkbox by a service protocol to disable access to the unit via that protocol. By default, all services are enabled, allowing you to access the unit by all available secure and nonsecure protocols.

To allow access to a PacketShaper only via secure protocols such as HTTPS and SSH, disable all non-secure protocols (FTP, HTTP, Telnet, SNMP, and TCP Echo).

Note: If you disable all secure and nonsecure protocols, you will only be able to access the unit via a direct console connection.

Login Message

Configure a message that is displayed before users log in to the PacketShaper. The message appears on the browser login page, when logging in with a remote login utility (such as Telnet), and when connecting to the unit via the console. This feature is useful for informing users about the company's access policies and consequences for unauthorized use. The text can be up to 511 characters long.

If you want to display a message that is longer than 511 characters, you can create a text file that contains your message text. Name the file login.txt and upload it to the 9.256/ directory. The first 2048 characters of the text file will display after any message that is configured as the Login Message. Thus, the text file is appended to the message text, allowing the message to have a total approximate length of 2500 characters.

Note: No login message is displayed when accessing the PacketShaper via FTP.
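
For the list option of the Inside Interfaces and Outside Interfaces fields above, the following added example (not part of PacketGuide or PacketWise) checks a proposed list value before it is applied: at most eight entries, the ipaddress:subnet_mask format, and coverage of the gateway, DNS, SNTP, and direct standby addresses. The function names, the IPv4-only parsing, the way a subnet entry is matched, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

MAX_ENTRIES = 8  # limit stated on this page for the list option


def parse_security_list(text):
    """Parse a list-option value into ipaddress.IPv4Network objects."""
    # Entries are separated by spaces and/or commas.
    entries = [e for e in re.split(r"[,\s]+", text.strip()) if e]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries; the limit is {MAX_ENTRIES}")
    networks = []
    for entry in entries:
        addr, sep, mask = entry.partition(":")
        if sep and not mask:
            raise ValueError(f"missing subnet mask in {entry!r}")
        # strict=False: an address with host bits set is reduced to its
        # network (assumption about how the unit treats such entries).
        spec = f"{addr}/{mask}" if sep else f"{addr}/32"
        try:
            networks.append(ipaddress.IPv4Network(spec, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad entry {entry!r}: {exc}") from None
    return networks


def uncovered_hosts(list_text, required):
    """Return the roles in `required` (role -> IP) that the list would block."""
    networks = parse_security_list(list_text)
    return sorted(
        role for role, ip in required.items()
        if not any(ipaddress.IPv4Address(ip) in net for net in networks)
    )


# Constructed sample: documentation-range addresses, not taken from the page.
REQUIRED = {
    "gateway": "192.0.2.1",
    "dns": "192.0.2.53",
    "sntp": "198.51.100.123",
    "standby-partner": "192.0.2.11",
    "this-unit": "192.0.2.10",
}
PROPOSED = "192.0.2.0:255.255.255.0, 203.0.113.5"

if __name__ == "__main__":
    print("blocked by proposed list:", uncovered_hosts(PROPOSED, REQUIRED))
```

With the constructed sample, the SNTP server falls outside the proposed list, so time synchronization over that interface would stop once the list is applied.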

See also:

Password Recovery

Secure Logins

Log Out of PacketWise

Add Security to PacketWise

Detect and Limit DOS Attacks

 

 

PacketGuide™ for PacketWise® 8.3